Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support TLS by socket/server plugin helper #1423

Merged
merged 17 commits into from
Jan 30, 2017

Conversation

tagomoris
Copy link
Member

This change is to add a functionality to support TLS, mainly for in/out forward plugins.

The server plugin helper's TLS support is:

  • plugins can use tls_options hash argument to specify various options about TLS options and certifications in programatic way
  • plugins can load configurations about TLS via <transport tls> section of configuration transparently to control them by users directly (not to write any code in plugins)

This feature supports these certificate management:

  • load a server certificate (signed by public/private CA)
  • load a private CA certificate and private key, and generate server certificates dynamically
  • generate self-signed server certificate dynamically

With this feature, v0.14 forward input/output plugins are compatible with 3rd party secure-forward plugin.

@tagomoris tagomoris added feature request *Deprecated Label* Use enhancement label in general v0.14 labels Jan 18, 2017
@tagomoris tagomoris self-assigned this Jan 18, 2017
@tagomoris tagomoris requested a review from repeatedly January 18, 2017 10:58
@tagomoris
Copy link
Member Author

@repeatedly could you review this change?

@repeatedly
Copy link
Member

Okay. I will review it later.

if @tls_cert_path && !@tls_cert_path.empty?
@tls_cert_path.each do |path|
raise Fluent::ConfigError, "specified cert path does not exist:#{path}" unless File.exist?(path)
raise Fluent::ConfigError, "specified cert path is not readable:#{path}" unless File.exist?(path)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why use same condition?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. It's just mistake.

host_is_hostname = !(IPAddr.new(@host) rescue false)
@hostname = case
when host_is_hostname then @host
when @name then @name
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using @name is correct way for certificate verification?
<server>name xxx</server> is not limitation for now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I changed the meaning of name in <server> section.
But in past versions, this name is used to indicate the role (or other human readable thing) of this server node in logging.
The "human readable role" is just FQDN server name signed by server certificate, isn't it?

cert_store.add_file(cert_path)
end
else
cert_path = cert_paths
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why re-assing to cert_path? just for readability?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right.

cert_store.set_default_paths
end
rescue OpenSSL::X509::StoreError
log.warn "failed to load system default certificate store", error: e
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is warn ok?
This failure is not critical for actual connection?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends on many things including env variables to specify default cert store path configured by end users, and not to make connections failure directly (because many other parameters can control it - e.g., self signed certs, manually specified cert path and others).
So, I left it as warned, not critical.

@@ -76,6 +81,19 @@ class ConnectionClosedError < Error; end
desc 'Compress buffered data.'
config_param :compress, :enum, list: [:text, :gzip], default: :text

desc 'The default version of TLS transport.'
config_param :tls_version, :enum, list: Fluent::PluginHelper::Socket::TLS_SUPPORTED_VERSIONS, default: Fluent::PluginHelper::Socket::TLS_DEFAULT_VERSION
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using tls_ prefix instead of <tls> is for avoiding confustion with <transport tls>?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As you mentioned, these parameters are named in different way from servers' <transport> section.
I think that almost users just specify one or (at most) two parameters in these tls_ prefixed parameters (tls_cert_path, and sometimes tls_allow_self_signed_cert). Many users don't change the default TLS version nor TLS ciphers.
In such cases, tls_cert_path ... is much more simple than <tls> tls_cert_path ... </tls>.

@repeatedly
Copy link
Member

Sorry for the late. LGTM

@tagomoris tagomoris force-pushed the support-tls-by-server-plugin-helper branch from 3d75306 to 9a011dd Compare January 30, 2017 04:29
@tagomoris
Copy link
Member Author

Rebased. I'll merge this after CI green.

@tagomoris
Copy link
Member Author

Green!

@tagomoris tagomoris merged commit c95fa22 into master Jan 30, 2017
@repeatedly repeatedly deleted the support-tls-by-server-plugin-helper branch March 9, 2018 23:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request *Deprecated Label* Use enhancement label in general v0.14
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants