Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: include X509 error string when verify result is not x509_V_OK. #9527

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

niedbalski
Copy link
Collaborator

@niedbalski niedbalski commented Oct 25, 2024

Description

Users with expired CA never got to understand the root cause by reading the log message, although this information is available on the x509 error details. (https://x509errors.org/)

[2024/09/16 10:00:38] [error] [tls] error: unexpected EOF with reason: certificate verify failed

This patch adds the X509_verify_cert_error_string to the log message when SSL verification result != X509_V_OK.

With this patch applied, the following information is returned

[2024/10/28 22:35:46] [error] [tls] certificate verification failed, reason: unable to get local issuer certificate (X509 code: 20)

Testing

Configuration I have used.

[SERVICE]
    log_level debug

[CUSTOM]
    name calyptia
    api_key xxx
    fleet_name test-jorge
    calyptia_tls.verify on
    calyptia_host cloud-api-staging.calyptia.com

Documentation

N/A

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@niedbalski niedbalski self-assigned this Oct 25, 2024
@niedbalski niedbalski changed the title tls: improve cert load and error logging for handshake. tls: add detailed windows store and x509 verification error logs. Oct 25, 2024
@niedbalski niedbalski marked this pull request as ready for review October 25, 2024 12:24
@niedbalski niedbalski marked this pull request as draft October 25, 2024 14:51
src/tls/openssl.c Outdated Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
@edsiper edsiper added this to the Fluent Bit v3.2.0 milestone Oct 25, 2024
Copy link
Contributor

@cosmo0920 cosmo0920 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found other code style issues. Basically, the added diffs are properly handled for errors. But, we need to /* ... */ style of one line comments.

src/tls/openssl.c Outdated Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
src/tls/openssl.c Outdated Show resolved Hide resolved
@niedbalski
Copy link
Collaborator Author

niedbalski commented Oct 28, 2024

@edsiper @cosmo0920 fixed the issues, will provide some unit tests to ensure this is not breaking.

@niedbalski niedbalski marked this pull request as draft October 28, 2024 20:52
@niedbalski niedbalski changed the title tls: add detailed windows store and x509 verification error logs. tls: include X509 error string when verify result is not x509_V_OK. Oct 28, 2024
Add the X509_verify_cert_error_string to the log message
when SSL verification result != X509_V_OK.

Signed-off-by: Jorge Niedbalski <[email protected]>
@niedbalski niedbalski merged commit 642716a into master Oct 29, 2024
51 checks passed
@niedbalski niedbalski deleted the calyptia-tls-debug branch October 29, 2024 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants