From ac9bf5a0ec9d1039bc6f6ffb21906f1fabaffce4 Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen
Date: Tue, 22 Jun 2021 19:41:45 +0300
Subject: [PATCH] Fix x509_cert input plugin SNI support (#9289)

---
 plugins/inputs/x509_cert/x509_cert.go | 15 ++++++++++++---
 plugins/inputs/x509_cert/x509_cert_test.go | 10 ++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/plugins/inputs/x509_cert/x509_cert.go b/plugins/inputs/x509_cert/x509_cert.go
index 7c1b0657c..fc81ebb71 100644
--- a/plugins/inputs/x509_cert/x509_cert.go
+++ b/plugins/inputs/x509_cert/x509_cert.go
@@ -66,8 +66,7 @@ func (c *X509Cert) SampleConfig() string {
 func (c *X509Cert) sourcesToURLs() error {
 	for _, source := range c.Sources {
 		if strings.HasPrefix(source, "file://") ||
-			strings.HasPrefix(source, "/") ||
-			strings.Index(source, ":\\") != 1 {
+			strings.HasPrefix(source, "/") {
 			source = filepath.ToSlash(strings.TrimPrefix(source, "file://"))
 			g, err := globpath.Compile(source)
 			if err != nil {
@@ -82,7 +81,6 @@ func (c *X509Cert) sourcesToURLs() error {
 		if err != nil {
 			return fmt.Errorf("failed to parse cert location - %s", err.Error())
 		}
-
 		c.locations = append(c.locations, u)
 	}
 }
@@ -127,6 +125,9 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 	conn := tls.Client(ipConn, c.tlsCfg)
 	defer conn.Close()
 
+	// reset SNI between requests
+	defer func() { c.tlsCfg.ServerName = "" }()
+
 	hsErr := conn.Handshake()
 	if hsErr != nil {
 		return nil, hsErr
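Review bot: Dropping the `strings.Index(source, ":\\") != 1` clause in sourcesToURLs removes the only test that could have recognised a Windows drive-letter path such as `C:\certs\a.pem`; such a source now falls through to url.Parse and is handled as a network location with scheme `c` rather than as a file. The removed clause looks like it was meant to be `== 1` (second character is `:\`), and the `!= 1` is what sent every URL down the glob path, so fixing it rather than deleting it keeps both behaviours: `strings.HasPrefix(source, "/") || filepath.IsAbs(source) {`. filepath.IsAbs accepts `X:\` paths on Windows, and the package is already imported since filepath.ToSlash is used on the next line. The rest of sourcesToURLs continues outside the hunk.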
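Review bot: The deferred `c.tlsCfg.ServerName = ""` in getCert mutates the plugin-wide *tls.Config after it has already been handed to tls.Client, which the crypto/tls documentation says must not be done, and if getCert runs for several locations concurrently the per-call set/reset on one shared field is a data race on the SNI value, so one connection can handshake and verify its certificate against another location's hostname. A per-connection copy avoids both problems: `cfg := c.tlsCfg.Clone()`, set `cfg.ServerName` on the copy where the caller currently assigns `c.tlsCfg.ServerName` (outside this hunk), and pass it as `tls.Client(ipConn, cfg)`; the deferred reset then goes away. If Gather is strictly sequential the race does not occur, but the post-use mutation of the shared config remains. getCert starts and ends outside the hunk.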
@@ -313,6 +314,14 @@ func (c *X509Cert) Init() error {
 		tlsCfg = &tls.Config{}
 	}
 
+	if tlsCfg.ServerName != "" && c.ServerName == "" {
+		// Save SNI from tlsCfg.ServerName to c.ServerName and reset tlsCfg.ServerName.
+		// We need to reset c.tlsCfg.ServerName for each certificate when there's
+		// no explicit SNI (c.tlsCfg.ServerName or c.ServerName) otherwise we'll always (re)use
+		// first uri HostName for all certs (see issue 8914)
+		c.ServerName = tlsCfg.ServerName
+		tlsCfg.ServerName = ""
+	}
 	c.tlsCfg = tlsCfg
 
 	return nil
diff --git a/plugins/inputs/x509_cert/x509_cert_test.go b/plugins/inputs/x509_cert/x509_cert_test.go
index 3253c9ac9..4f09b903b 100644
--- a/plugins/inputs/x509_cert/x509_cert_test.go
+++ b/plugins/inputs/x509_cert/x509_cert_test.go
@@ -316,6 +316,16 @@ func TestGatherCertMustNotTimeout(t *testing.T) {
 	assert.True(t, acc.HasMeasurement("x509_cert"))
 }
 
+func TestSourcesToURLs(t *testing.T) {
+	m := &X509Cert{
+		Sources: []string{"https://www.influxdata.com:443", "tcp://influxdata.com:443", "file:///dummy_test_path_file.pem", "/tmp/dummy_test_path_glob*.pem"},
+	}
+	require.NoError(t, m.Init())
+
+	assert.Equal(t, len(m.globpaths), 2)
+	assert.Equal(t, len(m.locations), 2)
+}
+
 func TestServerName(t *testing.T) {
 	tests := []struct {
 		name string
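Review bot: The new block in Init only moves tlsCfg.ServerName into c.ServerName when c.ServerName is empty, so when both are configured tlsCfg.ServerName stays set, is used for the first connection, and is then cleared by the unconditional reset added in getCert; the remaining certificates are presumably fetched with c.ServerName, so the first location silently gets a different SNI (and hostname check) than the rest. Either reject the conflict, `return fmt.Errorf("conflicting ServerName values %q and %q", c.ServerName, tlsCfg.ServerName)`, or always clear the config so c.ServerName is the single source of truth: `if c.ServerName == "" { c.ServerName = tlsCfg.ServerName }` followed by `tlsCfg.ServerName = ""`. The comment's "when there's no explicit SNI" describes the per-certificate default rather than this branch; a shorter comment reads better: `// Move any SNI from the tls config into ServerName so getCert can set it per location; a ServerName left on tlsCfg would be reused for every certificate (issue 8914).` Init's body continues outside the hunk.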
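Review bot: TestSourcesToURLs checks only counts, and its assert.Equal calls pass the actual value first (`assert.Equal(t, len(m.globpaths), 2)`), so a failure message reports expected and actual swapped; testify's order is `assert.Equal(t, 2, len(m.globpaths))`. Asserting which sources landed where, e.g. `assert.Equal(t, "https", m.locations[0].Scheme)` and `assert.Equal(t, "tcp", m.locations[1].Scheme)` (locations are appended in source order), pins the classification that the first hunk changes rather than just the totals. A `C:\`-style source in the list would also document whether drive-letter paths are still meant to be supported after that hunk dropped the `:\\` check.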