
Add support for client certificate validation to x509_cert input plugin #7754

Closed
cruscio opened this issue Jun 27, 2020 · 4 comments · Fixed by #7760
Labels
bug unexpected problem or unintended behavior
Milestone

Comments

@cruscio
Contributor

cruscio commented Jun 27, 2020

Feature Request (possibly Bug Report)

Add support for client certificate validation to x509_cert input plugin

Current behavior:

For a certificate with only TLS Web Client Authentication key usage and no TLS Web Server Authentication, the plugin outputs verification=invalid and verification_error="x509: certificate specifies an incompatible key usage".

For the same certificate, with the following extensions, openssl verify outputs OK

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4F:97:3B:EE:D4:1A:F5:34:3E:3D:9B:E0:8E:D0:22:61:6B:CC:5E:E0
            X509v3 Authority Key Identifier:
                keyid:3C:88:FB:67:50:81:F4:6A:FD:71:31:0A:98:42:B2:68:90:EE:B3:04

            X509v3 Subject Alternative Name:
                DNS:some.client.server.name.com

Desired behavior:

Valid TLS Web Client Authentication certificates without TLS Web Server Authentication should be identified as valid.

Use case:

My Telegraf agents output to Kafka using TLS client certificates for authentication. I'd like to monitor the client certificates and alert when they near expiration. It works in the current version of Telegraf (1.14), but includes a message that they're invalid, when they are not.

For reference, these certificates were generated by CFSSL with the following usage

      "client": {
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ],
@cruscio
Contributor Author

cruscio commented Jun 29, 2020

The more I think about it, the more it seems a bug, not a feature request. If it's a valid x509 certificate (and can be validated by openssl) then it shouldn't be reported as invalid by Telegraf.

@danielnelson danielnelson added the bug unexpected problem or unintended behavior label Jun 29, 2020
@danielnelson danielnelson added this to the Planned milestone Jun 29, 2020
@danielnelson danielnelson modified the milestones: Planned, 1.14.5 Jun 29, 2020
@cruscio
Contributor Author

cruscio commented Jun 29, 2020

Here is steps_to_reproduce.txt using cfssl (to generate certificates) and telegraf docker containers in Linux. Note that the issue also occurs in Telegraf for Windows.

@danielnelson
Contributor

I think the change in #7760 will take care of the issue, would you be able to test with any of these development builds:

@cruscio
Contributor Author

cruscio commented Jul 1, 2020

Hey @danielnelson - I just tested the 1.14.5 release and it's working great. Thanks for turning this around so quickly!
