From 7526f978a15fcdcb961fcc92a7248035b7e83895 Mon Sep 17 00:00:00 2001
From: Masahiro Nakagawa
Date: Thu, 22 Nov 2018 15:36:00 +0900
Subject: [PATCH] out_forward: Support mutual TLS. fix #1879
Signed-off-by: Masahiro Nakagawa
---
 lib/fluent/plugin/out_forward.rb | 9 +++++++++
 lib/fluent/plugin_helper/socket.rb | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/fluent/plugin/out_forward.rb b/lib/fluent/plugin/out_forward.rb
index c93706732a..6263fc3acb 100644
--- a/lib/fluent/plugin/out_forward.rb
+++ b/lib/fluent/plugin/out_forward.rb
@@ -93,6 +93,12 @@ class ConnectionClosedError < Error; end
 desc 'The additional CA certificate path for TLS.'
 config_param :tls_ca_cert_path, :array, value_type: :string, default: nil
 config_param :tls_cert_path, :array, value_type: :string, default: nil, deprecated: "Use tls_ca_cert_path instead"
+ desc 'The client certificate path for TLS.'
+ config_param :tls_client_cert_path, :string, default: nil
+ desc 'The client private key path for TLS.'
+ config_param :tls_client_private_key_path, :string, default: nil
+ desc 'The client private key passphrase for TLS.'
+ config_param :tls_client_private_key_passphrase, :string, default: nil
 config_section :security, required: false, multi: false do
 desc 'The hostname'
@@ -330,6 +336,9 @@ def create_transfer_socket(host, port, hostname, &block)
 fqdn: hostname,
 allow_self_signed_cert: @tls_allow_self_signed_cert,
 cert_paths: @tls_ca_cert_path,
+ cert_path: @tls_client_cert_path,
+ private_key_path: @tls_client_private_key_path,
+ private_key_passphrase: @tls_client_private_key_passphrase,
 linger_timeout: @send_timeout,
 send_timeout: @send_timeout,
 recv_timeout: @ack_response_timeout,
diff --git a/lib/fluent/plugin_helper/socket.rb b/lib/fluent/plugin_helper/socket.rb
index b751fe7b85..09ffd3168f 100644
--- a/lib/fluent/plugin_helper/socket.rb
+++ b/lib/fluent/plugin_helper/socket.rb
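Review bot: The new `config_param :tls_client_private_key_passphrase, :string, default: nil` in the first hunk declares a secret without `secret: true`, so the passphrase is shown in clear wherever fluentd dumps its configuration (startup log, dry-run output). Declare it as `config_param :tls_client_private_key_passphrase, :string, default: nil, secret: true` so it is masked like other secret parameters. Nothing in this hunk (nor, as far as the second hunk shows, in the caller) rejects a client certificate configured without its key or vice versa; a check in `configure` raising `Fluent::ConfigError` when exactly one of tls_client_cert_path / tls_client_private_key_path is set would report the mistake at startup instead of as a handshake failure on every connection attempt. The `configure` method itself is outside the visible hunks.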
@@ -89,7 +89,8 @@ def socket_create_udp(host, port, resolve_name: false, connect: false, **kwargs,
 def socket_create_tls(
 host, port, version: TLS_DEFAULT_VERSION, ciphers: CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
- enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil, **kwargs, &block)
+ enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
+ cert_path: nil, private_key_path: nil, private_key_passphrase: nil, **kwargs, &block)
 host_is_ipaddress = IPAddr.new(host) rescue false
 fqdn ||= host unless host_is_ipaddress
@@ -131,6 +132,8 @@ def socket_create_tls(
 context.verify_mode = OpenSSL::SSL::VERIFY_PEER
 context.cert_store = cert_store
 context.verify_hostname = true if verify_fqdn && fqdn && context.respond_to?(:verify_hostname=)
+ context.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path
+ context.key = OpenSSL::PKey::RSA.new(File.read(private_key_path), private_key_passphrase) if private_key_path
 end
 tcpsock = socket_create_tcp(host, port, **kwargs)
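Review bot: `context.key = OpenSSL::PKey::RSA.new(File.read(private_key_path), private_key_passphrase)` in the second hunk accepts only RSA keys, so a client key of any other type (e.g. EC) fails to load even though the parameter is documented simply as "the client private key path"; `context.key = OpenSSL::PKey.read(File.read(private_key_path), private_key_passphrase) if private_key_path` loads any key type OpenSSL supports. The two added lines are guarded independently, so a `cert_path` without a `private_key_path` (or the reverse) yields a context that can only fail at handshake time; since this helper is a public API, it should raise an ArgumentError when exactly one of the two is given rather than leave that to the remote peer. Note that both added lines sit inside the `if` block that begins above the hunk (the `end` is visible), and `socket_create_tls` continues past the hunk.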