inputs.x509_cert: Reset c.tlsCfg.ServerName between certs. Without

jjh74 · jjh74 · commit 4e1e6f392bc1 · 2021-05-21T14:59:24.000+03:00
this multiple remote sources (sources = [ "tcp://remote1.example.org:443",
"tcp://remote2.example.org:443" ]) reuse first SNI. Telegraf will
request wrong certificate and can fail validation when SAN/SNI doesn't match.
diff --git a/plugins/inputs/x509_cert/x509_cert.go b/plugins/inputs/x509_cert/x509_cert.go
@@ -131,10 +131,12 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 
 		hsErr := conn.Handshake()
 		if hsErr != nil {
+			c.tlsCfg.ServerName = "" // reset SNI, otherwise we reuse c.tlsCfg.ServerName
 			return nil, hsErr
 		}
 
 		certs := conn.ConnectionState().PeerCertificates
+		c.tlsCfg.ServerName = "" // reset SNI, otherwise we reuse c.tlsCfg.ServerName
 
 		return certs, nil
 	case "file":
@@ -248,6 +250,16 @@ func (c *X509Cert) collectCertURLs() ([]*url.URL, error) {
 // Gather adds metrics into the accumulator.
 func (c *X509Cert) Gather(acc telegraf.Accumulator) error {
 	now := time.Now()
+
+	if c.tlsCfg.ServerName != "" && c.ServerName == "" {
+		// Save SNI from c.tlsCfg.ServerName to c.ServerName and reset c.tlsCfg.ServerName.
+		// We need to reset c.tlsCfg.ServerName for each certificate when there's
+		// no explicit SNI (c.tlsCfg.ServerName or c.ServerName) otherwise we'll always use
+		// first uri HostName for all certs (see issue 8914)
+		c.ServerName = c.tlsCfg.ServerName
+		c.tlsCfg.ServerName = ""
+	}
+
 	collectedUrls, err := c.collectCertURLs()
 	if err != nil {
 		acc.AddError(fmt.Errorf("cannot get file: %s", err.Error()))
