fluent-plugin-syslog-tls 1.2.1 → 2.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0a516dcc34ed21eeb6b543a98fab7aa0db940557
-  data.tar.gz: cb40780e2f416387b4a3efa31ff9365342688f01
+SHA256:
+  metadata.gz: 645976d5334d9574e292336a7a04fe771f42c2d6a3a4117157ac765002b0cd59
+  data.tar.gz: 93e1cd22473b4924810765608d9b6741a30faea7f416169f33f4eec07661a607
 SHA512:
-  metadata.gz: 3b6560e0417cd77accc8afdc6dcaf39314c05194cf10e4ac8a677e4a36e335a56e56108ae81e896cf0d76308bfa800b55e5ea20521904e92aed60908d2b8eb32
-  data.tar.gz: 6e04b86be9b0d5227ed339f91d5bf924f4ab60c289e1d1aab28f3a4c35919c118dae2193f30ffc92d39367393e9a9f31bc56083cd377cc4f715f40bee24d1d03
+  metadata.gz: acbe5677f687a549b3133af9a19079ee6ffdba5bc0640b2ddd8b44f0487d6b19c41bd2dd78e4406bf358624600d7509190b29c8048c52a59225998a3a4eae14e
+  data.tar.gz: 5e1c5004e04d102c9b143c37d12117032ac2aec885ad7429bdc68c3887cb75224d9ad46e6325bb38c517cfb706bf27bc036f7d622c49e8cde2cca15d88b70347

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+#### 2.1.0
+
+* Require Ruby 2.5
+* Allow TLS 1.3 (minimum remains TLS 1.2)
+
+
+#### 2.0.0
+
+* Require Ruby 2.4
+* Support SNI and enable cert name verification by default. **This changes the default behavior** and may cause issues if the remote server's cert does not match the configured hostname.
+* Add `verify_cert_name` to enable (default) or disable cert name verification.
+  Note: `ca_cert` verifies the certificate signing chain. `verify_cert_name` verifies the CN/SAN name on the cert.
+
+
 #### 1.2.1
 
 * Support Fluentd 1.0 (same API as 0.14).

data/Gemfile

@@ -15,5 +15,3 @@
 source 'https://rubygems.org'
 
 gemspec
-
-gem 'coveralls', require: false

data/Gemfile.lock

@@ -1,84 +1,74 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-syslog-tls (1.2.1)
+    fluent-plugin-syslog-tls (2.1.0.rc1)
       fluentd (>= 0.14.0, < 2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    cool.io (1.5.3)
-    coveralls (0.8.21)
-      json (>= 1.8, < 3)
-      simplecov (~> 0.14.1)
-      term-ansicolor (~> 1.3)
-      thor (~> 0.19.4)
-      tins (~> 1.6)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    dig_rb (1.0.1)
-    docile (1.1.5)
-    fluentd (1.1.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    concurrent-ruby (1.1.10)
+    cool.io (1.7.1)
+    crack (0.4.5)
+      rexml
+    docile (1.4.0)
+    fluentd (1.15.3)
+      bundler
       cool.io (>= 1.4.5, < 2.0.0)
-      dig_rb (~> 1.0.0)
-      http_parser.rb (>= 0.5.1, < 0.7.0)
-      msgpack (>= 0.7.0, < 2.0.0)
-      serverengine (>= 2.0.4, < 3.0.0)
+      http_parser.rb (>= 0.5.1, < 0.9.0)
+      msgpack (>= 1.3.1, < 2.0.0)
+      serverengine (>= 2.3.0, < 3.0.0)
       sigdump (~> 0.2.2)
-      strptime (>= 0.2.2, < 1.0.0)
-      tzinfo (~> 1.0)
+      strptime (>= 0.2.4, < 1.0.0)
+      tzinfo (>= 1.0, < 3.0)
       tzinfo-data (~> 1.0)
+      webrick (>= 1.4.2, < 1.8.0)
       yajl-ruby (~> 1.0)
-    hashdiff (0.3.7)
-    http_parser.rb (0.6.0)
-    json (2.1.0)
-    minitest (5.10.3)
-    minitest-stub_any_instance (1.0.1)
-    msgpack (1.2.2)
-    power_assert (1.1.1)
-    public_suffix (3.0.1)
-    rake (12.3.0)
-    safe_yaml (1.0.4)
-    serverengine (2.0.6)
+    hashdiff (1.0.1)
+    http_parser.rb (0.8.0)
+    minitest (5.17.0)
+    minitest-stub_any_instance (1.0.3)
+    msgpack (1.6.0)
+    power_assert (2.0.3)
+    public_suffix (5.0.1)
+    rake (13.0.6)
+    rexml (3.2.5)
+    serverengine (2.3.1)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
-    simplecov (0.14.1)
-      docile (~> 1.1.0)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    strptime (0.2.3)
-    term-ansicolor (1.6.0)
-      tins (~> 1.0)
-    test-unit (3.2.6)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.4)
+    strptime (0.2.5)
+    test-unit (3.5.7)
       power_assert
-    thor (0.19.4)
-    thread_safe (0.3.6)
-    tins (1.16.0)
-    tzinfo (1.2.4)
-      thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo (2.0.5)
+      concurrent-ruby (~> 1.0)
+    tzinfo-data (1.2022.7)
       tzinfo (>= 1.0.0)
-    webmock (2.3.2)
-      addressable (>= 2.3.6)
+    webmock (3.18.1)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
-      hashdiff
-    yajl-ruby (1.3.1)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.7.0)
+    yajl-ruby (1.4.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  coveralls
   fluent-plugin-syslog-tls!
   minitest (~> 5.8)
   minitest-stub_any_instance (~> 1.0.0)
   rake
   simplecov (~> 0.11)
   test-unit (~> 3.1)
-  webmock (~> 2.0)
+  webmock (~> 3.0)
 
