Skip to content

Commit 3c678d1

Browse files
edbingoedbingo
committed
input: add option for verifying client certificates in TLS settings
Signed-off-by: Edward Lancaster <edward.lancaster@siemens.com>
1 parent d6e65fb commit 3c678d1

2 files changed

Lines changed: 20 additions & 0 deletions

File tree

include/fluent-bit/flb_input.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -446,6 +446,7 @@ struct flb_input_instance {
446446
/* TLS settings */
447447
int use_tls; /* bool, try to use TLS for I/O */
448448
int tls_verify; /* Verify certs (default: true) */
449+
int tls_verify_client; /* Verify client certs (default: false) */
449450
int tls_verify_hostname; /* Verify hostname (default: false) */
450451
int tls_debug; /* mbedtls debug level */
451452
char *tls_vhost; /* Virtual hostname for SNI */

src/flb_input.c

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -400,6 +400,7 @@ struct flb_input_instance *flb_input_new(struct flb_config *config,
400400
instance->tls = NULL;
401401
instance->tls_debug = -1;
402402
instance->tls_verify = FLB_TRUE;
403+
instance->tls_verify_client = FLB_FALSE;
403404
instance->tls_verify_hostname = FLB_FALSE;
404405
instance->tls_vhost = NULL;
405406
instance->tls_ca_path = NULL;
@@ -663,6 +664,14 @@ int flb_input_set_property(struct flb_input_instance *ins,
663664
ins->tls_verify = flb_utils_bool(tmp);
664665
flb_sds_destroy(tmp);
665666
}
667+
else if (prop_key_check("tls.verify_client_cert", k, len) == 0 && tmp) {
668+
ret = flb_utils_bool(tmp);
669+
flb_sds_destroy(tmp);
670+
if (ret == -1) {
671+
return -1;
672+
}
673+
ins->tls_verify_client = ret;
674+
}
666675
else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) {
667676
ins->tls_verify_hostname = flb_utils_bool(tmp);
668677
flb_sds_destroy(tmp);
@@ -1390,6 +1399,16 @@ int flb_input_instance_init(struct flb_input_instance *ins,
13901399
return -1;
13911400
}
13921401
}
1402+
1403+
if (ins->tls_verify_client == FLB_TRUE) {
1404+
ret = flb_tls_set_verify_client(ins->tls, ins->tls_verify_client);
1405+
if (ret == -1) {
1406+
flb_error("[input %s] error set up to verify client certificate in TLS context",
1407+
ins->name);
1408+
1409+
return -1;
1410+
}
1411+
}
13931412
}
13941413

13951414
struct flb_config_map *m;

0 commit comments

Comments
 (0)