From 8193d8816760a7f277034bf0035cf67804d71752 Mon Sep 17 00:00:00 2001
From: Muttanna Hosur
Date: Tue, 11 Jul 2023 08:37:57 +0000
Subject: [PATCH 1/3] [Bug-7178] Tls.vhost is not validating the common name of the server in server certificate
While using the TLS, we set verify to true if we want to verify server certificate. What fluent-bit verifies here is mostly only the validitiy. If vhost is configured and verify is set to true, it does not validate hostname/common-name field of server certificate. As part of this commit, if verify is set and vhost is configured, the server will be validated against the configuerd hostname. If it does not match then TLS handshake fails with invalid certificate error.
---
src/tls/openssl.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index cdd8953bacf..2462b483186 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -529,9 +529,15 @@ static int tls_net_handshake(struct flb_tls *tls,
pthread_mutex_unlock(&ctx->mutex);
return -1;
}
-
- if (vhost != NULL) {
- SSL_set_tlsext_host_name(session->ssl, vhost);
+ if (tls->vhost != NULL) {
+ SSL_set_tlsext_host_name(session->ssl, tls->vhost);
+ /* set host name validation only if vhost is configured
+ * explicitely */
+ X509_VERIFY_PARAM *param = SSL_get0_param(session->ssl);
+ if (!X509_VERIFY_PARAM_set1_host(param, tls->vhost, 0)) {
+ flb_error("[tls] error: vhost parameter set failed : %s", vhost);
+ return -1;
+ }
}
else if (tls->vhost) {
SSL_set_tlsext_host_name(session->ssl, tls->vhost);
From 749e9d16c5ea54c7f86a60c1e5e1f66e2fb3f091 Mon Sep 17 00:00:00 2001
From: Muttanna Hosur
Date: Fri, 1 Sep 2023 15:49:44 +0000
Subject: [PATCH 2/3] TLS: Tls.vhost is not validating the common name(CN/HostName) of the server #7682
---
src/tls/openssl.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 2462b483186..da526726694 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -513,6 +513,7 @@ static int tls_net_handshake(struct flb_tls *tls,
char err_buf[256];
struct tls_session *session = ptr_session;
struct tls_context *ctx;
+ X509_VERIFY_PARAM *param;
ctx = session->parent;
pthread_mutex_lock(&ctx->mutex);
@@ -529,19 +530,24 @@ static int tls_net_handshake(struct flb_tls *tls,
pthread_mutex_unlock(&ctx->mutex);
return -1;
}
+
if (tls->vhost != NULL) {
SSL_set_tlsext_host_name(session->ssl, tls->vhost);
/* set host name validation only if vhost is configured
* explicitely */
- X509_VERIFY_PARAM *param = SSL_get0_param(session->ssl);
- if (!X509_VERIFY_PARAM_set1_host(param, tls->vhost, 0)) {
- flb_error("[tls] error: vhost parameter set failed : %s", vhost);
- return -1;
+ if (tls->verify == FLB_TRUE) {
+ param = SSL_get0_param(session->ssl);
+ if (param) {
+ ret = X509_VERIFY_PARAM_set1_host(param, tls->vhost, 0);
+ if (ret != 1) {
+ flb_error("[tls] error: vhost parameter validation "
+ "failed for: %s", (vhost)?vhost:tls->vhost);
+ pthread_mutex_unlock(&ctx->mutex);
+ return -1;
+ }
+ }
}
}
- else if (tls->vhost) {
- SSL_set_tlsext_host_name(session->ssl, tls->vhost);
- }
}
ERR_clear_error();
From 65e5a6e5f6cfb9d893810ce72805a1265010eb0a Mon Sep 17 00:00:00 2001
From: Muttanna Hosur
Date: Fri, 1 Sep 2023 15:49:44 +0000
Subject: [PATCH 3/3] TLS: Tls.vhost is not validating the common name(CN/HostName) of the server #7682
signed-off-by: Muttanna Hosur muttanna2972@gmail.com
---
src/tls/openssl.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 2462b483186..da526726694 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -513,6 +513,7 @@ static int tls_net_handshake(struct flb_tls *tls,
char err_buf[256];
struct tls_session *session = ptr_session;
struct tls_context *ctx;
+ X509_VERIFY_PARAM *param;
ctx = session->parent;
pthread_mutex_lock(&ctx->mutex);
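Review bot: The `if (param)` guard around X509_VERIFY_PARAM_set1_host fails open: should SSL_get0_param() ever return NULL, the handshake proceeds with verify enabled but no expected hostname pinned, which is exactly the gap this patch sets out to close. Treat a NULL param the same as a failed set1_host, `if (param == NULL) { pthread_mutex_unlock(&ctx->mutex); return -1; }` (with a log line), so that with `tls->verify` on the only way past this point is a session that carries the expected name. The message "vhost parameter validation failed" is also misleading, since a non-1 return from set1_host means the expected name could not be stored (e.g. allocation failure) while an actual name mismatch surfaces later from SSL_connect as a certificate verify error; `"[tls] error: failed to set expected hostname for: %s"` would describe what happened. Whether SSL_VERIFY_PEER is enabled on the context when tls->verify is true is not visible in this hunk, and set1_host has no effect without it. tls_net_handshake begins and ends outside this hunk.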
@@ -529,19 +530,24 @@ static int tls_net_handshake(struct flb_tls *tls,
pthread_mutex_unlock(&ctx->mutex);
return -1;
}
+
if (tls->vhost != NULL) {
SSL_set_tlsext_host_name(session->ssl, tls->vhost);
/* set host name validation only if vhost is configured
* explicitely */
- X509_VERIFY_PARAM *param = SSL_get0_param(session->ssl);
- if (!X509_VERIFY_PARAM_set1_host(param, tls->vhost, 0)) {
- flb_error("[tls] error: vhost parameter set failed : %s", vhost);
- return -1;
+ if (tls->verify == FLB_TRUE) {
+ param = SSL_get0_param(session->ssl);
+ if (param) {
+ ret = X509_VERIFY_PARAM_set1_host(param, tls->vhost, 0);
+ if (ret != 1) {
+ flb_error("[tls] error: vhost parameter validation "
+ "failed for: %s", (vhost)?vhost:tls->vhost);
+ pthread_mutex_unlock(&ctx->mutex);
+ return -1;
+ }
+ }
}
}
- else if (tls->vhost) {
- SSL_set_tlsext_host_name(session->ssl, tls->vhost);
- }
}
ERR_clear_error();
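Review bot: The new side only ever consults `tls->vhost`; the caller-supplied `vhost` (presumably the function parameter, going by the `if (vhost != NULL)` branch patch 1/3 removed) now appears solely in the log message, so when no explicit tls.vhost is configured the session gets no SNI at all, which the old code did send, and no hostname check even with `tls->verify` on. That leaves the default configuration with chain validation only, i.e. any certificate a trusted CA issued for any name is accepted, which is the weakness the series describes. I would resolve the expected name once, `tls->vhost` if configured else `vhost`, and use it for both SSL_set_tlsext_host_name and X509_VERIFY_PARAM_set1_host, failing closed when the verify parameters cannot be obtained; `host` would be declared next to `param` to match the file's top-of-function declarations. This patch is byte-identical to 2/3 (same blob ids on the `index` line), so the same applies there. tls_net_handshake begins and ends outside this hunk.
```c
    /* expected peer name: an explicit tls.vhost wins, else the caller's vhost */
    host = tls->vhost ? tls->vhost : vhost;
    if (host != NULL) {
        SSL_set_tlsext_host_name(session->ssl, host);
        if (tls->verify == FLB_TRUE) {
            param = SSL_get0_param(session->ssl);
            if (param == NULL ||
                X509_VERIFY_PARAM_set1_host(param, host, 0) != 1) {
                flb_error("[tls] error: failed to set expected hostname for: %s",
                          host);
                pthread_mutex_unlock(&ctx->mutex);
                return -1;
            }
        }
    }
    /* … unchanged: closing brace of the enclosing block, ERR_clear_error() … */
```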