New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue 8914 x509sni #9289
Issue 8914 x509sni #9289
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jjh74 thanks for digging into this and submitting this PR. I added a comment and a question in the code, so it would be nice if you can comment on those.
However, taking a quick look at the code I think the issue arises from a conceptual weakness in the code. We reuse c.tlsCfg
for multiple location
s and are thus stateful in the code. IMO we should restructure the code such that we create one c.tlsCfg
for each location
in an Init()
function making it an array. This way we can setup everything correctly there and do not need to clear fields in the loop over the locations. @jjh74 what is your opinion on this suggestion?
In addition to what @srebhan said, I think it'd be a good idea to add a unit test to make sure that URLs and file paths/globs are parsed correctly, so this doesn't come up again in the future. Also, please fix the issue raised by the linter. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have one remaining question regarding uriregexp
in the code...
I have no strong opinion one way or another. I think tests are missing a test case where you have more than one https/tcp sources and the test would check that correct SNI is used for each one. |
Currently we are using the user configuration and create one |
…e>:\ sources. This expects that globpath works on windows. See: influxdata#9289 for more information.
@jjh74 seems like the windows test is failing (even for non-globbing tests)... :-( Maybe conversion of path-separators might be involved... |
(not on sources starting with <driveletter>:\) See: influxdata#9289 for more information.
@srebhan I just pushed a commit changing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. The CI error is unrelated (in plugins/inputs/tcp_listener
). Thanks for caring @jjh74.
!retry-failed |
…e>:\ sources. This expects that globpath works on windows. See: influxdata#9289 for more information.
(not on sources starting with <driveletter>:\) See: influxdata#9289 for more information.
@srebhan now should be rebased to current master |
@jjh74 seems like something went wrong with the rebase as you now have 139 files changed. 8-/ |
(not on sources starting with <driveletter>:\) See: influxdata#9289 for more information.
this multiple remote sources (sources = [ "tcp://remote1.example.org:443", "tcp://remote2.example.org:443" ]) reuse first SNI. Telegraf will request wrong certificate and can fail validation when SAN/SNI doesn't match.
6d9c327
to
d85ccd4
Compare
@srebhan new attempt with current master. I hope it goes better this time. |
Looks like new artifacts were built from this PR. Get them here!Artifact URLs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! Thank you for fixing these issues and explaining everything so clearly.
…e>:\ sources. This expects that globpath works on windows. See: influxdata#9289 for more information.
(not on sources starting with <driveletter>:\) See: influxdata#9289 for more information.
Any ETA for a new release of this? I noticed this is essential for a multi-chain certificate solution. For example, the common Traefik LetsEncrypt setup uses a multichain setup that uses the server name to correctly pick the chain (LetsEncrypt vs Default Cert). Thanks for these fixes btw :) |
The next scheduled patch release is July 7. We've been considering making an early patch release to fix a few regressions in 1.19.0, including this one, but we haven't settled on a date yet. It might be June 30. |
(cherry picked from commit ac9bf5a)
Required for all PRs:
resolves #8914
resolves #9278
resolves #9384