-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: macos_load_system_certificates using security framework. #9528
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
niedbalski
requested review from
edsiper,
leonardo-albertovich,
fujimotos and
koleini
as code owners
October 25, 2024 13:53
edsiper
requested changes
Oct 25, 2024
cosmo0920
reviewed
Oct 28, 2024
niedbalski
force-pushed
the
calyptia-tls-debug
branch
4 times, most recently
from
October 28, 2024 21:47
0a76e1a
to
a0d7192
Compare
* Adds betters checks to windows cert loading, extra debug logs. * Adds betters checks for TLS handshake error handling, extra debug logs. * General debug logs on conditionals for handshake and certificate loads, clarified the SNI setup. Signed-off-by: Jorge Niedbalski <[email protected]>
niedbalski
force-pushed
the
calyptia-tls-macos
branch
from
October 29, 2024 11:00
d385940
to
a4a9a10
Compare
Load certificates from SecTrustSettingsCopyCertificates using the security framework to avoid relying on local certificates. Signed-off-by: Jorge Niedbalski <[email protected]>
niedbalski
force-pushed
the
calyptia-tls-macos
branch
from
October 29, 2024 11:04
a4a9a10
to
3a2ae23
Compare
Closing in favour of #9539 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This patch should be stacked after
I realised that none of the expected locations for the PEM files was available on my machine. I had some PEM files created by the brew installer but none of them were being detected by fluent-bit.
If the plugin didn't have explicilty set to tls.verify off, I would get a certify verify failed, no matter on which
location I place my CA ring or my pem files.
Configuration used before
[CUSTOM] name calyptia api_key xxxx fleet_name test-jorge calyptia_tls.verify on calyptia_host cloud-api.calyptia.com
Therefore, I decided to check if the security framework had the certificates I needed for Letsencrypt, and to my surprise all of those certs were available on the machine
security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain
Therefore I decided to load certificates from SecTrustSettingsCopyCertificates using the security framework to avoid relying on local certificate paths.
This patch is an implementation of that approach. With this patch applied I get the following output:
Testing
Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.