output: io_tls: new tls.debug option

Signed-off-by: Eduardo Silva <[email protected]>
fluent · Aug 10, 2017 · d44ea7c · d44ea7c
1 parent c64b0ae
commit d44ea7c
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 4 deletions.
diff --git a/include/fluent-bit/flb_io_tls.h b/include/fluent-bit/flb_io_tls.h
@@ -36,6 +36,7 @@
 /* mbedTLS library context */
 struct flb_tls_context {
  int verify; /* FLB_TRUE | FLB_FALSE */
+ int debug; /* mbedtls debug level */
  uint16_t certs_set; /* CA_ROOT | CERT | PRIV_KEY */
  mbedtls_x509_crt ca_cert; /* CA Root */
  mbedtls_x509_crt cert; /* Certificate */

diff --git a/include/fluent-bit/flb_output.h b/include/fluent-bit/flb_output.h
@@ -121,6 +121,7 @@ struct flb_output_instance {
 
 #ifdef FLB_HAVE_TLS
  int tls_verify; /* Verify certs (default: true) */
+ int tls_debug; /* mbedtls debug level */
  char *tls_ca_file; /* CA root cert */
  char *tls_crt_file; /* Certificate */
  char *tls_key_file; /* Cert Key */

diff --git a/src/flb_io_tls.c b/src/flb_io_tls.c
@@ -72,6 +72,7 @@ static inline int io_tls_event_switch(struct flb_upstream_conn *u_conn,
 }
 
 struct flb_tls_context *flb_tls_context_new(int verify,
+ int debug,
  char *ca_file, char *crt_file,
  char *key_file, char *key_passwd)
 {
@@ -84,11 +85,11 @@ struct flb_tls_context *flb_tls_context_new(int verify,
  return NULL;
  }
  ctx->verify = verify;
+ ctx->debug = debug;
  ctx->certs_set = 0;
 
  mbedtls_entropy_init(&ctx->entropy);
  mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
-
  ret = mbedtls_ctr_drbg_seed(&ctx->ctr_drbg,
  mbedtls_entropy_func,
  &ctx->entropy,
@@ -158,6 +159,22 @@ void flb_tls_context_destroy(struct flb_tls_context *ctx)
  flb_free(ctx);
 }
 
+static void flb_tls_debug(void *ctx, int level,
+ const char *file, int line,
+ const char *str)
+{
+ int len;
+ char *p;
+ ((void) level);
+
+ len = strlen(str);
+ p = (char *) str;
+ p[len - 1] = '\0';
+
+ flb_debug("[io_tls] %s %04d: %s", file + sizeof(FLB_SOURCE_DIR) - 1,
+ line, str);
+}
+
 struct flb_tls_session *flb_tls_session_new(struct flb_tls_context *ctx)
 {
  int ret;
@@ -182,6 +199,11 @@ struct flb_tls_session *flb_tls_session_new(struct flb_tls_context *ctx)
  mbedtls_ctr_drbg_random,
  &ctx->ctr_drbg);
 
+ if (ctx->debug >= 0) {
+ mbedtls_ssl_conf_dbg(&session->conf, flb_tls_debug, NULL);
+ mbedtls_debug_set_threshold(ctx->debug);
+ }
+
  if (ctx->verify == FLB_TRUE) {
  mbedtls_ssl_conf_authmode(&session->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
  }

diff --git a/src/flb_output.c b/src/flb_output.c
@@ -107,9 +107,6 @@ void flb_output_exit(struct flb_config *config)
 {
  struct mk_list *tmp;
  struct mk_list *head;
- struct mk_list *tmp_prop;
- struct mk_list *head_prop;
- struct flb_config_prop *prop;
  struct flb_output_instance *ins;
  struct flb_output_plugin *p;
 
@@ -248,6 +245,7 @@ struct flb_output_instance *flb_output_new(struct flb_config *config,
  instance->use_tls = FLB_FALSE;
 #ifdef FLB_HAVE_TLS
  instance->tls.context = NULL;
+ instance->tls_debug = -1;
  instance->tls_verify = FLB_TRUE;
  instance->tls_ca_file = NULL;
  instance->tls_crt_file = NULL;
@@ -351,6 +349,10 @@ int flb_output_set_property(struct flb_output_instance *out, char *k, char *v)
  }
  flb_free(tmp);
  }
+ else if (prop_key_check("tls.debug", k, len) == 0 && tmp) {
+ out->tls_debug = atoi(tmp);
+ flb_free(tmp);
+ }
  else if (prop_key_check("tls.ca_file", k, len) == 0) {
  out->tls_ca_file = tmp;
  }
@@ -416,6 +418,7 @@ int flb_output_init(struct flb_config *config)
 #ifdef FLB_HAVE_TLS
  if (p->flags & FLB_IO_TLS && ins->use_tls) {
  ins->tls.context = flb_tls_context_new(ins->tls_verify,
+ ins->tls_debug,
  ins->tls_ca_file,
  ins->tls_crt_file,
  ins->tls_key_file,