Skip to content

Commit 2a3e268

Browse files
edbingoedbingo
committed
input: add option for verifying client certificates in TLS settings
Signed-off-by: Edward Lancaster <edward.lancaster@siemens.com>
1 parent d6e65fb commit 2a3e268

2 files changed

Lines changed: 16 additions & 0 deletions

File tree

include/fluent-bit/flb_input.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -446,6 +446,7 @@ struct flb_input_instance {
446446
/* TLS settings */
447447
int use_tls; /* bool, try to use TLS for I/O */
448448
int tls_verify; /* Verify certs (default: true) */
449+
int tls_verify_client; /* Verify client certs (default: false) */
449450
int tls_verify_hostname; /* Verify hostname (default: false) */
450451
int tls_debug; /* mbedtls debug level */
451452
char *tls_vhost; /* Virtual hostname for SNI */

src/flb_input.c

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -400,6 +400,7 @@ struct flb_input_instance *flb_input_new(struct flb_config *config,
400400
instance->tls = NULL;
401401
instance->tls_debug = -1;
402402
instance->tls_verify = FLB_TRUE;
403+
instance->tls_verify_client = FLB_FALSE;
403404
instance->tls_verify_hostname = FLB_FALSE;
404405
instance->tls_vhost = NULL;
405406
instance->tls_ca_path = NULL;
@@ -663,6 +664,10 @@ int flb_input_set_property(struct flb_input_instance *ins,
663664
ins->tls_verify = flb_utils_bool(tmp);
664665
flb_sds_destroy(tmp);
665666
}
667+
else if (prop_key_check("tls.verify_client_cert", k, len) == 0 && tmp) {
668+
ins->tls_verify_client = flb_utils_bool(tmp);
669+
flb_sds_destroy(tmp);
670+
}
666671
else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) {
667672
ins->tls_verify_hostname = flb_utils_bool(tmp);
668673
flb_sds_destroy(tmp);
@@ -1390,6 +1395,16 @@ int flb_input_instance_init(struct flb_input_instance *ins,
13901395
return -1;
13911396
}
13921397
}
1398+
1399+
if (ins->tls_verify_client == FLB_TRUE) {
1400+
ret = flb_tls_set_verify_client(ins->tls, ins->tls_verify_client);
1401+
if (ret == -1) {
1402+
flb_error("[input %s] error set up to verify client certificate in TLS context",
1403+
ins->name);
1404+
1405+
return -1;
1406+
}
1407+
}
13931408
}
13941409

13951410
struct flb_config_map *m;

0 commit comments

Comments
 (0)