fluent-plugin-syslog-tls 1.2.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0a516dcc34ed21eeb6b543a98fab7aa0db940557
-  data.tar.gz: cb40780e2f416387b4a3efa31ff9365342688f01
+SHA256:
+  metadata.gz: 262868fd779671864af8b5cef830ce93520fead4d2180961594f6fa936eeeb85
+  data.tar.gz: b8268ed11a3bd9f0735894d7ff53593f4a1f505b0ed2cb754d40faab78cecd2f
 SHA512:
-  metadata.gz: 3b6560e0417cd77accc8afdc6dcaf39314c05194cf10e4ac8a677e4a36e335a56e56108ae81e896cf0d76308bfa800b55e5ea20521904e92aed60908d2b8eb32
-  data.tar.gz: 6e04b86be9b0d5227ed339f91d5bf924f4ab60c289e1d1aab28f3a4c35919c118dae2193f30ffc92d39367393e9a9f31bc56083cd377cc4f715f40bee24d1d03
+  metadata.gz: a867380a0f4fec32d2db3a2713b1d0249c0ffbac667517d38163e3215c59c82a1ed1f73c14e78c9ec60a68cc4d93a4b1c36d7fe9f90a2c73d13d6d7c3429ad51
+  data.tar.gz: 1815edfd8f9faf39328de0c2690f13e95572dfd7d0e34e828562a83dcb1aee3c1890a1950491696ed573c33a33884b80b89cebde473ede9b48ba13e4ef089b66

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+#### 2.0.0
+
+* Require Ruby 2.4
+* Support SNI and enable cert name verification by default. **This changes the default behavior** and may cause issues if the remote server's cert does not match the configured hostname.
+* Add `verify_cert_name` to enable (default) or disable cert name verification.
+  Note: `ca_cert` verifies the certificate signing chain. `verify_cert_name` verifies the CN/SAN name on the cert.
+
+
 #### 1.2.1
 
 * Support Fluentd 1.0 (same API as 0.14).

data/Gemfile.lock

@@ -1,26 +1,26 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-syslog-tls (1.2.1)
+    fluent-plugin-syslog-tls (2.0.0)
       fluentd (>= 0.14.0, < 2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.5.2)
+    addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
-    cool.io (1.5.3)
-    coveralls (0.8.21)
+    cool.io (1.5.4)
+    coveralls (0.8.23)
       json (>= 1.8, < 3)
-      simplecov (~> 0.14.1)
+      simplecov (~> 0.16.1)
       term-ansicolor (~> 1.3)
-      thor (~> 0.19.4)
+      thor (>= 0.19.4, < 2.0)
       tins (~> 1.6)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     dig_rb (1.0.1)
-    docile (1.1.5)
-    fluentd (1.1.0)
+    docile (1.3.1)
+    fluentd (1.5.0)
       cool.io (>= 1.4.5, < 2.0.0)
       dig_rb (~> 1.0.0)
       http_parser.rb (>= 0.5.1, < 0.7.0)
@@ -31,41 +31,41 @@ GEM
       tzinfo (~> 1.0)
       tzinfo-data (~> 1.0)
       yajl-ruby (~> 1.0)
-    hashdiff (0.3.7)
+    hashdiff (0.4.0)
     http_parser.rb (0.6.0)
-    json (2.1.0)
-    minitest (5.10.3)
-    minitest-stub_any_instance (1.0.1)
-    msgpack (1.2.2)
-    power_assert (1.1.1)
-    public_suffix (3.0.1)
-    rake (12.3.0)
-    safe_yaml (1.0.4)
-    serverengine (2.0.6)
+    json (2.2.0)
+    minitest (5.11.3)
+    minitest-stub_any_instance (1.0.2)
+    msgpack (1.2.10)
+    power_assert (1.1.4)
+    public_suffix (3.1.0)
+    rake (12.3.2)
+    safe_yaml (1.0.5)
+    serverengine (2.1.1)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
-    simplecov (0.14.1)
-      docile (~> 1.1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     strptime (0.2.3)
-    term-ansicolor (1.6.0)
+    term-ansicolor (1.7.1)
       tins (~> 1.0)
-    test-unit (3.2.6)
+    test-unit (3.3.3)
       power_assert
-    thor (0.19.4)
+    thor (0.20.3)
     thread_safe (0.3.6)
-    tins (1.16.0)
-    tzinfo (1.2.4)
+    tins (1.20.3)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2019.1)
       tzinfo (>= 1.0.0)
-    webmock (2.3.2)
+    webmock (3.5.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff
-    yajl-ruby (1.3.1)
+    yajl-ruby (1.4.1)
 
 PLATFORMS
   ruby
@@ -78,7 +78,7 @@ DEPENDENCIES
   rake
   simplecov (~> 0.11)
   test-unit (~> 3.1)
-  webmock (~> 2.0)
+  webmock (~> 3.0)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

data/docs/configuration.md

@@ -21,12 +21,16 @@ If a given tag has gone this many seconds between log messages, disconnect and r
 
 ### ca_cert
 
-Whether and how to verify the server's TLS certificate. Examples:
+Whether and how to verify the server's TLS certificate signing chain. Examples:
 * ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
 * ca_cert false - Disable verification; not recommended
 * ca_cert /path/to/file - A path+filename to a single CA file
 * ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
 
+### verify_cert_name
+
+Whether to verify that the server's cert matches `host`. Enabled by default (except when `ca_cert false`). Recommended; helps prevent MitM attacks. Example: `true`
+
 ### token
 
 Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.
@@ -114,6 +118,7 @@ Optionally record key where to get msgid from the record. If not provided nil va
   token [token]@[iana-id]
   client_cert /path/to/cert/file.crt
   client_key /path/to/key/file.key
+  verify_cert_name true
 
   hostname static-hostname
   facility SYSLOG

data/fluent-plugin-syslog-tls.gemspec

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2018 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
   s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.3.0'
+  s.required_ruby_version = '>= 2.4'
 
   s.add_runtime_dependency 'fluentd', [">= 0.14.0", "< 2"]
 
@@ -38,6 +38,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'minitest-stub_any_instance', '~> 1.0.0'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'test-unit', '~> 3.1'
-  s.add_development_dependency 'webmock', '~> 2.0'
+  s.add_development_dependency 'webmock', '~> 3.0'
   s.add_development_dependency 'simplecov', '~> 0.11'
 end

data/lib/fluent/plugin/out_syslog_tls.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ module Fluent::Plugin
     config_param :port, :integer
     config_param :idle_timeout, :integer, default: nil
     config_param :ca_cert, :string, default: 'system'
+    config_param :verify_cert_name, :bool, default: true
     config_param :token, :string, default: nil
     config_param :client_cert, :string, default: nil
     config_param :client_key, :string, default: nil
@@ -98,7 +99,14 @@ module Fluent::Plugin
     end
 
     def new_logger(tag)
-      transport = ::SyslogTls::SSLTransport.new(host, port, idle_timeout: idle_timeout, ca_cert: ca_cert, client_cert: client_cert, client_key: client_key, max_retries: 3)
+      transport = ::SyslogTls::SSLTransport.new(host, port,
+        idle_timeout: idle_timeout,
+        ca_cert: ca_cert,
+        client_cert: client_cert,
+        client_key: client_key,
+        verify_cert_name: verify_cert_name,
+        max_retries: 3,
+      )
       logger = ::SyslogTls::Logger.new(transport, token)
       logger.facility(facility)
       logger.hostname(hostname)

data/lib/syslog_tls/ssl_transport.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,17 +25,18 @@ module SyslogTls
 
     attr_accessor :socket
 
-    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :ssl_version
+    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :verify_cert_name, :ssl_version
 
     attr_writer :retries
 
-    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLSv1_2, max_retries: 1)
       @host = host
       @port = port
       @idle_timeout = idle_timeout
       @ca_cert = ca_cert
       @client_cert = client_cert
       @client_key = client_key
+      @verify_cert_name = verify_cert_name
       @ssl_version = ssl_version
       @retries = max_retries
       connect
@@ -97,12 +98,15 @@ module SyslogTls
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.ssl_version = ssl_version
 
+      ctx.verify_hostname = verify_cert_name != false
+
       case ca_cert
       when true, 'true', 'system'
         # use system certs, same as openssl cli
         ctx.cert_store = OpenSSL::X509::Store.new
         ctx.cert_store.set_default_paths
       when false, 'false'
+        ctx.verify_hostname = false
         ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
       when %r{/$} # ends in /
         ctx.ca_path = ca_cert
@@ -113,6 +117,7 @@ module SyslogTls
       ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert)) if client_cert
       ctx.key = OpenSSL::PKey::read(File.read(client_key)) if client_key
       socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
+      socket.hostname = host
       socket.sync_close = true
       socket
     end

data/lib/syslog_tls/version.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2018 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,5 +14,5 @@
 # limitations under the License.
 
 module SyslogTls
-  VERSION = '1.2.1'
+  VERSION = '2.0.0'
 end

data/test/fluent/test_out_syslog_tls.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2019 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
       port   6514
       client_cert
       client_key
+      verify_cert_name true
       token  1234567890
     }
     instance = driver(config).instance
@@ -63,6 +64,7 @@ class SyslogTlsOutputTest < Test::Unit::TestCase
     assert_equal '6514', instance.port
     assert_equal '', instance.client_cert
     assert_equal '', instance.client_key
+    assert_equal true, instance.verify_cert_name
     assert_equal '1234567890', instance.token
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-syslog-tls
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 2.0.0
 platform: ruby
 authors:
 - thomas morgan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-19 00:00:00.000000000 Z
+date: 2019-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -92,14 +92,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -158,15 +158,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Fluent Syslog TLS output plugin