 BUNDLED WITH
-   1.16.1
+   2.3.26

data/docs/configuration.md

@@ -21,12 +21,16 @@ If a given tag has gone this many seconds between log messages, disconnect and r
 
 ### ca_cert
 
-Whether and how to verify the server's TLS certificate. Examples:
+Whether and how to verify the server's TLS certificate signing chain. Examples:
 * ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
 * ca_cert false - Disable verification; not recommended
 * ca_cert /path/to/file - A path+filename to a single CA file
 * ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
 
+### verify_cert_name
+
+Whether to verify that the server's cert matches `host`. Enabled by default (except when `ca_cert false`). Recommended; helps prevent MitM attacks. Example: `true`
+
 ### token
 
 Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.
@@ -114,6 +118,7 @@ Optionally record key where to get msgid from the record. If not provided nil va
   token [token]@[iana-id]
   client_cert /path/to/cert/file.crt
   client_key /path/to/key/file.key
+  verify_cert_name true
 
   hostname static-hostname
   facility SYSLOG

data/fluent-plugin-syslog-tls.gemspec

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2018 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
   s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.3.0'
+  s.required_ruby_version = '>= 2.5'
 
   s.add_runtime_dependency 'fluentd', [">= 0.14.0", "< 2"]
 
@@ -38,6 +38,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'minitest-stub_any_instance', '~> 1.0.0'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'test-unit', '~> 3.1'
-  s.add_development_dependency 'webmock', '~> 2.0'
+  s.add_development_dependency 'webmock', '~> 3.0'
   s.add_development_dependency 'simplecov', '~> 0.11'
 end

data/lib/fluent/plugin/out_syslog_tls.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ module Fluent::Plugin
     config_param :port, :integer
     config_param :idle_timeout, :integer, default: nil
     config_param :ca_cert, :string, default: 'system'
+    config_param :verify_cert_name, :bool, default: true
     config_param :token, :string, default: nil
     config_param :client_cert, :string, default: nil
     config_param :client_key, :string, default: nil
@@ -98,7 +99,14 @@ module Fluent::Plugin
     end
 
     def new_logger(tag)
-      transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, ca_cert: ca_cert, client_cert: client_cert, client_key: client_key, max_retries: 3)
+      transport = ::SyslogTls::SSLTransport.new(host, port,
+        idle_timeout: idle_timeout,
+        ca_cert: ca_cert,
+        client_cert: client_cert,
+        client_key: client_key,
+        verify_cert_name: verify_cert_name,
+        max_retries: 3,
+      )
       logger = ::SyslogTls::Logger.new(transport, token)
       logger.facility(facility)
       logger.hostname(hostname)

data/lib/syslog_tls/ssl_transport.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,17 +25,18 @@ module SyslogTls
 
     attr_accessor :socket
 
-    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :ssl_version
+    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :verify_cert_name, :ssl_version
 
     attr_writer :retries
 
-    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLS1_2, max_retries: 1)
       @host = host
       @port = port
       @idle_timeout = idle_timeout
       @ca_cert = ca_cert
       @client_cert = client_cert
       @client_key = client_key
+      @verify_cert_name = verify_cert_name
       @ssl_version = ssl_version
       @retries = max_retries
       connect
@@ -95,7 +96,9 @@ module SyslogTls
 
