
Commit 144eb23

transport tls: use SSL_VERIFY_NONE by default
VERIFY_NONE should be used when `client_cert_auth false` (default). Before this fix, we needed to set `insecure true` for this. However, the `insecure` option should mainly be for cipher strength.

It was not intended that VERIFY_PEER without VERIFY_FAIL_IF_NO_PEER_CERT was used even when `client_cert_auth false`. (With VERIFY_PEER without VERIFY_FAIL_IF_NO_PEER_CERT, the server verifies the client certificate only when the client sends one. This would be why we overlooked it for a long time.)

Before:

| insecure | client_cert_auth | verify_mode |
| --- | --- | --- |
| false | false | VERIFY_PEER |
| false | true | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |
| true | false | VERIFY_NONE |
| true | true | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |

After:

| insecure | client_cert_auth | verify_mode |
| --- | --- | --- |
| false | false | VERIFY_NONE |
| false | true | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |
| true | false | VERIFY_NONE |
| true | true | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT |

Signed-off-by: Daijiro Fukuda <fukuda@clear-code.com>
1 parent: 2d8c9d4. Commit: 144eb23
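The commit message describes three server-side verify modes by how they treat a client certificate: VERIFY_PEER alone checks one only if the client volunteers it, VERIFY_PEER with VERIFY_FAIL_IF_NO_PEER_CERT demands one, and VERIFY_NONE never asks. The following Ruby script, added here as an illustration and not code from fluentd or from the commit author, exercises all three against a constructed in-memory PKI (a trusted CA, a server certificate, a client certificate chained to that CA and one chained to an unrelated "rogue" CA). The `issue`, `handshake` and `fluentd_verify_mode` helpers and all certificate names are inventions of this example; `fluentd_verify_mode` only mirrors the `if conf.client_cert_auth ... else` branch shown in the diff below.

```ruby
require "openssl"
require "socket"

# Constructed in-memory PKI for this example (nothing here is fluentd code):
# a trusted CA, a server certificate, a client certificate chained to that CA,
# and a client certificate chained to an unrelated ("rogue") CA.
SERIAL = [0]

def issue(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = (SERIAL[0] += 1)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, "SHA256")
  { cert: cert, key: key }
end

CA           = issue("example-ca", ca: true)
ROGUE_CA     = issue("rogue-ca", ca: true)
SERVER       = issue("server", issuer: CA)
GOOD_CLIENT  = issue("good-client", issuer: CA)
ROGUE_CLIENT = issue("rogue-client", issuer: ROGUE_CA)

PEER   = OpenSSL::SSL::VERIFY_PEER
STRICT = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
NONE   = OpenSSL::SSL::VERIFY_NONE

# Mirrors the post-commit branch of cert_option_create_context: the server
# demands and verifies a client certificate only when client_cert_auth is set.
def fluentd_verify_mode(client_cert_auth:)
  client_cert_auth ? STRICT : NONE
end

# Run one TLS handshake over a socketpair and report the server's verdict.
# The client deliberately does not verify the server, so the outcome depends
# only on the server's verify_mode and on the client certificate offered.
def handshake(server_verify_mode, client_identity = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA[:cert])          # the role ctx.ca_file = conf.ca_path plays in fluentd

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = SERVER[:cert]
  server_ctx.key  = SERVER[:key]
  server_ctx.cert_store  = store
  server_ctx.verify_mode = server_verify_mode

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = NONE
  if client_identity
    client_ctx.cert = client_identity[:cert]
    client_ctx.key  = client_identity[:key]
  end

  s_io, c_io = UNIXSocket.pair
  server = OpenSSL::SSL::SSLSocket.new(s_io, server_ctx)
  client = OpenSSL::SSL::SSLSocket.new(c_io, client_ctx)

  verdict = nil
  t = Thread.new do
    begin
      server.accept
      verdict = :accepted
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      verdict = :rejected
    end
  end
  begin
    client.connect
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    # A TLS 1.2 client sees the server's alert here; a TLS 1.3 client may have
    # already finished. The server thread holds the authoritative verdict.
  end
  t.join
  s_io.close
  c_io.close
  verdict
end

if $PROGRAM_NAME == __FILE__
  {
    "old default VERIFY_PEER, no client cert"    => handshake(PEER),
    "old default VERIFY_PEER, rogue client cert" => handshake(PEER, ROGUE_CLIENT),
    "new default VERIFY_NONE, rogue client cert" => handshake(NONE, ROGUE_CLIENT),
    "client_cert_auth true, no client cert"      => handshake(STRICT),
    "client_cert_auth true, trusted client cert" => handshake(STRICT, GOOD_CLIENT),
  }.each { |label, verdict| puts "#{label.ljust(44)} => #{verdict}" }
end
```

The second and third rows of the printed table are the behavioural difference this commit introduces for the default configuration: under the old VERIFY_PEER a client that volunteered a certificate from an untrusted CA was refused, while under VERIFY_NONE the server never requests a certificate at all and the same client connects.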

File tree: 1 file changed (+2, -0 lines)

lib/fluent/plugin_helper/cert_option.rb

Lines changed: 2 additions & 0 deletions
@@ -33,6 +33,8 @@ def cert_option_create_context(version, insecure, ciphers, conf)
3333

3434
if conf.client_cert_auth
3535
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
36+
else
37+
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
3638
end
3739

3840
ctx.ca_file = conf.ca_path
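Review bot: the new `else` branch sets `ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE` unconditionally, so the `insecure` argument in `cert_option_create_context(version, insecure, ciphers, conf)` no longer has any effect on `verify_mode` here, and `ctx.ca_file = conf.ca_path` is still assigned although nothing will be verified against it in that branch; a one-line comment above the `else` stating that the server intentionally does not authenticate clients unless `client_cert_auth` is set would save the next reader from re-deriving this. The change is also user-visible: under the previous VERIFY_PEER a client that volunteered a certificate from an untrusted CA was rejected, while under VERIFY_NONE it is now accepted, so operators who relied on that implicit check must set `client_cert_auth true`. That deserves a note in the transport `tls` documentation, and a test covering the four `insecure`/`client_cert_auth` combinations from the commit message would pin the new mapping down.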

0 commit comments
