Fix SSL Subject regression in server mode #199
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yaauie
force-pushed
the
restore-missing-ssl-subject
branch
from
af8540c to
77c63f8
Compare
Alters the TCP#decode_buffer signature to accept the _ssl subject_ instead of expecting a ruby socket, so that it can be interoperable between the ruby-based client mode and the netty-powered server mode. In server mode, the SSL subject is extracted _once_ when initializing the connection IFF SSL is enabled and verification is turned on. Co-authored-by: Will Weber <[email protected]> Closes: logstash-plugins#159
yaauie
force-pushed
the
restore-missing-ssl-subject
branch
from
77c63f8 to
9c643c8
Compare
kares
reviewed
May 4, 2022
There was a problem hiding this comment.
not sure what the old format was but it would be nice to use the same (RFC) format.
otherwise the formats are different (the RFC format is cleaner IMHO) :
- Ruby
"/OU=foo bar; please fix your client./CN=sample.name" - Java
"CN=sample.name,OU=foo bar\\; please fix your client."
| def extract_sslsubject(channel) | ||
| return nil unless @tcp.ssl_enable && @tcp.ssl_verify | ||
|
|
||
| channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName() |
There was a problem hiding this comment.
Suggested change
| channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName() | |
| channel.pipeline().get("ssl-handler").engine.getSession.getPeerCertificates[0].getSubjectX500Principal.getName |
| return nil unless @tcp.ssl_enable && @tcp.ssl_verify | ||
|
|
||
| channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName() | ||
| rescue Exception => e |
There was a problem hiding this comment.
let's not use the anti-pattern or rescuing everything
Suggested change
| rescue Exception => e | |
| rescue java.lang.Exception |
also might be worth logging the exception at least on the debug level
| def handle_socket(socket) | ||
| client_address = socket.peeraddr[3] | ||
| client_ip_address = socket.peeraddr[2] | ||
| client_port = socket.peeraddr[1] | ||
|
|
||
| # Client mode sslsubject extraction, server mode happens in DecoderImpl#decode | ||
| ssl_subject = socket.peer_cert.subject.to_s if @ssl_enable && @ssl_verify |
There was a problem hiding this comment.
Suggested change
| ssl_subject = socket.peer_cert.subject.to_s if @ssl_enable && @ssl_verify | |
| ssl_subject = socket.peer_cert.subject.to_s(OpenSSL::X509::Name::RFC2253) if @ssl_enable && @ssl_verify |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Alters the TCP#decode_buffer signature to accept the ssl subject instead of
expecting a ruby socket, so that it can be interoperable between the ruby-based
client mode and the netty-powered server mode.
In server mode, the SSL subject is extracted once when initializing the
connection IFF SSL is enabled and verification is turned on.
Co-authored-by: Will Weber [email protected]
Closes: #159