
Conversation


@edbingo edbingo commented Dec 4, 2025

We are interested in using fluentbit with mTLS. However, currently fluentbit accepts connections from clients who do not provide a certificate at all. This change to the openssl library forces the connection to fail if certificates are not provided when fluent-bit is in server mode.

Tested with the following configuration:

pipeline:
  inputs:
    - name: syslog
      mode: tcp
      parser: syslog-rfc5424
      listen: 0.0.0.0
      port: 6514
      tag: syslog.remote.log

      tls: on
      tls.verify: on
      tls.debug: 1
      tls.crt_file: ./certs/server.crt
      tls.key_file: ./certs/server.key
      tls.ca_file: ./certs/ca.crt

Output without client certificate

[2025/12/04 16:04:26.322586020] [debug] [tls] connection #102 SSL_accept: before SSL initialization
[2025/12/04 16:04:26.322606762] [debug] [tls] connection #102 WANT_READ
[2025/12/04 16:04:26.822746151] [debug] [tls] connection #102 SSL_accept: before SSL initialization
[2025/12/04 16:04:26.823028373] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS read client hello
[2025/12/04 16:04:26.823332483] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write server hello
[2025/12/04 16:04:26.823417104] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write change cipher spec
[2025/12/04 16:04:26.823435740] [debug] [tls] connection #102 SSL_accept: TLSv1.3 write encrypted extensions
[2025/12/04 16:04:26.823458629] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write certificate request
[2025/12/04 16:04:26.823796114] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write certificate
[2025/12/04 16:04:26.825319389] [debug] [tls] connection #102 SSL_accept: TLSv1.3 write server certificate verify
[2025/12/04 16:04:26.825394738] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write finished
[2025/12/04 16:04:26.825401950] [debug] [tls] connection #102 SSL_accept: TLSv1.3 early data
[2025/12/04 16:04:26.825411284] [debug] [tls] connection #102 WANT_READ
[2025/12/04 16:04:27.325601341] [debug] [tls] connection #102 SSL_accept: TLSv1.3 early data
[2025/12/04 16:04:27.325751148] [debug] [tls] connection #102 SSL3 alert write:fatal:unknown
[2025/12/04 16:04:27.325765551] [error] [tls] connection #102 SSL_accept: error in error
[2025/12/04 16:04:27.325771902] [error] [tls] error: unexpected EOF
[2025/12/04 16:04:27.325826387] [debug] [downstream] connection #102 failed
[2025/12/04 16:04:27.325867515] [error] [input:syslog:syslog.4] could not accept new connection

Output with client certificate

[2025/12/04 16:05:52.618787245] [debug] [tls] connection #102 SSL_accept: before SSL initialization
[2025/12/04 16:05:52.618802905] [debug] [tls] connection #102 WANT_READ
[2025/12/04 16:05:53.118952005] [debug] [tls] connection #102 SSL_accept: before SSL initialization
[2025/12/04 16:05:53.119237744] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS read client hello
[2025/12/04 16:05:53.119554356] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write server hello
[2025/12/04 16:05:53.119639994] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write change cipher spec
[2025/12/04 16:05:53.119658718] [debug] [tls] connection #102 SSL_accept: TLSv1.3 write encrypted extensions
[2025/12/04 16:05:53.119679475] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write certificate request
[2025/12/04 16:05:53.120048759] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write certificate
[2025/12/04 16:05:53.121813125] [debug] [tls] connection #102 SSL_accept: TLSv1.3 write server certificate verify
[2025/12/04 16:05:53.121901348] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write finished
[2025/12/04 16:05:53.121908052] [debug] [tls] connection #102 SSL_accept: TLSv1.3 early data
[2025/12/04 16:05:53.121920830] [debug] [tls] connection #102 WANT_READ
[2025/12/04 16:05:53.622055891] [debug] [tls] connection #102 SSL_accept: TLSv1.3 early data
[2025/12/04 16:05:53.622447387] [debug] [tls] connection #102 SSL_accept: TLSv1.3 read client compressed certificate
[2025/12/04 16:05:53.622526465] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS read certificate verify
[2025/12/04 16:05:53.622563918] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS read finished
[2025/12/04 16:05:53.622741077] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write session ticket
[2025/12/04 16:05:53.622810213] [debug] [tls] connection #102 SSL_accept: SSLv3/TLS write session ticket

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Bug Fixes
    • TLS peer verification refined: server connections now correctly require a peer certificate when verification is enabled.
    • Client connections preserve previous verification behavior, avoiding unintended certificate requirement changes.

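The behaviour the two log excerpts above show, as an added example that is not part of this PR or of fluent-bit: Go's crypto/tls stands in for OpenSSL, with tls.VerifyClientCertIfGiven playing the role of SSL_VERIFY_PEER alone (a client without a certificate is accepted) and tls.RequireAndVerifyClientCert the role of SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (the handshake is rejected). The certificates, the names and the in-process net.Pipe handshake are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate plus a pool that trusts
// it (constructed in memory for this example: no files and no real CA).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serverHandshake runs one in-process handshake over net.Pipe and returns the
// server's verdict. mode stands in for the OpenSSL flags: VerifyClientCertIfGiven
// ~ SSL_VERIFY_PEER alone, RequireAndVerifyClientCert ~ with FAIL_IF_NO_PEER_CERT.
func serverHandshake(mode tls.ClientAuthType, clientSendsCert bool) error {
	srvCert, srvPool := selfSigned("fluent-bit-server")
	cliCert, cliPool := selfSigned("log-forwarder")
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: mode,
		ClientCAs: cliPool, SessionTicketsDisabled: true} // tickets would need a reader after the handshake
	cliCfg := &tls.Config{RootCAs: srvPool, ServerName: "fluent-bit-server"}
	if clientSendsCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	c, s := net.Pipe()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled pipe fails instead of hanging
	s.SetDeadline(time.Now().Add(5 * time.Second))
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srvCfg).Handshake() }()
	tls.Client(c, cliCfg).Handshake() // a TLS 1.3 client finishes before the server's verdict
	c.Close()                         // unblocks the server's pending alert write, if any
	return <-errc
}
```

The three combinations worth checking are the old flags with no client certificate (accepted), the new server-mode flags with no client certificate (rejected) and the new flags with a certificate trusted by ClientCAs (accepted).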


coderabbitai bot commented Dec 4, 2025

Walkthrough

Modified OpenSSL peer verification flag computation to start from SSL_VERIFY_PEER and conditionally OR SSL_VERIFY_FAIL_IF_NO_PEER_CERT only when running in server mode, leaving client-mode behavior unchanged.

Changes

Cohort / File(s): TLS peer verification flag logic (src/tls/openssl.c)
Summary: Compute verify_flags from SSL_VERIFY_PEER and add SSL_VERIFY_FAIL_IF_NO_PEER_CERT only when in server mode, so peer certificates are required only for servers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review TLS mode detection and branching in src/tls/openssl.c
  • Verify surrounding code does not assume the previous always-on SSL_VERIFY_FAIL_IF_NO_PEER_CERT
  • Check for tests or runtime scenarios where server/client roles may be misdetected

Suggested reviewers

  • edsiper
  • cosmo0920

Poem

🐰 I nudged a flag with gentle paw,
Server-only demand, no client law.
Certificates asked where servers keep,
Quiet tunnels hum and softly sleep.
Hop, encrypt, and nibble bugs away 🥕

Pre-merge checks

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: modifying OpenSSL server behavior to require client certificates during verification.


📥 Commits

Reviewing files that changed from the base of the PR and between 0819c37 and 4cf27c6.

Files selected for processing (1):
  • src/tls/openssl.c (1 hunk)

Signed-off-by: Edward Lancaster <edward.lancaster@siemens.com>
@chatgpt-codex-connector

💡 Codex Review

    int verify_flags = SSL_VERIFY_PEER;
    if (mode == FLB_TLS_SERVER_MODE) {
        verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    }
    SSL_CTX_set_verify(ssl_ctx, verify_flags, NULL);

P1: mTLS now forced for TLS inputs using default verify

When verify is enabled you now OR SSL_VERIFY_FAIL_IF_NO_PEER_CERT into the server verify flags, which causes the handshake to abort if a client does not present a certificate. All input plugins default tls.verify to on (see src/flb_input.c:400 and the call at line 1308), so simply enabling TLS on an input without explicitly turning verification off will now require client certificates and reject ordinary TLS clients that do not send one—a behavior change from the previous optional client-auth flow.
