add ca_cert to control peer verification

zarqman · zarqman · commit 6db69649b744 · 2016-11-24T23:37:41.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 * Renamed `cert` and `key` to `client_cert` and `client_key` respectively.
 * Change to short timeouts on network calls so logging doesn't go dead for extended periods.
 * Added `idle_timeout` to force upstream reconnection after a period of time with no traffic for a particular tag. Useful for low-traffic senders. Not recommended for high-traffic.
+* Added `ca_cert` to validate the remote certificate. Defaults to 'system' which uses the system certificate store.
 
 
 #### 1.0.0
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -19,6 +19,14 @@ Example: `6514`
 
 If a given tag has gone this many seconds between log messages, disconnect and reconnect before sending logs. Useful in low-traffic logging situations with remote hosts that disconnect after a period of time. Disabled by default. Example: `600`
 
+### ca_cert
+
+Whether and how to verify the server's TLS certificate. Examples:
+* ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
+* ca_cert false - Disable verification; not recommended
+* ca_cert /path/to/file - A path+filename to a single CA file
+* ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
+
 ### token
 
 Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.
diff --git a/lib/fluent/plugin/out_syslog_tls.rb b/lib/fluent/plugin/out_syslog_tls.rb
@@ -30,6 +30,7 @@ class SyslogTlsOutput < Fluent::Output
     config_param :host, :string
     config_param :port, :integer
     config_param :idle_timeout, :integer, default: nil
+    config_param :ca_cert, :string, default: 'system'
     config_param :token, :string, default: nil
     config_param :client_cert, :string, default: nil
     config_param :client_key, :string, default: nil
@@ -100,7 +101,7 @@ def logger(tag)
     end
 
     def new_logger(tag)
-      transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, client_cert: client_cert, client_key: client_key, max_retries: 3)
+      transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, ca_cert: ca_cert, client_cert: client_cert, client_key: client_key, max_retries: 3)
       logger = ::SyslogTls::Logger.new(transport, token)
       logger.facility(facility)
       logger.hostname(hostname)
diff --git a/lib/syslog_tls/ssl_transport.rb b/lib/syslog_tls/ssl_transport.rb
@@ -25,14 +25,15 @@ class SSLTransport
 
     attr_accessor :socket
 
-    attr_reader :host, :port, :idle_timeout, :client_cert, :client_key, :ssl_version
+    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :ssl_version
 
     attr_writer :retries
 
-    def initialize(host, port, idle_timeout: nil, client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
       @host = host
       @port = port
       @idle_timeout = idle_timeout
+      @ca_cert = ca_cert
       @client_cert = client_cert
       @client_key = client_key
       @ssl_version = ssl_version
@@ -96,6 +97,19 @@ def get_ssl_connection
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.ssl_version = ssl_version
 
+      case ca_cert
+      when true, 'true', 'system'
+        # use system certs, same as openssl cli
+        ctx.cert_store = OpenSSL::X509::Store.new
+        ctx.cert_store.set_default_paths
+      when false, 'false'
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      when %r{/$} # ends in /
+        ctx.ca_path = ca_cert
+      when String
+        ctx.ca_file = ca_cert
+      end
+
       ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert)) if client_cert
       ctx.key = OpenSSL::PKey::read(File.read(client_key)) if client_key
       socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
