Merge pull request #2888 from fluent/support-tls-verify_callback

server: Add cert_verifier parameter for TLS transport
fluent · Mar 18, 2020 · 5e4bd7b · 5e4bd7b
2 parents 2b7ed60 + f37307b
commit 5e4bd7b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
@@ -36,7 +36,7 @@ def cert_option_create_context(version, insecure, ciphers, conf)
         end
 
         if conf.client_cert_auth
-            ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
         end
 
         ctx.ca_file = conf.ca_path
@@ -45,6 +45,16 @@ def cert_option_create_context(version, insecure, ciphers, conf)
         if extra && !extra.empty?
           ctx.extra_chain_cert = extra
         end
+        if conf.cert_verifier
+          sandbox = Class.new
+          ctx.verify_callback = if File.exist?(conf.cert_verifier)
+                                  verifier = File.read(conf.cert_verifier)
+                                  sandbox.instance_eval(verifier, File.basename(conf.cert_verifier))
+                                else
+                                  sandbox.instance_eval(conf.cert_verifier)
+                                end
+        end
+
         Fluent::TLS.set_version_to_context(ctx, version, conf.min_version, conf.max_version)
 
         ctx

diff --git a/lib/fluent/plugin_helper/server.rb b/lib/fluent/plugin_helper/server.rb
@@ -243,7 +243,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o
         :protocol, :version, :min_version, :max_version, :ciphers, :insecure,
         :ca_path, :cert_path, :private_key_path, :private_key_passphrase, :client_cert_auth,
         :ca_cert_path, :ca_private_key_path, :ca_private_key_passphrase,
-        :generate_private_key_length,
+        :cert_verifier, :generate_private_key_length,
         :generate_cert_country, :generate_cert_state, :generate_cert_state,
         :generate_cert_locality, :generate_cert_common_name,
         :generate_cert_expiration, :generate_cert_digest,
@@ -281,6 +281,8 @@ module ServerTransportParams
           config_param :ca_private_key_path, :string, default: nil
           config_param :ca_private_key_passphrase, :string, default: nil, secret: true
 
+          config_param :cert_verifier, :string, default: nil
+
           # Options for generating certs by private CA certs or self-signed
           config_param :generate_private_key_length, :integer, default: 2048
           config_param :generate_cert_country, :string, default: 'US'