
Add server_name override for x509_cert plugin #6917

Merged: 1 commit, Jan 22, 2020

Conversation

hackery
Contributor

@hackery hackery commented Jan 17, 2020

Closes #6809.

As it's my first contrib to this project:

  • signed CLA
  • make check && make test
  • integration test: docker-compose up would not start, problem with docker-credential-secretservice
  • add unit test: I couldn't identify a suitable test to add - I could update PR if you have some guidance on that.

@hackery
Contributor Author

hackery commented Jan 19, 2020

Here's the ad hoc test that I've run:

  • set up local nginx server with TLS and separate self-signed certs for two virtual hosts, localhost (default) and example.com with CN= to match, no SAN.
  • ran x509_cert against localhost without server_name, and then with server_name = example.com
  • (not shown here) observed TLS traffic to verify seeing expected SNI in ClientHello message

root@zen:/etc/nginx/tls# sudo openssl req -x509 -newkey rsa:4096 -keyout example.com.key -out example.com.crt -days 365 -nodes -subj '/CN=example.com'

[[inputs.x509_cert]]
  sources = [ "https://localhost:488/" ]
  tls_ca = "/etc/nginx/tls/localhost.crt"
./telegraf -config ~/telegraf-conf.d/http.conf  --test
> x509_cert,common_name=localhost,host=zen,issuer_common_name=localhost,public_key_algorithm=RSA,serial_number=27bd5b0513a066e09e23415f65e07605e1ffe855,signature_algorithm=SHA256-RSA,source=https://localhost:488/,verification=valid age=146337i,enddate=1610783209i,expiry=31389662i,startdate=1579247209i,verification_code=0i 1579393546000000000

vs.

[[inputs.x509_cert]]
  sources = [ "https://localhost:488/" ]
  tls_ca = "/etc/nginx/tls/example.com.crt"
  server_name = "example.com"
> x509_cert,common_name=example.com,host=zen,issuer_common_name=example.com,public_key_algorithm=RSA,serial_number=2cb2a733142eb77af2048051573c11f1f7cb6f69,signature_algorithm=SHA256-RSA,source=https://localhost:488/,verification=valid age=468i,enddate=1610929452i,expiry=31535531i,startdate=1579393452i,verification_code=0i 1579393921000000000

Changing server_name = not.example.com (with either CA):

> x509_cert,common_name=localhost,host=zen,issuer_common_name=localhost,public_key_algorithm=RSA,serial_number=27bd5b0513a066e09e23415f65e07605e1ffe855,signature_algorithm=SHA256-RSA,source=https://localhost:488/,verification=invalid age=147086i,enddate=1610783209i,expiry=31388913i,startdate=1579247209i,verification_code=1i,verification_error="x509: certificate is valid for localhost, not not.example.com" 1579394295000000000
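The ad hoc nginx test above, reproduced in Go as an added example (not code from this PR or from Telegraf): two self-signed certs, a server that picks one by SNI with localhost as the default vhost, and a probe that does what the plugin does with server_name (send it as SNI, take the cert that comes back, verify it against tls_ca for that name). The names selfSigned, startServer and probe are assumptions, and the server relies on Go 1.14+ choosing among Certificates by SNI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http/httptest"
	"time"
)

// selfSigned builds an in-memory self-signed cert for cn, standing in for the openssl files
// above; the SAN is needed because current Go ignores the CN when it checks hostnames.
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // inputs are constants, so errors are ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// startServer stands in for the two-vhost nginx: Go serves the cert whose SAN matches the
// SNI sent in ClientHello and, when nothing matches, certs[0], like nginx's default vhost.
func startServer(certs ...tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: certs} // httptest keeps our certs instead of its own
	srv.StartTLS()
	return srv
}

// probe does what the plugin does: send serverName as SNI, keep whatever cert comes back
// (InsecureSkipVerify), then verify it against ca for that name. nil error == verification=valid.
func probe(addr, serverName string, ca *x509.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return leaf.Subject.CommonName, verr
}
```

With server_name = "not.example.com" the server falls back to the localhost cert and the hostname check fails against either CA, which is the verification_error shown in the last output above.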

@danielnelson danielnelson added this to the 1.14.0 milestone Jan 22, 2020
@danielnelson danielnelson added the feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin label Jan 22, 2020
@danielnelson danielnelson merged commit 916f39d into influxdata:master Jan 22, 2020
@hackery hackery deleted the feat/6809 branch January 23, 2020 10:20
athoune pushed a commit to bearstech/telegraf that referenced this pull request Apr 17, 2020
idohalevi pushed a commit to idohalevi/telegraf that referenced this pull request Sep 29, 2020
arstercz pushed a commit to arstercz/telegraf that referenced this pull request Mar 5, 2023
Labels
feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin
Development

Successfully merging this pull request may close these issues.

x509_cert: allow specifying target hostname