Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inputs can not read trusted TLS certs from directory #5939

Closed
mpfz0r opened this issue May 14, 2019 · 1 comment · Fixed by #5958
Closed

Inputs can not read trusted TLS certs from directory #5939

mpfz0r opened this issue May 14, 2019 · 1 comment · Fixed by #5958
Assignees
@mpfz0r
Labels
bug inputs triaged

Comments

@mpfz0r
Copy link
Member

mpfz0r commented May 14, 2019

The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.

Expected Behavior

Providing a directory should read all the certs within it

Current Behavior

2019-05-14 09:34:15,120 WARN : io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x45383efc, L:/172.16.1.1:5044 - R:/172.16.1.2:46930]
java.security.cert.CertificateException: java.io.IOException: Is a directory
	at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:358) ~[?:1.8.0_191]
	at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_191]
	at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:112) ~[classes/:?]
[...]

Possible Solution

Bring back the code that got dropped in 3.0 with #4397

The former code handled directories:
https://github.com/Graylog2/graylog2-server/blob/2.4/graylog2-server/src/main/java/org/graylog2/plugin/inputs/transports/util/KeyUtil.java#L87

Possible Workaround

cat(1) all the needed certificates into one file (untested)
$ cat *.crt > jumbo.crt

Your Environment

  • Graylog Version: 3.0
@mpfz0r
Copy link
Member Author

mpfz0r commented May 16, 2019

duplicate of #5856

@mpfz0r mpfz0r self-assigned this May 22, 2019
mpfz0r added a commit that referenced this issue May 22, 2019
@mpfz0r
Fix support for TLS input trusted certs directories
7e121a4 
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending also handling directories in loadCertificates().
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
This was referenced May 22, 2019
Closed
Merged
mpfz0r added a commit that referenced this issue May 22, 2019
@mpfz0r
Fix support for TLS input trusted certs directories
f488fbe 
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
kmerz pushed a commit that referenced this issue Jul 9, 2019
@mpfz0r @kmerz
Fix support for TLS input trusted certs directories (#5958)
ee071b9 
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
kmerz pushed a commit that referenced this issue Jul 9, 2019
@mpfz0r @kmerz
Fix support for TLS input trusted certs directories (#5958)
91750c9 
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
@kmerz kmerz mentioned this issue Jul 9, 2019
Merged
mpfz0r pushed a commit that referenced this issue Jul 9, 2019
@kmerz @mpfz0r
Fix support for TLS input trusted certs directories (#5958) (#6102)
ed5ad1d 
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mpfz0r mpfz0r

Labels
bug inputs triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix support for TLS input trusted certs directories Graylog2/graylog2-server
2 participants
@mpfz0r @florianpopp