
tls: include X509 error string when verify result is not x509_V_OK. #9527

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

niedbalski
Collaborator

@niedbalski niedbalski commented Oct 25, 2024

Description

Users with an expired CA never got to understand the root cause by reading the log message, although this information is available in the X509 error details (https://x509errors.org/).

[2024/09/16 10:00:38] [error] [tls] error: unexpected EOF with reason: certificate verify failed

This patch adds the X509_verify_cert_error_string to the log message when the SSL verification result is not X509_V_OK.

With this patch applied, the following information is returned:

[2024/10/28 22:35:46] [error] [tls] certificate verification failed, reason: unable to get local issuer certificate (X509 code: 20)

Testing

Configuration I have used.

[SERVICE]
    log_level debug

[CUSTOM]
    name calyptia
    api_key xxx
    fleet_name test-jorge
    calyptia_tls.verify on
    calyptia_host cloud-api-staging.calyptia.com

Documentation

N/A

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
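As an added example (not code from this PR or from Fluent Bit), the same improvement in Python, whose ssl module exposes OpenSSL's SSL_get_verify_result() and X509_verify_cert_error_string() as verify_code and verify_message: a local server offers a self-signed certificate generated with the openssl CLI (assumed to be installed), a verifying client rejects it, and the error handler emits the detailed line instead of the bare "certificate verify failed".

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def describe_tls_error(exc):
    """Log line in the shape the patch adds; verify_code is SSL_get_verify_result(),
    verify_message is X509_verify_cert_error_string(); other failures keep the generic text."""
    code = getattr(exc, "verify_code", None)
    if code is None:
        return f"error: {exc}"
    return f"certificate verification failed, reason: {exc.verify_message} (X509 code: {code})"

def make_self_signed_cert(workdir):
    """Throwaway self-signed certificate via the openssl CLI (assumed to be installed)."""
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return key, crt

def serve_once(listener, key, crt):
    """Accept one connection and offer the untrusted certificate; the client aborts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except (ssl.SSLError, OSError):
        conn.close()  # expected: the client rejected our certificate

def verify_against_untrusted_server():
    """Return (verify_code, log_line) from a verifying client; 18 means self-signed leaf."""
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_self_signed_cert(workdir)
        listener = socket.create_server(("127.0.0.1", 0))
        threading.Thread(target=serve_once, args=(listener, key, crt), daemon=True).start()
        client_ctx = ssl.create_default_context()  # trusts system CAs only
        try:
            with socket.create_connection(listener.getsockname()) as raw, \
                    client_ctx.wrap_socket(raw, server_hostname="localhost"):
                return None, "handshake unexpectedly succeeded"
        except ssl.SSLCertVerificationError as exc:
            return exc.verify_code, describe_tls_error(exc)
        finally:
            listener.close()
```

Running `verify_against_untrusted_server()` yields X509 code 18 (depth-zero self-signed certificate), the kind of detail the original "certificate verify failed" message hid.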

@niedbalski niedbalski self-assigned this Oct 25, 2024
@niedbalski niedbalski changed the title tls: improve cert load and error logging for handshake. tls: add detailed windows store and x509 verification error logs. Oct 25, 2024
@niedbalski niedbalski marked this pull request as ready for review October 25, 2024 12:24
@niedbalski niedbalski marked this pull request as draft October 25, 2024 14:51
@edsiper edsiper added this to the Fluent Bit v3.2.0 milestone Oct 25, 2024
Contributor

@cosmo0920 cosmo0920 left a comment


I found other code style issues. Basically, the added diffs are properly handled for errors. But we need the /* ... */ style for one-line comments.

@niedbalski
Collaborator Author

niedbalski commented Oct 28, 2024

@edsiper @cosmo0920 fixed the issues, will provide some unit tests to ensure this is not breaking.

Add the X509_verify_cert_error_string to the log message
when SSL verification result != X509_V_OK.

Signed-off-by: Jorge Niedbalski <[email protected]>
@niedbalski niedbalski merged commit 642716a into master Oct 29, 2024
51 checks passed
@niedbalski niedbalski deleted the calyptia-tls-debug branch October 29, 2024 08:26