
[TLS] Fluentd does not accept certificates containing CRLF instead of LF #2889

Closed
pbudner opened this issue Mar 16, 2020 · 0 comments · Fixed by #2890

Comments

pbudner commented Mar 16, 2020

Describe the bug
Enabling TLS transport using a valid X.509 certificate that contains CRLF instead of LF leads to unexpected behavior. Fluentd is not able to parse the valid certificate and refuses to do TLS handshakes.

To Reproduce
Specify a forward input using TLS that points to a certificate containing CRLF instead of LF.

Expected behavior
Fluentd should warn if it could not parse and find a valid certificate in the given cert_path content. Also, Fluentd should be able to handle certificates that contain CRLF instead of LF.

Your Environment

  • Fluentd or td-agent version: fluentd 1.9.3
  • Operating system: NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/"
  • Kernel version: 4.14.171-136.231.amzn2.x86_64

Your Configuration

<system>
  workers 1
  log_level debug
</system>

<source>
  @type forward
  @id input_forward
  port 24224
  <transport tls>
    cert_path /Users/pascalbudner/Certs/fluentd.dev.broken.cer
    private_key_path /Users/pascalbudner/Certs/fluentd.dev.broken.key
  </transport>
</source>

Your Error Log

[warn]: #0 [input_forward] unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=SSLv3 read client hello C: no shared cipher"

Additional context

nothing to add here
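To make the failure mode concrete, here is an added Ruby example (it is not Fluentd's code and not the change from #2890). It contrasts a line-anchored pattern, which silently finds zero certificates in CRLF input, with a loader that normalizes line endings before extracting PEM blocks and raises instead of returning an empty list. The function names and the self-signed certificate built in `make_self_signed_pem` are constructed for this example.

```ruby
require 'openssl'

# Pattern for one PEM certificate block after line endings have been
# normalized to LF. The base64 body never contains '-', so [^-] is safe.
PEM_CERT_BLOCK = /-+BEGIN CERTIFICATE-+\n(?:[^-]+\n)+-+END CERTIFICATE-+\n?/

# Extract every certificate from PEM text. Accepts CRLF or LF line endings
# and raises instead of silently returning an empty list; an empty list is
# what leaves a TLS server without a certificate ("no shared cipher").
def certificates_from_pem(data)
  normalized = data.gsub("\r\n", "\n")
  certs = normalized.scan(PEM_CERT_BLOCK).map { |block| OpenSSL::X509::Certificate.new(block) }
  raise ArgumentError, 'no PEM certificate found in the given content' if certs.empty?
  certs
end

# Counts BEGIN markers with an end-of-line anchor ($). Ruby's $ matches only
# immediately before "\n", so a "-----\r\n" line never matches: this is the
# kind of pattern that returns 0 on CRLF input without raising any error.
def line_anchored_marker_count(data)
  data.scan(/^-+BEGIN CERTIFICATE-+$/).length
end

# Builds a throwaway self-signed certificate so the example runs offline
# (constructed test data, not a real certificate).
def make_self_signed_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  lf_pem = make_self_signed_pem('fluentd.example.test')
  crlf_pem = lf_pem.gsub("\n", "\r\n")
  puts "LF:   #{certificates_from_pem(lf_pem).length} cert(s), anchored marker count #{line_anchored_marker_count(lf_pem)}"
  puts "CRLF: #{certificates_from_pem(crlf_pem).length} cert(s), anchored marker count #{line_anchored_marker_count(crlf_pem)}"
end
```

The important design choice is the explicit error: a loader that quietly yields no certificate produces a server that starts up fine and only fails at handshake time with an opaque OpenSSL message, which is exactly what the log line in this issue shows.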

pbudner added a commit to pbudner/fluentd that referenced this issue Mar 16, 2020
…ogging when parsing certificates

Signed-off-by: Pascal Budner <mail@pascalbudner.de>
repeatedly added a commit that referenced this issue Mar 17, 2020
Fixes #2889 by supporting CRLF and LF X.509 certificates