fluent-plugin-syslog-tls 1.2.1 → 2.0.0

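--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 0a516dcc34ed21eeb6b543a98fab7aa0db940557
-data.tar.gz: cb40780e2f416387b4a3efa31ff9365342688f01
+SHA256:
+metadata.gz: 262868fd779671864af8b5cef830ce93520fead4d2180961594f6fa936eeeb85
+data.tar.gz: b8268ed11a3bd9f0735894d7ff53593f4a1f505b0ed2cb754d40faab78cecd2f
 SHA512:
-metadata.gz: 3b6560e0417cd77accc8afdc6dcaf39314c05194cf10e4ac8a677e4a36e335a56e56108ae81e896cf0d76308bfa800b55e5ea20521904e92aed60908d2b8eb32
-data.tar.gz: 6e04b86be9b0d5227ed339f91d5bf924f4ab60c289e1d1aab28f3a4c35919c118dae2193f30ffc92d39367393e9a9f31bc56083cd377cc4f715f40bee24d1d03
+metadata.gz: a867380a0f4fec32d2db3a2713b1d0249c0ffbac667517d38163e3215c59c82a1ed1f73c14e78c9ec60a68cc4d93a4b1c36d7fe9f90a2c73d13d6d7c3429ad51
+data.tar.gz: 1815edfd8f9faf39328de0c2690f13e95572dfd7d0e34e828562a83dcb1aee3c1890a1950491696ed573c33a33884b80b89cebde473ede9b48ba13e4ef089b66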
@@ -1,3 +1,11 @@
1
+ #### 2.0.0
2
+
3
+ * Require Ruby 2.4
4
+ * Support SNI and enable cert name verification by default. **This changes the default behavior** and may cause issues if the remote server's cert does not match the configured hostname.
5
+ * Add `verify_cert_name` to enable (default) or disable cert name verification.
6
+ Note: `ca_cert` verifies the certificate signing chain. `verify_cert_name` verifies the CN/SAN name on the cert.
7
+
8
+
1
9
  #### 1.2.1
2
10
 
3
11
  * Support Fluentd 1.0 (same API as 0.14).
@@ -1,26 +1,26 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- fluent-plugin-syslog-tls (1.2.1)
4
+ fluent-plugin-syslog-tls (2.0.0)
5
5
  fluentd (>= 0.14.0, < 2)
6
6
 
7
7
  GEM
8
8
  remote: https://rubygems.org/
9
9
  specs:
10
- addressable (2.5.2)
10
+ addressable (2.6.0)
11
11
  public_suffix (>= 2.0.2, < 4.0)
12
- cool.io (1.5.3)
13
- coveralls (0.8.21)
12
+ cool.io (1.5.4)
13
+ coveralls (0.8.23)
14
14
  json (>= 1.8, < 3)
15
- simplecov (~> 0.14.1)
15
+ simplecov (~> 0.16.1)
16
16
  term-ansicolor (~> 1.3)
17
- thor (~> 0.19.4)
17
+ thor (>= 0.19.4, < 2.0)
18
18
  tins (~> 1.6)
19
19
  crack (0.4.3)
20
20
  safe_yaml (~> 1.0.0)
21
21
  dig_rb (1.0.1)
22
- docile (1.1.5)
23
- fluentd (1.1.0)
22
+ docile (1.3.1)
23
+ fluentd (1.5.0)
24
24
  cool.io (>= 1.4.5, < 2.0.0)
25
25
  dig_rb (~> 1.0.0)
26
26
  http_parser.rb (>= 0.5.1, < 0.7.0)
@@ -31,41 +31,41 @@ GEM
31
31
  tzinfo (~> 1.0)
32
32
  tzinfo-data (~> 1.0)
33
33
  yajl-ruby (~> 1.0)
34
- hashdiff (0.3.7)
34
+ hashdiff (0.4.0)
35
35
  http_parser.rb (0.6.0)
36
- json (2.1.0)
37
- minitest (5.10.3)
38
- minitest-stub_any_instance (1.0.1)
39
- msgpack (1.2.2)
40
- power_assert (1.1.1)
41
- public_suffix (3.0.1)
42
- rake (12.3.0)
43
- safe_yaml (1.0.4)
44
- serverengine (2.0.6)
36
+ json (2.2.0)
37
+ minitest (5.11.3)
38
+ minitest-stub_any_instance (1.0.2)
39
+ msgpack (1.2.10)
40
+ power_assert (1.1.4)
41
+ public_suffix (3.1.0)
42
+ rake (12.3.2)
43
+ safe_yaml (1.0.5)
44
+ serverengine (2.1.1)
45
45
  sigdump (~> 0.2.2)
46
46
  sigdump (0.2.4)
47
- simplecov (0.14.1)
48
- docile (~> 1.1.0)
47
+ simplecov (0.16.1)
48
+ docile (~> 1.1)
49
49
  json (>= 1.8, < 3)
50
50
  simplecov-html (~> 0.10.0)
51
51
  simplecov-html (0.10.2)
52
52
  strptime (0.2.3)
53
- term-ansicolor (1.6.0)
53
+ term-ansicolor (1.7.1)
54
54
  tins (~> 1.0)
55
- test-unit (3.2.6)
55
+ test-unit (3.3.3)
56
56
  power_assert
57
- thor (0.19.4)
57
+ thor (0.20.3)
58
58
  thread_safe (0.3.6)
59
- tins (1.16.0)
60
- tzinfo (1.2.4)
59
+ tins (1.20.3)
60
+ tzinfo (1.2.5)
61
61
  thread_safe (~> 0.1)
62
- tzinfo-data (1.2017.3)
62
+ tzinfo-data (1.2019.1)
63
63
  tzinfo (>= 1.0.0)
64
- webmock (2.3.2)
64
+ webmock (3.5.1)
65
65
  addressable (>= 2.3.6)
66
66
  crack (>= 0.3.2)
67
67
  hashdiff
68
- yajl-ruby (1.3.1)
68
+ yajl-ruby (1.4.1)
69
69
 
70
70
  PLATFORMS
71
71
  ruby
@@ -78,7 +78,7 @@ DEPENDENCIES
78
78
  rake
79
79
  simplecov (~> 0.11)
80
80
  test-unit (~> 3.1)
81
- webmock (~> 2.0)
81
+ webmock (~> 3.0)
82
82
 
83
83
  BUNDLED WITH
84
- 1.16.1
84
+ 1.17.3
@@ -21,12 +21,16 @@ If a given tag has gone this many seconds between log messages, disconnect and r
21
21
 
22
22
  ### ca_cert
23
23
 
24
- Whether and how to verify the server's TLS certificate. Examples:
24
+ Whether and how to verify the server's TLS certificate signing chain. Examples:
25
25
  * ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
26
26
  * ca_cert false - Disable verification; not recommended
27
27
  * ca_cert /path/to/file - A path+filename to a single CA file
28
28
  * ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
29
29
 
30
+ ### verify_cert_name
31
+
32
+ Whether to verify that the server's cert matches `host`. Enabled by default (except when `ca_cert false`). Recommended; helps prevent MitM attacks. Example: `true`
33
+
30
34
  ### token
31
35
 
32
36
  Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.
@@ -114,6 +118,7 @@ Optionally record key where to get msgid from the record. If not provided nil va
114
118
  token [token]@[iana-id]
115
119
  client_cert /path/to/cert/file.crt
116
120
  client_key /path/to/key/file.key
121
+ verify_cert_name true
117
122
 
118
123
  hostname static-hostname
119
124
  facility SYSLOG
@@ -1,5 +1,5 @@
1
1
  # Copyright 2016 Acquia, Inc.
2
- # Copyright 2016-2018 t.e.morgan.
2
+ # Copyright 2016-2019 t.e.morgan.
3
3
  #
4
4
  # Licensed under the Apache License, Version 2.0 (the "License");
5
5
  # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
30
30
  s.executables = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
31
31
  s.test_files = s.files.grep(%r{^(test|spec|features)/})
32
32
  s.require_paths = ['lib']
33
- s.required_ruby_version = '>= 2.3.0'
33
+ s.required_ruby_version = '>= 2.4'
34
34
 
35
35
  s.add_runtime_dependency 'fluentd', [">= 0.14.0", "< 2"]
36
36
 
@@ -38,6 +38,6 @@ Gem::Specification.new do |s|
38
38
  s.add_development_dependency 'minitest-stub_any_instance', '~> 1.0.0'
39
39
  s.add_development_dependency 'rake'
40
40
  s.add_development_dependency 'test-unit', '~> 3.1'
41
- s.add_development_dependency 'webmock', '~> 2.0'
41
+ s.add_development_dependency 'webmock', '~> 3.0'
42
42
  s.add_development_dependency 'simplecov', '~> 0.11'
43
43
  end
@@ -1,5 +1,5 @@
1
1
  # Copyright 2016 Acquia, Inc.
2
- # Copyright 2016 t.e.morgan.
2
+ # Copyright 2016-2019 t.e.morgan.
3
3
  #
4
4
  # Licensed under the Apache License, Version 2.0 (the "License");
5
5
  # you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ module Fluent::Plugin
29
29
  config_param :port, :integer
30
30
  config_param :idle_timeout, :integer, default: nil
31
31
  config_param :ca_cert, :string, default: 'system'
32
+ config_param :verify_cert_name, :bool, default: true
32
33
  config_param :token, :string, default: nil
33
34
  config_param :client_cert, :string, default: nil
34
35
  config_param :client_key, :string, default: nil
@@ -98,7 +99,14 @@ module Fluent::Plugin
98
99
  end
99
100
 
100
101
  def new_logger(tag)
101
- transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, ca_cert: ca_cert, client_cert: client_cert, client_key: client_key, max_retries: 3)
102
+ transport = ::SyslogTls::SSLTransport.new(host, port,
103
+ idle_timeout: idle_timeout,
104
+ ca_cert: ca_cert,
105
+ client_cert: client_cert,
106
+ client_key: client_key,
107
+ verify_cert_name: verify_cert_name,
108
+ max_retries: 3,
109
+ )
102
110
  logger = ::SyslogTls::Logger.new(transport, token)
103
111
  logger.facility(facility)
104
112
  logger.hostname(hostname)
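Review bot: `config_param :verify_cert_name, :bool, default: true` (hunk `@@ -29,6 +29,7 @@`) carries no description, and its effective value is not independent: the transport in this same release forces name verification off whenever `ca_cert` is `false`/`'false'`, so `verify_cert_name true` next to `ca_cert false` is silently ignored. Adding `desc 'Verify that the server certificate CN/SAN matches host; has no effect when ca_cert is false'` above the param makes that coupling visible in generated plugin docs. A `log.warn` in `configure` (outside this hunk) when the resolved settings leave identity checking disabled would also let operators notice a weakened configuration at startup rather than only in a packet capture. The `new_logger` hunk itself looks fine; the hard-coded `max_retries: 3` predates this change.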
@@ -1,5 +1,5 @@
1
1
  # Copyright 2016 Acquia, Inc.
2
- # Copyright 2016 t.e.morgan.
2
+ # Copyright 2016-2019 t.e.morgan.
3
3
  #
4
4
  # Licensed under the Apache License, Version 2.0 (the "License");
5
5
  # you may not use this file except in compliance with the License.
@@ -25,17 +25,18 @@ module SyslogTls
25
25
 
26
26
  attr_accessor :socket
27
27
 
28
- attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :ssl_version
28
+ attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :verify_cert_name, :ssl_version
29
29
 
30
30
  attr_writer :retries
31
31
 
32
- def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
32
+ def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLSv1_2, max_retries: 1)
33
33
  @host = host
34
34
  @port = port
35
35
  @idle_timeout = idle_timeout
36
36
  @ca_cert = ca_cert
37
37
  @client_cert = client_cert
38
38
  @client_key = client_key
39
+ @verify_cert_name = verify_cert_name
39
40
  @ssl_version = ssl_version
40
41
  @retries = max_retries
41
42
  connect
@@ -97,12 +98,15 @@ module SyslogTls
97
98
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
98
99
  ctx.ssl_version = ssl_version
99
100
 
101
+ ctx.verify_hostname = verify_cert_name != false
102
+
100
103
  case ca_cert
101
104
  when true, 'true', 'system'
102
105
  # use system certs, same as openssl cli
103
106
  ctx.cert_store = OpenSSL::X509::Store.new
104
107
  ctx.cert_store.set_default_paths
105
108
  when false, 'false'
109
+ ctx.verify_hostname = false
106
110
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
107
111
  when %r{/$} # ends in /
108
112
  ctx.ca_path = ca_cert
@@ -113,6 +117,7 @@ module SyslogTls
113
117
  ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert)) if client_cert
114
118
  ctx.key = OpenSSL::PKey::read(File.read(client_key)) if client_key
115
119
  socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
120
+ socket.hostname = host
116
121
  socket.sync_close = true
117
122
  socket
118
123
  end
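Review bot: `ctx.verify_hostname = verify_cert_name != false` (hunk `@@ -97,12 +98,15 @@`) disables the identity check only for the literal `false`, whereas the `ca_cert` branch two lines below also accepts the string `'false'`; that is the fail-safe direction for direct users of `SSLTransport.new`, but the asymmetry is undocumented, so a comment such as `# identity check: cert CN/SAN must match host (chain trust is governed by ca_cert below); only boolean false disables it` on that line would help. The check depends on `socket.hostname = host` in hunk `@@ -113,6 +117,7 @@`, which also sends `host` as the SNI name; if `host` can be an IP literal, RFC 6066 says it must not be sent as SNI and some servers will reject the handshake, so either restrict `host` to DNS names in the docs or skip the SNI assignment for IP literals while keeping `verify_hostname` on. The method that builds `ctx` starts before the first of these hunks, so the `VERIFY_PEER` line at its top is context rather than new code.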
@@ -1,5 +1,5 @@
1
1
  # Copyright 2016 Acquia, Inc.
2
- # Copyright 2016-2018 t.e.morgan.
2
+ # Copyright 2016-2019 t.e.morgan.
3
3
  #
4
4
  # Licensed under the Apache License, Version 2.0 (the "License");
5
5
  # you may not use this file except in compliance with the License.
@@ -14,5 +14,5 @@
14
14
  # limitations under the License.
15
15
 
16
16
  module SyslogTls
17
- VERSION = '1.2.1'
17
+ VERSION = '2.0.0'
18
18
  end
@@ -1,5 +1,5 @@
1
1
  # Copyright 2016 Acquia, Inc.
2
- # Copyright 2016 t.e.morgan.
2
+ # Copyright 2016-2019 t.e.morgan.
3
3
  #
4
4
  # Licensed under the Apache License, Version 2.0 (the "License");
5
5
  # you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
55
55
  port 6514
56
56
  client_cert
57
57
  client_key
58
+ verify_cert_name true
58
59
  token 1234567890
59
60
  }
60
61
  instance = driver(config).instance
@@ -63,6 +64,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
63
64
  assert_equal '6514', instance.port
64
65
  assert_equal '', instance.client_cert
65
66
  assert_equal '', instance.client_key
67
+ assert_equal true, instance.verify_cert_name
66
68
  assert_equal '1234567890', instance.token
67
69
  end
68
70
 
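Review bot: The new assertion `assert_equal true, instance.verify_cert_name` (hunk `@@ -63,6 +64,7 @@`) cannot distinguish the explicit `verify_cert_name true` in the config from the `default: true`, so it does not show that the `:bool` param is actually parsed. A second case with `verify_cert_name false` asserting `assert_equal false, instance.verify_cert_name`, and ideally one with no `verify_cert_name` line asserting the default, would pin both the parsing and the secure-by-default behaviour the changelog promises. The enclosing test method starts before this hunk.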
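--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-syslog-tls
 version: !ruby/object:Gem::Version
-version: 1.2.1
+version: 2.0.0
 platform: ruby
 authors:
 - thomas morgan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-19 00:00:00.000000000 Z
+date: 2019-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: fluentd
@@ -92,14 +92,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 - !ruby/object:Gem::Dependency
 name: simplecov
 requirement: !ruby/object:Gem::Requirement
@@ -158,15 +158,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.3.0
+version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Fluent Syslog TLS output plugin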