Allow cert chains by mmussomele · Pull Request #2700 · fluent/fluentd

mmussomele · 2019-11-14T21:40:20Z

Which issue(s) this PR fixes:
Fixes #2699

What this PR does / why we need it:

Adds support for certificate chains to Fluentd sockets. Needed for good practice around issuing certificates.

The added test fails if the new line:

context.extra_chain_cert = client_certs[1..-1]

is remove (effectively reverting to the old behavior of only loading the leaf certificate).

Docs Changes:

Unsure if needed.

Release Note:

Otherwise it seems to default to true, which results in logging of warning: verify_hostname requires hostname to be set When running tests that use TLS without verifying the hostname. Signed-off-by: Matthew Mussomele <matt@nefeli.io>

mmussomele · 2019-11-14T21:57:38Z

seems AppVeyor doesn't like ensure, will have to just let the temporary files be deleted by the GC or on exit

mmussomele · 2019-11-15T19:13:47Z

unsure why the builds failed - the tests passed for me locally

mtovino-nefeli · 2019-11-18T19:09:14Z

👍 this would help me too

repeatedly · 2019-11-18T20:25:13Z

I will check this patch in this week.

unsure why the builds failed - the tests passed for me locally

This is travis-ci environment issue. It sometimes slow down and it causes unexpected test failure.

repeatedly · 2019-11-25T05:39:13Z

+          if verify_fqdn && fqdn && context.respond_to?(:verify_hostname=)
+            context.verify_hostname = true
+          else
+            context.verify_hostname = false


Why change this line to set false explicitly?

see commit body of the first commit:

Otherwise it seems to default to true, which results in logging of

warning: verify_hostname requires hostname to be set

When running tests that use TLS without verifying the hostname.

If you leave it unset like the code did prior, then warning logs are printed. Perhaps the right thing to do is something along the lines of

if hostname verification set to true: context.verify_hostname = true else if hostname verification explicitly set to false: context.verify_hostname = false else leave context.verify_hostname nil

?

ganmacs · 2019-11-25T20:58:05Z

+  data('ack true' => true,
+       'ack false' => false)
+  test 'TLS transport client cert chain' do |ack|
+    omit "TLS and 'ack false' always fails. Need to debug" if !ack


could you debug before merging this PR?

This is an existing bug prior to my changes - see the test above.

fluentd/test/plugin/test_out_forward.rb

Line 585 in 4cd9d6b

omit "TLS and 'ack false' always fails on AppVeyor. Need to debug" if Fluent.windows? && !ack

is for AppVeyor environment which the test run Windows. It runs on Linux environment. below is right.

Suggested change

omit "TLS and 'ack false' always fails. Need to debug" if !ack

omit "TLS and 'ack false' always fails. Need to debug" if Fluent.windows? && !ack

corrected omit check

mmussomele · 2019-11-26T17:38:12Z

@repeatedly @ganmacs changes made, except for the verify_hostname one - just want to verify with discussion first. Thanks for the comments!

repeatedly · 2019-12-12T01:32:10Z

Re-run test to check random test failures.

Signed-off-by: Matthew Mussomele <matt@nefeli.io>

mmussomele · 2019-12-12T19:21:16Z

sorry for the delay, have been very busy. Just updated the omit check to specify windows

ganmacs · 2020-04-06T08:46:19Z

This was done by #2930 .

socket: Explicitly set verify_hostname to false

18d6846

Otherwise it seems to default to true, which results in logging of warning: verify_hostname requires hostname to be set When running tests that use TLS without verifying the hostname. Signed-off-by: Matthew Mussomele <matt@nefeli.io>

mmussomele force-pushed the allow-cert-chains branch 2 times, most recently from 84f605a to 4cd9d6b Compare November 14, 2019 21:57

repeatedly self-assigned this Nov 18, 2019

repeatedly added the enhancement Feature request or improve operations label Nov 18, 2019

repeatedly reviewed Nov 25, 2019

View reviewed changes

repeatedly requested a review from ganmacs November 25, 2019 05:47

ganmacs reviewed Nov 25, 2019

View reviewed changes

mmussomele force-pushed the allow-cert-chains branch from 4cd9d6b to 5e05063 Compare November 26, 2019 17:37

socket: Support certificate chains

38acd8d

Signed-off-by: Matthew Mussomele <matt@nefeli.io>

mmussomele force-pushed the allow-cert-chains branch from 5e05063 to 38acd8d Compare December 12, 2019 19:20

ganmacs mentioned this pull request Apr 3, 2020

Allow cert chains in client auth #2930

Merged

ganmacs closed this Apr 6, 2020

	omit "TLS and 'ack false' always fails. Need to debug" if !ack
	omit "TLS and 'ack false' always fails. Need to debug" if Fluent.windows? && !ack

Conversation

mmussomele commented Nov 14, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mmussomele commented Nov 14, 2019

Uh oh!

mmussomele commented Nov 15, 2019

Uh oh!

mtovino-nefeli commented Nov 18, 2019

Uh oh!

repeatedly commented Nov 18, 2019

Uh oh!

repeatedly Nov 25, 2019

Choose a reason for hiding this comment

Uh oh!

mmussomele Nov 26, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ganmacs Nov 25, 2019

Choose a reason for hiding this comment

Uh oh!

mmussomele Nov 26, 2019

Choose a reason for hiding this comment

Uh oh!

ganmacs Dec 3, 2019

Choose a reason for hiding this comment

Uh oh!

mmussomele Dec 12, 2019

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mmussomele commented Nov 26, 2019

Uh oh!

repeatedly commented Dec 12, 2019

Uh oh!

mmussomele commented Dec 12, 2019

Uh oh!

ganmacs commented Apr 6, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mmussomele commented Nov 14, 2019 •

edited

Loading

mmussomele Nov 26, 2019 •

edited

Loading

ganmacs commented Apr 6, 2020 •

edited

Loading