-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Syslog TLS: [client_cert_auth false] settings is not applied if [insecure true] is not set. #4462
Comments
I am just trying to work out if on the latest versions of openssl loading in the DEFAULT_PARAMS even makes the system anymore secure by default - as currently in my tests with "OpenSSL 1.1.1k FIPS 25 Mar 2021" it would seem that the list of ciphers with insecure false are weaker than with it set to true..... |
@MaxTownley Thanks for reporting this in detail!
In my first impression, this looks reasonable. If you know anything about the version of the package that causes this problem, please let us know. |
I think it has been this way for a very long time. I am just using the latest package (fluentd 1.16.5) but if we take a look a git blame it been this way for 6 years (d20d686) You wouldn't notice if you just don't present a certificate at all as the verify cert code is just not called and it doesn't set VERIFY_FAIL_IF_NO_PEER_CERT by default. So it only tried to verify the client cert if one is provided but some clients might connect to many syslog servers some requiring a cert and some not. I believe the correct behavior here should be to ignore to ignore the client certificate if client_cert_auth is false. |
There seems to be a more troubling problem here to in further tests I have conducted. It seems the original intention of using open ssl DEFAULT_PARAMS is to stop using weak ciphers. It would appear if you are using a newer version of openssl the I am using
With
The list with insecure true is actually a list of stronger cipher suites. I do have the min_version set to tls 1.2 and the max set to tls 1.3 But I guess this is a separate issue to one I have opened this for....... |
Sorry for my late response. |
This code prevents from selecting insecure TLS version. |
It looks good, we should just apply this.
Why we overlooked it long time is that it's only affected only when clients send its certificate. DEFAULT_PARAMS = { # :nodoc:
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:verify_hostname => true,
:options => -> {
opts = OpenSSL::SSL::OP_ALL
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
opts |= OpenSSL::SSL::OP_NO_COMPRESSION
opts
}.call
} In this case, verification won't performed. https://docs.openssl.org/3.3/man3/SSL_CTX_set_verify/#notes
|
Describe the bug
When creating a source to receive syslog messages using the TLS transport method the
client_cert_auth false
setting is not applied/ So when a client cert is provided it will still attempt to validate the certificate.This is because if the insecure setting is set to false the SSLContext:DEFAULT_PARAMS are set. This sets the verify_mode to VERIFY_PEER https://github.com/ruby/openssl/blob/master/lib/openssl/ssl.rb#L25
The verify_mode is only changed in
cert_option_create_context
if conf.client_cert_auth is set to true.It seems the if statement here should also have an else that will explicitly set the verify_mode to VERIFY_NONE.
fluentd/lib/fluent/plugin_helper/cert_option.rb
Lines 34 to 36 in 284bf40
To Reproduce
Client config
Expected behavior
The server will ignore the certificate and allow you to proceed without validation.
Your Environment
Your Configuration
Your Error Log
Additional context
If you specify insecure this will work as the DEFAULT_PARAMS are not loaded in and the verify_mode will be set to none which is the default. This doesn't seem like the intention behind the insecure setting though it seems the actual intention is to stop weak ciphers from being used.
The text was updated successfully, but these errors were encountered: