add verify_cert_name option

zarqman · zarqman · commit e3a6950d73d6 · 2019-05-31T19:13:47.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
-* Support SNI and enable cert name verification.
+#### 2.0.0
+
 * Require Ruby 2.4
+* Support SNI and enable cert name verification by default. **This changes the default behavior** and may cause issues if the remote server's cert does not match the configured hostname.
+* Add `verify_cert_name` to enable (default) or disable cert name verification.
+  Note: `ca_cert` verifies the certificate signing chain. `verify_cert_name` verifies the CN/SAN name on the cert.
 
 
 #### 1.2.1
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-syslog-tls (1.2.1)
+    fluent-plugin-syslog-tls (2.0.0)
       fluentd (>= 0.14.0, < 2)
 
 GEM
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -21,12 +21,16 @@ If a given tag has gone this many seconds between log messages, disconnect and r
 
 ### ca_cert
 
-Whether and how to verify the server's TLS certificate. Examples:
+Whether and how to verify the server's TLS certificate signing chain. Examples:
 * ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
 * ca_cert false - Disable verification; not recommended
 * ca_cert /path/to/file - A path+filename to a single CA file
 * ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
 
+### verify_cert_name
+
+Whether to verify that the server's cert matches `host`. Enabled by default (except when `ca_cert false`). Recommended; helps prevent MitM attacks. Example: `true`
+
 ### token
 
 Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.
@@ -114,6 +118,7 @@ Optionally record key where to get msgid from the record. If not provided nil va
   token [token]@[iana-id]
   client_cert /path/to/cert/file.crt
   client_key /path/to/key/file.key
+  verify_cert_name true
 
   hostname static-hostname
   facility SYSLOG
diff --git a/lib/fluent/plugin/out_syslog_tls.rb b/lib/fluent/plugin/out_syslog_tls.rb
@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ class SyslogTlsOutput < Output
     config_param :port, :integer
     config_param :idle_timeout, :integer, default: nil
     config_param :ca_cert, :string, default: 'system'
+    config_param :verify_cert_name, :bool, default: true
     config_param :token, :string, default: nil
     config_param :client_cert, :string, default: nil
     config_param :client_key, :string, default: nil
@@ -98,7 +99,14 @@ def logger(tag)
     end
 
     def new_logger(tag)
-      transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, ca_cert: ca_cert, client_cert: client_cert, client_key: client_key, max_retries: 3)
+      transport = ::SyslogTls::SSLTransport.new(host, port,
+        idle_timeout: idle_timeout,
+        ca_cert: ca_cert,
+        client_cert: client_cert,
+        client_key: client_key,
+        verify_cert_name: verify_cert_name,
+        max_retries: 3,
+      )
       logger = ::SyslogTls::Logger.new(transport, token)
       logger.facility(facility)
       logger.hostname(hostname)
diff --git a/lib/syslog_tls/ssl_transport.rb b/lib/syslog_tls/ssl_transport.rb
@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,17 +25,18 @@ class SSLTransport
 
     attr_accessor :socket
 
-    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :ssl_version
+    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :verify_cert_name, :ssl_version
 
     attr_writer :retries
 
-    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLSv1_2, max_retries: 1)
       @host = host
       @port = port
       @idle_timeout = idle_timeout
       @ca_cert = ca_cert
       @client_cert = client_cert
       @client_key = client_key
+      @verify_cert_name = verify_cert_name
       @ssl_version = ssl_version
       @retries = max_retries
       connect
@@ -97,12 +98,15 @@ def get_ssl_connection
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.ssl_version = ssl_version
 
+      ctx.verify_hostname = verify_cert_name != false
+
       case ca_cert
       when true, 'true', 'system'
         # use system certs, same as openssl cli
         ctx.cert_store = OpenSSL::X509::Store.new
         ctx.cert_store.set_default_paths
       when false, 'false'
+        ctx.verify_hostname = false
         ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
       when %r{/$} # ends in /
         ctx.ca_path = ca_cert
diff --git a/lib/syslog_tls/version.rb b/lib/syslog_tls/version.rb
@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2018 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,5 +14,5 @@
 # limitations under the License.
 
 module SyslogTls
-  VERSION = '1.2.1'
+  VERSION = '2.0.0'
 end
diff --git a/test/fluent/test_out_syslog_tls.rb b/test/fluent/test_out_syslog_tls.rb
@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@ def test_configure
       port   6514
       client_cert
       client_key
+      verify_cert_name true
       token  1234567890
     }
     instance = driver(config).instance
@@ -63,6 +64,7 @@ def test_configure
     assert_equal '6514', instance.port
     assert_equal '', instance.client_cert
     assert_equal '', instance.client_key
+    assert_equal true, instance.verify_cert_name
     assert_equal '1234567890', instance.token
   end
 