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      ctx.ssl_version = ssl_version
+      ctx.min_version = ssl_version
+
+      ctx.verify_hostname = verify_cert_name != false
 
       case ca_cert
       when true, 'true', 'system'
@@ -103,6 +106,7 @@ module SyslogTls
         ctx.cert_store = OpenSSL::X509::Store.new
         ctx.cert_store.set_default_paths
       when false, 'false'
+        ctx.verify_hostname = false
         ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
       when %r{/$} # ends in /
         ctx.ca_path = ca_cert
@@ -113,6 +117,7 @@ module SyslogTls
       ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert)) if client_cert
       ctx.key = OpenSSL::PKey::read(File.read(client_key)) if client_key
       socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
+      socket.hostname = host
       socket.sync_close = true
       socket
     end

data/lib/syslog_tls/version.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2018 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,5 +14,5 @@
 # limitations under the License.
 
 module SyslogTls
-  VERSION = '1.2.1'
+  VERSION = '2.1.0.rc1'
 end

data/test/fluent/test_out_syslog_tls.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
       port   6514
       client_cert
       client_key
+      verify_cert_name true
       token  1234567890
     }
     instance = driver(config).instance
@@ -63,6 +64,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
     assert_equal '6514', instance.port
     assert_equal '', instance.client_cert
     assert_equal '', instance.client_key
+    assert_equal true, instance.verify_cert_name
     assert_equal '1234567890', instance.token
   end
 

data/test/helper.rb

@@ -12,13 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'coveralls'
 require 'simplecov'
 
 SimpleCov.start
 
-Coveralls.wear! if ENV['TRAVIS']
-
 require 'test/unit'
 require 'fluent/test'
 require 'minitest/pride'

data/test/ssl.rb

@@ -2,12 +2,14 @@ require 'socket'
 require 'openssl'
 
 module SSLTestHelper
-  def ssl_server
+  def ssl_server(min_version: nil, max_version: nil)
     @ssl_server ||= begin
       tcp_server = TCPServer.new("localhost", 33000 + Random.rand(1000))
       ssl_context = OpenSSL::SSL::SSLContext.new
       ssl_context.cert = certificate
       ssl_context.key = rsa_key
+      ssl_context.min_version = min_version if min_version
+      ssl_context.max_version = max_version if max_version
       OpenSSL::SSL::SSLServer.new(tcp_server, ssl_context)
     end
   end

data/test/syslog_tls/test_ssl_transport.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,19 +20,36 @@ require 'syslog_tls/ssl_transport'
 class SSLTransportTest < Test::Unit::TestCase
   include SSLTestHelper
 
-  def test_ok_connection
-    server = ssl_server
-    st = Thread.new {
-      client = server.accept
-      assert_equal "TESTTEST2\n", client.gets
-      client.close
-    }
-    SyslogTls::SSLTransport.stub_any_instance(:get_ssl_connection, ssl_client) do
-      t = SyslogTls::SSLTransport.new("localhost", server.addr[1], max_retries: 3)
-      t.write("TEST")
-      t.write("TEST2\n")
+  # srvr-min  srvr-max clnt-min should-raise?
+  [ [:TLS1_2, :TLS1_2, :TLS1_2],
+    [:TLS1_2, :TLS1_3, :TLS1_2],
+    [:TLS1_3, :TLS1_3, :TLS1_2],
+    [:TLS1_2, :TLS1_2, :TLS1_3, true],
+    [:TLS1_2, :TLS1_3, :TLS1_3],
+    [:TLS1_3, :TLS1_3, :TLS1_3],
+  ].each do |(server_min, server_max, client_min, should_raise)|
+    define_method "test_#{server_min}-#{server_max}_server_#{client_min}_client" do
+      Thread.report_on_exception = false
+      blk = lambda do
+        server = ssl_server(min_version: server_min, max_version: server_max)
+        st = Thread.new {
+          client = server.accept
+          assert_equal "TESTTEST2\n", client.gets
+          client.close
+        }
+        t = SyslogTls::SSLTransport.new("localhost", server.addr[1], ca_cert: false, ssl_version: client_min)
+        t.write("TEST")
+        t.write("TEST2\n")
+        st.join
+      end
+      if should_raise
+        assert_raises OpenSSL::SSL::SSLError, &blk
+      else
+        blk.call
+      end
+    ensure
+      Thread.report_on_exception = true
     end
-    st.join
   end
 
   def test_retry

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-syslog-tls
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 2.1.0.rc1
 platform: ruby
 authors:
 - thomas morgan
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-19 00:00:00.000000000 Z
+date: 2023-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -92,14 +92,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -150,7 +150,7 @@ homepage: https://github.com/zarqman/fluent-plugin-syslog-tls
 licenses:
 - Apache v2
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -158,16 +158,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Fluent Syslog TLS output plugin
 test_files: