tls: Verify vhost when tls.verify is enabled #8934

cosmo0920 · 2024-06-10T10:05:46Z

As mentioned in the TLS hostname issue ticket, this issue will be reproduced easily.
After applied this patch, Fluent Bit will deny to connect inappropriate server name against for the certificates' data.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

Example configuration file for the change

As mentioned in #8072

Debug log output from testing the change

After applied this patch, Fluent Bit does safely disconnect from the not matched vhost.

Fluent Bit v3.1.0
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

___________.__                        __    __________.__  __          ________  
\_   _____/|  |  __ __   ____   _____/  |_  \______   \__|/  |_  ___  _\_____  \ 
 |    __)  |  | |  |  \_/ __ \ /    \   __\  |    |  _/  \   __\ \  \/ / _(__  < 
 |     \   |  |_|  |  /\  ___/|   |  \  |    |    |   \  ||  |    \   / /       \
 \___  /   |____/____/  \___  >___|  /__|    |______  /__||__|     \_/ /______  /
     \/                     \/     \/               \/                        \/ 

[2024/06/10 18:41:32] [ info] Configuration:
[2024/06/10 18:41:32] [ info]  flush time     | 1.000000 seconds
[2024/06/10 18:41:32] [ info]  grace          | 5 seconds
[2024/06/10 18:41:32] [ info]  daemon         | 0
[2024/06/10 18:41:32] [ info] ___________
[2024/06/10 18:41:32] [ info]  inputs:
[2024/06/10 18:41:32] [ info]      dummy
[2024/06/10 18:41:32] [ info] ___________
[2024/06/10 18:41:32] [ info]  filters:
[2024/06/10 18:41:32] [ info] ___________
[2024/06/10 18:41:32] [ info]  outputs:
[2024/06/10 18:41:32] [ info]      forward.0
[2024/06/10 18:41:32] [ info] ___________
[2024/06/10 18:41:32] [ info]  collectors:
[2024/06/10 18:41:33] [ info] [fluent bit] version=3.1.0, commit=40935fabd7, pid=103380
[2024/06/10 18:41:33] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2024/06/10 18:41:33] [ info] [storage] ver=1.1.6, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/06/10 18:41:33] [ info] [cmetrics] version=0.9.1
[2024/06/10 18:41:33] [ info] [ctraces ] version=0.5.1
[2024/06/10 18:41:33] [ info] [input:dummy:dummy.0] initializing
[2024/06/10 18:41:33] [ info] [input:dummy:dummy.0] storage_strategy='memory' (memory only)
[2024/06/10 18:41:33] [debug] [dummy:dummy.0] created event channels: read=21 write=22
[2024/06/10 18:41:33] [debug] [forward:forward.0] created event channels: read=23 write=24
[2024/06/10 18:41:33] [ info] [sp] stream processor started
[2024/06/10 18:41:33] [ info] [output:forward:forward.0] worker #1 started
[2024/06/10 18:41:33] [ info] [output:forward:forward.0] worker #0 started
[2024/06/10 18:41:34] [debug] [task] created task=0x617db40 id=0 OK
[2024/06/10 18:41:34] [debug] [output:forward:forward.0] task_id=0 assigned to thread #0
[2024/06/10 18:41:34] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:35] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:35] [debug] [upstream] connection #49 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:35] [debug] [retry] new retry created for task_id=0 attempts=1
[2024/06/10 18:41:35] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:35] [ warn] [engine] failed to flush chunk '103380-1718012493.702233148.flb', retry in 8 seconds: task_id=0, input=dummy.0 > output=forward.0 (out_id=0)
[2024/06/10 18:41:35] [debug] [out flush] cb_destroy coro_id=0
[2024/06/10 18:41:35] [debug] [task] created task=0x8243cd0 id=1 OK
[2024/06/10 18:41:35] [debug] [output:forward:forward.0] task_id=1 assigned to thread #1
[2024/06/10 18:41:35] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:35] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:35] [debug] [upstream] connection #50 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:35] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:35] [debug] [out flush] cb_destroy coro_id=0
[2024/06/10 18:41:35] [debug] [retry] new retry created for task_id=1 attempts=1
[2024/06/10 18:41:35] [ warn] [engine] failed to flush chunk '103380-1718012494.740826531.flb', retry in 9 seconds: task_id=1, input=dummy.0 > output=forward.0 (out_id=0)
^C[2024/06/10 18:41:36] [engine] caught signal (SIGINT)
[2024/06/10 18:41:36] [debug] [task] created task=0x82f02c0 id=2 OK
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] task_id=2 assigned to thread #0
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:36] [ warn] [engine] service will shutdown in max 5 seconds
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:36] [debug] [engine] re-scheduled retry=0x8243b10 for task 0
[2024/06/10 18:41:36] [debug] [engine] re-scheduled retry=0x82f00b0 for task 1
[2024/06/10 18:41:36] [ info] [input] pausing dummy.0
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] task_id=0 assigned to thread #1
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] task_id=1 assigned to thread #0
[2024/06/10 18:41:36] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:36] [ info] [task] dummy/dummy.0 has 3 pending task(s):
[2024/06/10 18:41:36] [ info] [task]   task_id=0 still running on route(s): forward/forward.0 
[2024/06/10 18:41:36] [ info] [task]   task_id=1 still running on route(s): forward/forward.0 
[2024/06/10 18:41:36] [ info] [task]   task_id=2 still running on route(s): forward/forward.0 
[2024/06/10 18:41:36] [ info] [input] pausing dummy.0
[2024/06/10 18:41:37] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:37] [debug] [upstream] connection #50 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:37] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:37] [debug] [task] task_id=0 reached retry-attempts limit 1/1
[2024/06/10 18:41:37] [debug] [out flush] cb_destroy coro_id=1
[2024/06/10 18:41:37] [error] [engine] chunk '103380-1718012493.702233148.flb' cannot be retried: task_id=0, input=dummy.0 > output=forward.0
[2024/06/10 18:41:37] [debug] [task] destroy task=0x617db40 (task_id=0)
[2024/06/10 18:41:37] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:37] [debug] [upstream] connection #51 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:37] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:37] [debug] [out flush] cb_destroy coro_id=2
[2024/06/10 18:41:37] [debug] [task] task_id=1 reached retry-attempts limit 1/1
[2024/06/10 18:41:37] [error] [engine] chunk '103380-1718012494.740826531.flb' cannot be retried: task_id=1, input=dummy.0 > output=forward.0
[2024/06/10 18:41:37] [debug] [task] destroy task=0x8243cd0 (task_id=1)
[2024/06/10 18:41:37] [ info] [input] pausing dummy.0
[2024/06/10 18:41:38] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:38] [debug] [upstream] connection #49 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:38] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:38] [debug] [out flush] cb_destroy coro_id=1
[2024/06/10 18:41:38] [debug] [retry] new retry created for task_id=2 attempts=1
[2024/06/10 18:41:38] [ warn] [engine] failed to flush chunk '103380-1718012495.669380090.flb', retry in 1 seconds: task_id=2, input=dummy.0 > output=forward.0 (out_id=0)
[2024/06/10 18:41:38] [debug] [output:forward:forward.0] task_id=2 assigned to thread #1
[2024/06/10 18:41:38] [debug] [output:forward:forward.0] request 51 bytes to flush
[2024/06/10 18:41:38] [ info] [input] pausing dummy.0
[2024/06/10 18:41:39] [error] [tls] error: unexpected EOF with reason: certificate verify failed
[2024/06/10 18:41:39] [debug] [upstream] connection #38 failed to other.fluent-backoffice.de:24224
[2024/06/10 18:41:39] [error] [output:forward:forward.0] no upstream connections available
[2024/06/10 18:41:39] [debug] [out flush] cb_destroy coro_id=2
[2024/06/10 18:41:39] [debug] [task] task_id=2 reached retry-attempts limit 1/1
[2024/06/10 18:41:39] [error] [engine] chunk '103380-1718012495.669380090.flb' cannot be retried: task_id=2, input=dummy.0 > output=forward.0
[2024/06/10 18:41:39] [debug] [task] destroy task=0x82f02c0 (task_id=2)
[2024/06/10 18:41:39] [ info] [engine] service has stopped (0 pending tasks)
[2024/06/10 18:41:39] [ info] [input] pausing dummy.0
[2024/06/10 18:41:39] [ info] [output:forward:forward.0] thread worker #0 stopping...
[2024/06/10 18:41:39] [ info] [output:forward:forward.0] thread worker #0 stopped
[2024/06/10 18:41:39] [ info] [output:forward:forward.0] thread worker #1 stopping...
[2024/06/10 18:41:39] [ info] [output:forward:forward.0] thread worker #1 stopped

Attached Valgrind output that shows no leaks or memory corruption was found

==103380== 
==103380== HEAP SUMMARY:
==103380==     in use at exit: 0 bytes in 0 blocks
==103380==   total heap usage: 31,700 allocs, 31,700 frees, 4,425,117 bytes allocated
==103380== 
==103380== All heap blocks were freed -- no leaks are possible
==103380== 
==103380== For lists of detected and suppressed errors, rerun with: -s
==103380== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

Run local packaging test showing all targets (including any new ones) build.
Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

Documentation required for this feature

Backporting

Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

fcuello-fudo · 2024-06-13T12:03:10Z

src/tls/openssl.c

+
+    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    if (!X509_VERIFY_PARAM_set1_host(param, hostname, 0)) {
+        flb_error("[tls] error: hostname parameter vailidation is failed : %s",


typo "vailidation"

tls: Verify vhost when tls.verify is enabled

9a3185f

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

github-actions bot added the docs-required label Jun 10, 2024

cosmo0920 temporarily deployed to pr June 10, 2024 10:06 — with GitHub Actions Inactive

cosmo0920 temporarily deployed to pr June 10, 2024 10:26 — with GitHub Actions Inactive

cosmo0920 marked this pull request as ready for review June 10, 2024 10:50

cosmo0920 requested review from edsiper, leonardo-albertovich, fujimotos and koleini as code owners June 10, 2024 10:50

edsiper added this to the Fluent Bit v3.0.8 milestone Jun 10, 2024

edsiper merged commit 34c9f5e into master Jun 10, 2024
47 checks passed

edsiper deleted the cosmo0920-verify-vhost-on-tls branch June 10, 2024 18:10

fcuello-fudo reviewed Jun 13, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tls: Verify vhost when tls.verify is enabled #8934

tls: Verify vhost when tls.verify is enabled #8934

cosmo0920 commented Jun 10, 2024

fcuello-fudo Jun 13, 2024

tls: Verify vhost when tls.verify is enabled #8934

tls: Verify vhost when tls.verify is enabled #8934

Conversation

cosmo0920 commented Jun 10, 2024

fcuello-fudo Jun 13, 2024

Choose a reason for hiding this comment