Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS: Tls.vhost is not validating the common name(CN/HostName) of the server #7682

Closed
wants to merge 5 commits into from

Conversation

muttanna2972
Copy link
Contributor

@muttanna2972 muttanna2972 commented Jul 11, 2023

While using the TLS, we set verify to true if we want to verify server certificate. What fluent-bit verifies here is mostly only the validity and authenticity (signed by known CA or not) or not. But If vhost is configured and verify is set to true, it does not validate hostname/common-name field of server certificate.

As part of this commit, if verify is set and vhost is configured, the server will be validated against the configuerd hostname. If it does not match then TLS handshake fails with invalid certificate error.
Code change details:
Using X509_VERIFY_PARAM_set1_host to set verification of host parameter so that server certificate is validated during the handshake

Signed-off-by: Muttanna Hosur [email protected]

#7178

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • [] Configuration
    Configuration at Client:
  • [INPUT]
    Name Tail
    Tag local3_2.3.4.5
    Path /var/log/firewall
    DB /tmp/local3_2.3.4.5
    Buffer_Max_Size 64k
    Buffer_Chunk_Size 64k
    Mem_Buf_Limit 512
    Refresh_Interval 30

[OUTPUT]
Name Syslog
Match local3_2.3.4.5
Host 10.10.10.30
Port 38867
Mode TCP
Syslog_Format rfc3164
Syslog_Message_Key log
net.connect_timeout 50
tls on
tls.verify true
tls.vhost devserver.com
tls.ca_file /home/mhosur/keys/ca.crt
tls.crt_file /home/mhosur/keys/flb_client.crt
tls.key_file /home/mhosur/keys/flb_client.key

  • Configuration of Server

[INPUT]
Name Tail
Tag local3_2.3.4.5
Path /var/log/firewall
DB /tmp/local3_2.3.4.5
Buffer_Max_Size 64k
Buffer_Chunk_Size 64k
Mem_Buf_Limit 512
Refresh_Interval 30

[INPUT]
Name syslog
#Tag local3_2.3.4.5
Listen 10.10.10.30
Port 38867
Parser syslog-rfc3164
Mode TCP
Buffer_Chunk_Size 64KB
tls on
tls.ca_file /home/mhosur/keys/ca.crt
tls.crt_file /home/mhosur/keys/server.crt
tls.key_file /home/mhosur/keys/server.key

-->

  • [*] Debug log output from testing the change

[[1m[^[[0m2023/06/28 16:41:07^[[1m]^[[0m [^[[92m info^[[0m] [sp] stream processor started
^[[1m[^[[0m2023/06/28 16:41:07^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] inode=2270112 file=/var/log/firewall promote to TAIL_EVENT
^[[1m[^[[0m2023/06/28 16:41:07^[[1m]^[[0m [^[[92m info^[[0m] [input:tail:tail.0] inotify_fs_add(): inode=2270112 watch_fd=1 name=/var/log/firewall
^[[1m[^[[0m2023/06/28 16:41:07^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] [static files] processed 0b, done
^[[1m[^[[0m2023/06/28 16:41:07^[[1m]^[[0m [^[[92m info^[[0m] [output:stdout:stdout.1] worker #0 started
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] inode=2270112 events: IN_MODIFY
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [input chunk] update output instances with new chunk size diff=28
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [task] created task=0x7f56f412f020 id=0 OK
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [output:stdout:stdout.1] task_id=0 assigned to thread #0
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[91merror^[[0m] XXX the value of tls vhost devserver.com and vhost (null)
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=0
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=0
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [task] destroy task=0x7f56f412f020 (task_id=0)
^[[1m[^[[0m2023/06/28 16:41:09^[[1m]^[[0m [^[[93mdebug^[[0m] [socket] could not validate socket status for #56 (don't worry)
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] inode=2270112 events: IN_MODIFY
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [input chunk] update output instances with new chunk size diff=28
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [task] created task=0x7f56f4158e40 id=0 OK
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [output:stdout:stdout.1] task_id=0 assigned to thread #0
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=1
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[91merror^[[0m] XXX the value of tls vhost devserver.com and vhost (null)
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] inode=2270112 events: IN_MODIFY
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [input chunk] update output instances with new chunk size diff=28
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=1
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [task] destroy task=0x7f56f4158e40 (task_id=0)
^[[1m[^[[0m2023/06/28 16:41:21^[[1m]^[[0m [^[[93mdebug^[[0m] [socket] could not validate socket status for #56 (don't worry)
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [task] created task=0x7f56f4156d10 id=0 OK
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [output:stdout:stdout.1] task_id=0 assigned to thread #0
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=2
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[91merror^[[0m] XXX the value of tls vhost devserver.com and vhost (null)
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=2

