Skip to content

tls: openssl: Reload and watch certificates mainly on Linux #11950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cosmo0920 wants to merge 4 commits into
base: master
Choose a base branch
from
Open

tls: openssl: Reload and watch certificates mainly on Linux #11950

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1330ce0
tls: openssl: Implement reloading certificates feature
cosmo0920 Jun 16, 2026
86549f1
tests: internal: Add a test case for reloading certificates
cosmo0920 Jun 16, 2026
a8f76c8
tls: Process for short-circuit of macOS and Windows systems
cosmo0920 Jun 16, 2026
78f867c
tls: openssl: Handle alpn more rigidly
cosmo0920 Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions include/fluent-bit/tls/flb_tls.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@
#include <fluent-bit/flb_info.h>
#include <fluent-bit/flb_config.h>
#include <fluent-bit/flb_coro.h>
#include <fluent-bit/flb_pthread.h>
#include <stddef.h>
#include <stdint.h>

#define FLB_TLS_ALPN_MAX_LENGTH 16

Expand All @@ -50,6 +52,13 @@
struct flb_tls;
struct flb_connection;

struct flb_tls_file_status {
int exists;
uint64_t size;
uint64_t mtime;
uint64_t ctime;
};

struct flb_tls_session {
/* opaque data type for backend session context */
void *ptr;
Expand All @@ -71,6 +80,9 @@ struct flb_tls_backend {
const char *, const char *,
const char *, const char *);

/* reload backend context */
int (*context_reload) (struct flb_tls *);

/* destroy backend context */
void (*context_destroy) (void *);

Expand Down Expand Up @@ -108,16 +120,32 @@ struct flb_tls {
int verify_client; /* Verify client certificate */
int debug; /* Debug level */
char *vhost; /* Virtual hostname for SNI */
char *ca_path; /* Path to certificates */
char *ca_file; /* CA root cert */
char *crt_file; /* Certificate */
char *key_file; /* Cert Key */
char *key_passwd; /* Cert Key Password */
char *alpn; /* ALPN protocol list */
char *min_version; /* Minimum TLS version */
char *max_version; /* Maximum TLS version */
char *ciphers; /* TLS ciphers */
struct flb_tls_file_status ca_path_status;
struct flb_tls_file_status ca_file_status;
struct flb_tls_file_status crt_file_status;
struct flb_tls_file_status key_file_status;
int mode; /* Client or Server */
int verify_hostname; /* Verify hostname */
int system_certificates_loaded; /* System certs loaded */
#if defined(FLB_SYSTEM_WINDOWS)
char *certstore_name; /* Windows CertStore Name */
int use_enterprise_store; /* Use Enterprise store or not */
char *client_thumbprints; /* Allowed client thumbprints */
#endif

/* Bakend library for TLS */
void *ctx; /* TLS context created */
struct flb_tls_backend *api; /* backend API */
pthread_mutex_t reload_mutex; /* protects reload state */
};

int flb_tls_init();
Expand All @@ -132,6 +160,8 @@ struct flb_tls *flb_tls_create(int mode,

int flb_tls_destroy(struct flb_tls *tls);

int flb_tls_reload_if_needed(struct flb_tls *tls);

int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn);
int flb_tls_set_verify_client(struct flb_tls *tls, int verify_client);

Expand Down
Loading
Loading