From 144eb23dcd1eb2581b197eef84797ea00eca723a Mon Sep 17 00:00:00 2001
From: Daijiro Fukuda
Date: Thu, 28 Nov 2024 11:02:43 +0900
Subject: [PATCH] transport tls: use SSL_VERIFY_NONE by default

VERIFY_NONE should be used when `client_cert_auth false` (default).
Before this fix, we need to set `insecure true` for this.
However, the `insecure` option should mainly be for cipher strength.

It would not be intended that VERIFY_PEER without VERIFY_FAIL_IF_NO_PEER_CERT was used even if `client_cert_auth false`.
(With VERIFY_PEER without VERIFY_FAIL_IF_NO_PEER_CERT, the server does verification only when clients send their certificate. This would be why we overlooked it for a long time.)

Before:

| insecure | client_cert_auth | verify_mode |
|----------|------------------|-------------|
| false    | false            | VERIFY_PEER |
| false    | true             | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |
| true     | false            | VERIFY_NONE |
| true     | true             | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |

After:

| insecure | client_cert_auth | verify_mode |
|----------|------------------|-------------|
| false    | false            | VERIFY_NONE |
| false    | true             | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |
| true     | false            | VERIFY_NONE |
| true     | true             | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |

Signed-off-by: Daijiro Fukuda
---
 lib/fluent/plugin_helper/cert_option.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
index 270917d327..8702f772c7 100644
--- a/lib/fluent/plugin_helper/cert_option.rb
+++ b/lib/fluent/plugin_helper/cert_option.rb
@@ -33,6 +33,8 @@ def cert_option_create_context(version, insecure, ciphers, conf)
         if conf.client_cert_auth
           ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+        else
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
         end
         ctx.ca_file = conf.ca_path
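Review bot: the new `else` branch turns the default `client_cert_auth false` case from "verify a client certificate if one happens to be presented" into "never request one", which matches the intent in the message but is still a visible behaviour change for any deployment that relied on the old VERIFY_PEER path rejecting clients that sent an untrusted certificate; please add a unit test that builds a context with `client_cert_auth false` / `insecure false` and asserts `ctx.verify_mode == OpenSSL::SSL::VERIFY_NONE` (and that the `insecure true` row still yields the same), and give the change a changelog entry. Setting the mode explicitly instead of relying on whatever the context held before the `if` is the right call, and leaving `ctx.ca_file = conf.ca_path` unconditional after it is harmless, since no peer verification runs under VERIFY_NONE.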
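To make the verify_mode rows in the commit message concrete, here is an added Ruby example (it is not fluentd code and not from the patch author) that runs real TLS handshakes over a loopback socket with each server-side verify_mode from the Before/After tables. It builds a throwaway CA, a server certificate, a CA-issued client certificate and a self-signed "rogue" client certificate in memory; the helper names `build_cert`, `trust_store`, `handshake` and `probe_all` are my own, and `verify_mode_for` is a hypothetical mirror of the mapping in the After table, not the project's `cert_option_create_context`. The point it shows: under the old default (VERIFY_PEER alone) an anonymous client connects but a client presenting an untrusted certificate is refused, whereas under the new default (VERIFY_NONE) the server never asks for a certificate at all, so `peer_cert` is nil even for a client that has one; mutual auth (PEER | FAIL_IF_NO_PEER_CERT) is unchanged.

```ruby
require "openssl"
require "socket"

# Constructed test PKI (added example, not fluentd code): a CA, a server cert,
# a client cert issued by that CA, and a self-signed "rogue" client cert.
def build_cert(cn, key, serial, ca: false, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = build_cert("test-ca", CA_KEY, 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = build_cert("server", SERVER_KEY, 2, issuer: CA_CERT, issuer_key: CA_KEY)
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
CLIENT_CERT = build_cert("client", CLIENT_KEY, 3, issuer: CA_CERT, issuer_key: CA_KEY)
ROGUE_KEY   = OpenSSL::PKey::RSA.new(2048)
ROGUE_CERT  = build_cert("rogue", ROGUE_KEY, 4)   # self-signed, not trusted by CA_CERT

# Hypothetical mirror of the "After" table: only client_cert_auth decides verify_mode.
def verify_mode_for(client_cert_auth:)
  if client_cert_auth
    OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  else
    OpenSSL::SSL::VERIFY_NONE
  end
end

def trust_store
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store
end

# One TLS handshake over loopback with the given server verify_mode and an optional
# client certificate. Returns [:accepted, peer_subject_or_nil] or [:rejected, message].
def handshake(server_verify_mode, client_cert: nil, client_key: nil)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = SERVER_CERT
  sctx.key = SERVER_KEY
  sctx.cert_store = trust_store
  sctx.verify_mode = server_verify_mode

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert_store = trust_store
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # the client always checks the server
  if client_cert
    cctx.cert = client_cert
    cctx.key = client_key
  end

  listener = TCPServer.new("127.0.0.1", 0)
  result = nil
  server = Thread.new do
    sraw = listener.accept
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(sraw, sctx)
      ssl.accept
      peer = ssl.peer_cert                       # nil when no client cert was sent
      result = [:accepted, peer && peer.subject.to_s]
      ssl.close
    rescue StandardError => e
      result = [:rejected, e.message]            # verify failure or missing cert
    ensure
      sraw.close
    end
  end

  craw = TCPSocket.new("127.0.0.1", listener.addr[1])
  begin
    ssl = OpenSSL::SSL::SSLSocket.new(craw, cctx)
    ssl.connect
    ssl.close
  rescue StandardError
    # rejected by the server; the server thread records why
  ensure
    craw.close
  end
  server.join
  listener.close
  result
end

# Every row that matters for the patch; keys name the modelled config state.
def probe_all
  peer_only = OpenSSL::SSL::VERIFY_PEER                   # old default (Before table)
  default   = verify_mode_for(client_cert_auth: false)    # new default: VERIFY_NONE
  mutual    = verify_mode_for(client_cert_auth: true)     # PEER | FAIL_IF_NO_PEER_CERT
  {
    before_anon:   handshake(peer_only),
    before_client: handshake(peer_only, client_cert: CLIENT_CERT, client_key: CLIENT_KEY),
    before_rogue:  handshake(peer_only, client_cert: ROGUE_CERT, client_key: ROGUE_KEY),
    after_anon:    handshake(default),
    after_client:  handshake(default, client_cert: CLIENT_CERT, client_key: CLIENT_KEY),
    after_rogue:   handshake(default, client_cert: ROGUE_CERT, client_key: ROGUE_KEY),
    mutual_anon:   handshake(mutual),
    mutual_client: handshake(mutual, client_cert: CLIENT_CERT, client_key: CLIENT_KEY),
  }
end

if __FILE__ == $0
  probe_all.each { |name, (verdict, detail)| puts "#{name}: #{verdict} #{detail.inspect}" }
end
```

Run it directly to print one line per row. The `before_rogue` row is the behaviour the commit message describes as overlooked: the old default silently performed client-certificate validation whenever a client volunteered a certificate, while `after_rogue` shows that with VERIFY_NONE the server no longer sends a CertificateRequest, so the rogue certificate is never seen and `peer_cert` stays nil.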