[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[91merror^[[0m] XXX the value of tls vhost devserver.com and vhost (null)
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [out flush] cb_destroy coro_id=2
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [task] destroy task=0x7f56f4156d10 (task_id=0)
^[[1m[^[[0m2023/06/28 16:41:22^[[1m]^[[0m [^[[93mdebug^[[0m] [socket] could not validate socket status for #56 (don't worry)
^[[1m[^[[0m2023/06/28 16:41:37^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] scanning path /var/log/firewall
^[[1m[^[[0m2023/06/28 16:41:37^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] scan_blog add(): dismissed: /var/log/firewall, inode 2270112
^[[1m[^[[0m2023/06/28 16:41:37^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] 0 new files found on path '/var/log/firewall'
^[[1m[^[[0m2023/06/28 16:42:07^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] scanning path /var/log/firewall
^[[1m[^[[0m2023/06/28 16:42:07^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] scan_blog add(): dismissed: /var/log/firewall, inode 2270112
^[[1m[^[[0m2023/06/28 16:42:07^[[1m]^[[0m [^[[93mdebug^[[0m] [input:tail:tail.0] 0 new files found on path '/var/log/firewall'

  • Attached Valgrind output that shows no leaks or memory corruption was found
    root@mhosur:/home/mhosur/flb_dev/fork/fluent-bit# valgrind ./build/bin/fluent-bit -f1 -c /usr/local/etc/fluent-bit/fluent-bit.conf
    ==61949== Memcheck, a memory error detector
    ==61949== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==61949== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
    ==61949== Command: ./build/bin/fluent-bit -f1 -c /usr/local/etc/fluent-bit/fluent-bit.conf
    ==61949==
    Fluent Bit v2.1.7
  • Copyright (C) 2015-2022 The Fluent Bit Authors
  • Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
  • https://fluentbit.io

[2023/07/11 10:25:08] [ info] Configuration:
[2023/07/11 10:25:08] [ info] flush time | 1.000000 seconds
[2023/07/11 10:25:08] [ info] grace | 5 seconds
[2023/07/11 10:25:08] [ info] daemon | 0
[2023/07/11 10:25:08] [ info] ___________
[2023/07/11 10:25:08] [ info] inputs:
[2023/07/11 10:25:08] [ info] tail
[2023/07/11 10:25:08] [ info] ___________
[2023/07/11 10:25:08] [ info] filters:
[2023/07/11 10:25:08] [ info] ___________
[2023/07/11 10:25:08] [ info] outputs:
[2023/07/11 10:25:08] [ info] syslog.0
[2023/07/11 10:25:08] [ info] stdout.1
[2023/07/11 10:25:08] [ info] ___________
[2023/07/11 10:25:08] [ info] collectors:
==61949== Warning: client switching stacks? SP change: 0x5fea148 --> 0x57cb550
==61949== to suppress, use: --max-stackframe=8514552 or greater
==61949== Warning: client switching stacks? SP change: 0x57cb4a8 --> 0x5fea148
==61949== to suppress, use: --max-stackframe=8514720 or greater
==61949== Warning: client switching stacks? SP change: 0x6ff42a8 --> 0x57d1900
==61949== to suppress, use: --max-stackframe=25307560 or greater
==61949== further instances of this message will not be shown.
[0] local3_2.3.4.5: [[1689071109.650585363, {}], {"log"=>"hello firewall 2"}]
[0] local3_2.3.4.5: [[1689071161.882649655, {}], {"log"=>"hello firewall 3"}]

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • [*] Run local packaging test showing all targets (including any new ones) build.
  • [*
    Server_cert_details
    Validation_pass
    Handshake_failure_bec_of_validation
    ] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

…in server certificate

While using the TLS, we set verify to true if we want to verify server certificate. What fluent-bit
verifies here is mostly only the validitiy. If vhost is configured and verify is set to true,
it does not validate hostname/common-name field of server certificate.

As part of this commit, if verify is set and vhost is configured, the server will be validated
against the configuerd hostname. If it does not match then TLS handshake fails with invalid certificate
error.
@muttanna2972 muttanna2972 temporarily deployed to pr July 11, 2023 09:06 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr July 11, 2023 09:06 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr July 11, 2023 09:06 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr July 11, 2023 09:30 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 changed the title [Bug-7178] Tls.vhost is not validating the common name of the server [Bug-7178] Tls.vhost is not validating the common name(CN/HostName) of the server Jul 11, 2023
@muttanna2972 muttanna2972 changed the title [Bug-7178] Tls.vhost is not validating the common name(CN/HostName) of the server [Bug-7178] TLS: Tls.vhost is not validating the common name(CN/HostName) of the server Jul 11, 2023
@muttanna2972 muttanna2972 changed the title [Bug-7178] TLS: Tls.vhost is not validating the common name(CN/HostName) of the server TLS: Tls.vhost is not validating the common name(CN/HostName) of the server Jul 13, 2023
@edsiper edsiper added this to the Fluent Bit v2.1.8 milestone Jul 18, 2023
src/tls/openssl.c Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
src/tls/openssl.c Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
@edsiper
Copy link
Member

edsiper commented Jul 24, 2023

@muttanna2972 pls check the comments provided

@muttanna2972 muttanna2972 temporarily deployed to pr August 16, 2023 08:50 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr August 16, 2023 08:50 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr August 16, 2023 08:50 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr August 16, 2023 09:22 — with GitHub Actions Inactive
@muttanna2972
Copy link
Contributor Author

Currently addressing the review comments. Once testing is done on the new changes, will commit the same

@edsiper
Copy link
Member

edsiper commented Aug 31, 2023

@muttanna2972 ping

@muttanna2972
Copy link
Contributor Author

Hi @edsiper, I have addressed the comments, in my local repo, I just need to test it and push the changes. Apologies for the delay.

@muttanna2972 muttanna2972 temporarily deployed to pr September 1, 2023 15:51 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr September 1, 2023 15:51 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr September 1, 2023 15:51 — with GitHub Actions Inactive
@muttanna2972
Copy link
Contributor Author

@leonardo-albertovich , @edsiper I have tried to addressed all the comments and pushed one more commit. Please review.
Along with this, I am attaching the use cases that I have captured, please go through them and let me know if there are any corrections in the behavior
testcases_done_after_addressing_cmts

@muttanna2972 muttanna2972 temporarily deployed to pr September 1, 2023 16:21 — with GitHub Actions Inactive
@edsiper
Copy link
Member

edsiper commented Sep 21, 2023

please sign-off your commits, otherwise we get a DCO error

@muttanna2972 muttanna2972 temporarily deployed to pr September 29, 2023 09:34 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr September 29, 2023 09:34 — with GitHub Actions Inactive
@muttanna2972 muttanna2972 temporarily deployed to pr September 29, 2023 09:34 — with GitHub Actions Inactive
@muttanna2972
Copy link
Contributor Author

@leonardo-albertovich could you please review the changes?

@muttanna2972 muttanna2972 temporarily deployed to pr September 29, 2023 10:01 — with GitHub Actions Inactive
@cosmo0920
Copy link
Contributor

This is superseded by: #8934

@cosmo0920 cosmo0920 closed this Aug 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants