
Syslog TLS: [client_cert_auth false] settings is not applied if [insecure true] is not set.

Open MaxTownley opened this issue 2 months ago • 4 comments

Describe the bug

When creating a source to receive syslog messages using the TLS transport method, the client_cert_auth false setting is not applied. So when a client cert is provided, it will still attempt to validate the certificate.

This is because, if the insecure setting is set to false, the SSLContext::DEFAULT_PARAMS are set. This sets the verify_mode to VERIFY_PEER: https://github.com/ruby/openssl/blob/master/lib/openssl/ssl.rb#L25

The verify_mode is only changed in cert_option_create_context if conf.client_cert_auth is set to true.

It seems the if statement here should also have an else that will explicitly set the verify_mode to VERIFY_NONE.

https://github.com/fluent/fluentd/blob/284bf4064a9831f5262330a94e3505e09ef6a068/lib/fluent/plugin_helper/cert_option.rb#L34-L36

if conf.client_cert_auth
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

To Reproduce

  1. Set up a source for syslog over TLS.
  2. Set client_cert_auth to false -- this is the default anyway.
  3. Create a syslog client that has client certificates set up.
  4. Attempt to send a log to fluentd.

Client config

global(
DefaultNetstreamDriver="ossl"
DefaultNetstreamDriverCAFile="my_ca_cert.pem"
DefaultNetstreamDriverCertFile="my_client_cer.pem"
DefaultNetstreamDriverKeyFile="my_client_key.pem"
)

Expected behavior

The server will ignore the certificate and allow you to proceed without validation.

Your Environment

- Fluentd version: fluent-package 5.0.3 fluentd 1.16.5 (95d130aaa44fc09b14a4e9686ee8018253185fc5)
- TD Agent version:
- Operating system: RHEL 8.6
- Kernel version: 4.18.0-372.9.1.el8.x86_64

Your Configuration

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  <transport tls>
    ca_path /etc/syslog_tls/syslog_ca_cert.pem
    cert_path /etc/syslog_tls/certificate.pem
    private_key_path /etc/syslog_tls/requests/server.key
    client_cert_auth false
    min_version TLS1_2
    max_version TLS1_3
  </transport>
  tag system
</source>

<match system.**>
  @type stdout
</match>

Your Error Log

2024-04-11 13:18:52 +0100 [info]: starting fluentd-1.16.5 pid=471933 ruby="3.2.3"
2024-04-11 13:18:52 +0100 [info]: spawn command to main:  cmdline=["/opt/fluent/bin/ruby", "-Eascii-8bit:ascii-8bit", "/opt/fluent/bin/fluentd", "--log", "/var/log/fluent/fluentd.log", "--daemon", "/var/run/fluent/fluentd.pid", "--under-supervisor"]
2024-04-11 13:18:53 +0100 [info]: #0 init worker0 logger path="/var/log/fluent/fluentd.log" rotate_age=nil rotate_size=nil
2024-04-11 13:18:53 +0100 [info]: adding match pattern="td.*.*" type="tdlog"
2024-04-11 13:18:53 +0100 [info]: adding match pattern="debug.**" type="stdout"
2024-04-11 13:18:53 +0100 [info]: adding match pattern="system.**" type="stdout"
2024-04-11 13:18:53 +0100 [info]: adding source type="syslog"
2024-04-11 13:18:53 +0100 [warn]: #0 For security reason, setting private_key_passphrase is recommended when cert_path is specified
2024-04-11 13:18:53 +0100 [info]: adding source type="http"
2024-04-11 13:18:53 +0100 [info]: adding source type="debug_agent"
2024-04-11 13:18:53 +0100 [info]: #0 starting fluentd worker pid=471945 ppid=471942 worker=0
2024-04-11 13:18:54 +0100 [info]: #0 [input_debug_agent] listening dRuby uri="druby://127.0.0.1:24230" object="Fluent::Engine" worker=0
2024-04-11 13:18:54 +0100 [info]: #0 listening syslog socket on 0.0.0.0:5140 with tls
2024-04-11 13:18:54 +0100 [warn]: #0 For security reason, setting private_key_passphrase is recommended when cert_path is specified
2024-04-11 13:18:54 +0100 [info]: #0 fluentd worker is now running worker=0
2024-04-11 13:18:57 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=58960 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:39 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=46584 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:40 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=46596 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:40 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=42242 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:41 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=42246 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:47 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX host="XXXX" port=38338 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXX state=error: certificate verify failed (self signed certificate in certificate chain)"
2024-04-11 13:19:48 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL addr="XXXX" host="XXXX" port=38340 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 peeraddr=XXXXstate=error: certificate verify failed (self signed certificate in certificate chain)"
Waiting for data... (interrupt to abort)

Additional context

If you specify insecure, this will work, as the DEFAULT_PARAMS are not loaded in and the verify_mode will be set to none, which is the default. This doesn't seem like the intention behind the insecure setting, though; it seems the actual intention is to stop weak ciphers from being used.

MaxTownley, Apr 11 '24 12:04
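The verify_mode outcome described in the issue, reproduced as an added example (not fluentd's own cert_option helper): `build_context` mirrors the reported control flow for the three relevant config combinations, with `fixed: true` applying the else branch the reporter proposes. `TlsConf` is a constructed stand-in for the transport config carrying only the two keys involved.

```ruby
require "openssl"

# Constructed stand-in for the <transport tls> config: only the two keys
# that drive verify_mode in the issue (insecure, client_cert_auth).
TlsConf = Struct.new(:insecure, :client_cert_auth, keyword_init: true)

# Reproduces the control flow the issue describes. set_params merges
# SSLContext::DEFAULT_PARAMS, whose verify_mode is VERIFY_PEER, so unless
# `insecure` is set the context already verifies peers before the
# client_cert_auth branch runs. With fixed: true the else branch proposed
# in the issue resets verify_mode to VERIFY_NONE.
def build_context(conf, fixed: false)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params({}) unless conf.insecure
  if conf.client_cert_auth
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  elsif fixed
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  ctx
end

# A fresh context may report verify_mode as nil; OpenSSL treats that as VERIFY_NONE.
def effective_verify_mode(conf, fixed: false)
  build_context(conf, fixed: fixed).verify_mode || OpenSSL::SSL::VERIFY_NONE
end

# Human-readable meaning of the server-side verify_mode bits.
def describe_mode(mode)
  return "VERIFY_NONE (client cert not requested)" if mode == OpenSSL::SSL::VERIFY_NONE
  parts = ["VERIFY_PEER (client cert requested and validated if sent)"]
  if (mode & OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT) != 0
    parts << "VERIFY_FAIL_IF_NO_PEER_CERT (handshake fails without a client cert)"
  end
  parts.join(" | ")
end

if __FILE__ == $0
  [
    ["issue config: insecure false, client_cert_auth false", TlsConf.new(insecure: false, client_cert_auth: false)],
    ["workaround:   insecure true,  client_cert_auth false", TlsConf.new(insecure: true,  client_cert_auth: false)],
    ["mutual TLS:   insecure false, client_cert_auth true",  TlsConf.new(insecure: false, client_cert_auth: true)],
  ].each do |label, conf|
    puts label
    puts "  current: #{describe_mode(effective_verify_mode(conf))}"
    puts "  fixed:   #{describe_mode(effective_verify_mode(conf, fixed: true))}"
  end
end
```

The first case shows the reported bug: with client_cert_auth false and insecure unset, the context still ends up at VERIFY_PEER, which is why a client that presents a cert from an unknown CA fails the handshake.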