tls: support TLS-in-TLS for HTTPS proxy tunnels

antoniomrfranco · antoniomrfranco · commit 23e2f2b3d184 · 2026-05-07T17:37:07.000-03:00
Two related changes:

SNI priority fix: when the TLS context carries an explicit vhost
(e.g. the proxy hostname on a proxy TLS context), that vhost now
takes priority over proxied_host in flb_tls_session_create.
Previously proxied_host was used unconditionally for upstream
connections, causing the proxy TLS handshake to advertise the
destination hostname instead of the proxy hostname.

TLS-in-TLS chaining: add session_set_outer to struct flb_tls_backend
and implement tls_session_set_outer in the OpenSSL backend using
BIO_f_ssl.  When flb_tls_session_create detects an existing
tls_session on the connection (the proxy TLS session), it chains
the new inner session's I/O through the outer session via
SSL_set_bio, so that the destination TLS handshake travels inside
the already-established proxy TLS tunnel rather than going directly
to the raw socket.

Signed-off-by: Antônio Franco &lt;13881523+antoniomrfranco@users.noreply.github.com&gt;
diff --git a/include/fluent-bit/tls/flb_tls.h b/include/fluent-bit/tls/flb_tls.h
@@ -88,6 +88,14 @@ struct flb_tls_backend {
     void (*session_invalidate) (void *);
     int (*session_destroy) (void *);
     const char *(*session_alpn_get) (void *);
+    /*
+     * Chain an inner TLS session's I/O through an outer TLS session.
+     * Used for TLS-in-TLS when connecting through an HTTPS proxy: after
+     * HTTP CONNECT is established over the proxy TLS, the destination TLS
+     * handshake data must be sent through (and encrypted by) the proxy TLS.
+     * Optional: may be NULL if the backend does not support it.
+     */
+    int (*session_set_outer) (void *inner, void *outer);
 
     /* I/O */
     int (*net_read) (struct flb_tls_session *, void *, size_t);
diff --git a/src/tls/flb_tls.c b/src/tls/flb_tls.c
@@ -617,13 +617,20 @@ int flb_tls_session_create(struct flb_tls *tls,
     vhost = NULL;
 
     if (connection->type == FLB_UPSTREAM_CONNECTION) {
-        if (connection->upstream->proxied_host != NULL) {
+        if (tls->vhost != NULL) {
+            /*
+             * An explicit vhost in the TLS context takes priority. This
+             * covers the HTTPS proxy case where the proxy TLS context has
+             * its own vhost (= tcp_host) and must not fall through to
+             * proxied_host which belongs to the inner destination.
+             * Leave vhost as NULL so net_handshake() picks up tls->vhost.
+             */
+        }
+        else if (connection->upstream->proxied_host != NULL) {
             vhost = flb_rtrim(connection->upstream->proxied_host, '.');
         }
         else {
-            if (tls->vhost == NULL) {
-                vhost = flb_rtrim(connection->upstream->tcp_host, '.');
-            }
+            vhost = flb_rtrim(connection->upstream->tcp_host, '.');
         }
     }
 
@@ -643,6 +650,40 @@ int flb_tls_session_create(struct flb_tls *tls,
         return -1;
     }
 
+    /*
+     * If an existing TLS session is already active on this connection
+     * (e.g. the proxy TLS session for an HTTPS proxy), chain the new
+     * session's I/O through it.  The inner (destination) TLS handshake
+     * data must travel inside the outer (proxy) TLS tunnel rather than
+     * going directly to the raw socket.
+     */
+    if (connection->tls_session != NULL &&
+        tls->api->session_set_outer != NULL) {
+        result = tls->api->session_set_outer(session->ptr,
+                                             connection->tls_session->ptr);
+        if (result != 0) {
+            flb_error("[tls] failed to chain TLS session over proxy tunnel for %s",
+                      flb_connection_get_remote_address(connection));
+
+            if (vhost != NULL) {
+                flb_free(vhost);
+            }
+
+            tls->api->session_destroy(session->ptr);
+            flb_free(session);
+            return -1;
+        }
+
+        /*
+         * The outer backend session ptr is now owned by the inner session
+         * (via outer_session).  Release the outer flb_tls_session wrapper
+         * without going through flb_tls_session_destroy, which would free
+         * the backend ptr we just transferred.
+         */
+        flb_free(connection->tls_session);
+        connection->tls_session = NULL;
+    }
+
     session->tls = tls;
     session->connection = connection;
 
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -76,6 +76,7 @@ struct tls_session {
     char alpn[FLB_TLS_ALPN_MAX_LENGTH];
     int continuation_flag;
     struct tls_context *parent;    /* parent struct tls_context ref */
+    struct tls_session *outer_session; /* outer TLS session for TLS-in-TLS (HTTPS proxy) */
 };
 
 static int tls_init(void)
@@ -1279,10 +1280,40 @@ static void *tls_session_create(struct flb_tls *tls,
     return session;
 }
 
+/*
+ * Chain inner TLS session I/O through an outer TLS session.
+ * Used for TLS-in-TLS when connecting through an HTTPS proxy: the inner
+ * (destination) SSL object's BIO is replaced with a BIO_f_ssl wrapper
+ * around the outer (proxy) SSL object, so all inner TLS bytes flow
+ * through the already-established outer TLS tunnel.
+ */
+static int tls_session_set_outer(void *inner_ptr, void *outer_ptr)
+{
+    struct tls_session *inner = (struct tls_session *) inner_ptr;
+    struct tls_session *outer = (struct tls_session *) outer_ptr;
+    BIO *bio;
+
+    bio = BIO_new(BIO_f_ssl());
+    if (!bio) {
+        flb_error("[tls] could not create BIO for TLS-in-TLS tunnel");
+        return -1;
+    }
+
+    /*
+     * BIO_NOCLOSE: the outer SSL object must NOT be freed when this BIO
+     * is freed; we manage its lifecycle via inner->outer_session.
+     */
+    BIO_set_ssl(bio, outer->ssl, BIO_NOCLOSE);
+    SSL_set_bio(inner->ssl, bio, bio);
+    inner->outer_session = outer;
+    return 0;
+}
+
 static int tls_session_destroy(void *session)
 {
     struct tls_session *ptr = session;
     struct tls_context *ctx;
+    struct tls_context *outer_ctx;
 
     if (!ptr) {
         return 0;
@@ -1296,6 +1327,20 @@ static int tls_session_destroy(void *session)
     }
 
     SSL_free(ptr->ssl);
+
+    /*
+     * If this session was chained over an outer TLS session (HTTPS proxy),
+     * BIO_NOCLOSE ensured SSL_free above did not free the outer SSL object.
+     * Free it explicitly now, under its own context mutex.
+     */
+    if (ptr->outer_session != NULL) {
+        outer_ctx = ptr->outer_session->parent;
+        pthread_mutex_lock(&outer_ctx->mutex);
+        SSL_free(ptr->outer_session->ssl);
+        flb_free(ptr->outer_session);
+        pthread_mutex_unlock(&outer_ctx->mutex);
+    }
+
     flb_free(ptr);
 
     pthread_mutex_unlock(&ctx->mutex);
@@ -1688,6 +1733,7 @@ static struct flb_tls_backend tls_openssl = {
     .session_create       = tls_session_create,
     .session_invalidate   = tls_session_invalidate,
     .session_destroy      = tls_session_destroy,
+    .session_set_outer    = tls_session_set_outer,
     .net_read             = tls_net_read,
     .net_write            = tls_net_write,
     .net_handshake        = tls_net_handshake,
