@cosmo0920 (Contributor) commented Oct 10, 2025

This change implements Windows certificate thumbprint handling in Fluent Bit’s OpenSSL backend.
It allows specifying tls.windows.client_thumbprints to load additional trusted certificates from the Windows CertStore, matching Fluentd’s behavior.
The feature supports SHA1 and SHA256 hashes, multiple comma-separated thumbprints, and integrates cleanly into the existing TLS initialization flow.

Closes #11004.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
service:
  flush_interval: 2
  log_level: debug

pipeline:
  inputs:
    - name: dummy
      tag: test

  outputs:
    - name: forward
      match: "test"
      host: 127.0.0.1
      port: 24284
      tls:  on
      tls.verify: on
      tls.vhost: localhost

      tls.windows.certstore_name:         Root
      tls.windows.use_enterprise_store:   false
      tls.windows.client_thumbprints:     <specific thumbprint>

PS> openssl s_server -accept 24284 -cert server.crt -key server.key -www
<after launching the fluent-bit process>
Using default temp DH parameters
ACCEPT
  • Debug log output from testing the change
Fluent Bit v4.1.2
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

______ _                  _    ______ _ _             ___   __
|  ___| |                | |   | ___ (_) |           /   | /  |
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `| |
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |  | |
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |__| |_
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)___/


[2025/10/15 15:38:12.365463100] [ info] Configuration:
[2025/10/15 15:38:12.365736900] [ info]  flush time     | 1.000000 seconds
[2025/10/15 15:38:12.365777700] [ info]  grace          | 5 seconds
[2025/10/15 15:38:12.365798300] [ info]  daemon         | 0
[2025/10/15 15:38:12.365816100] [ info] ___________
[2025/10/15 15:38:12.365834000] [ info]  inputs:
[2025/10/15 15:38:12.365851400] [ info]      dummy
[2025/10/15 15:38:12.365869000] [ info] ___________
[2025/10/15 15:38:12.365886000] [ info]  filters:
[2025/10/15 15:38:12.365903500] [ info] ___________
[2025/10/15 15:38:12.365920600] [ info]  outputs:
[2025/10/15 15:38:12.365937900] [ info]      forward.0
[2025/10/15 15:38:12.365955200] [ info] ___________
[2025/10/15 15:38:12.365972300] [ info]  collectors:
[2025/10/15 15:38:12.367207600] [ info] [fluent bit] version=4.1.2, commit=0def4e6ada, pid=26216
[2025/10/15 15:38:12.367219500] [debug] [engine] maxstdio set: 512
[2025/10/15 15:38:12.367231400] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2025/10/15 15:38:12.367441600] [ info] [storage] ver=1.5.3, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/10/15 15:38:12.367460500] [ info] [simd    ] SSE2
[2025/10/15 15:38:12.367467500] [ info] [cmetrics] version=1.0.5
[2025/10/15 15:38:12.367476800] [ info] [ctraces ] version=0.6.6
[2025/10/15 15:38:12.367714400] [ info] [input:dummy:dummy.0] initializing
[2025/10/15 15:38:12.367724400] [ info] [input:dummy:dummy.0] storage_strategy='memory' (memory only)
[2025/10/15 15:38:12.367820000] [debug] [dummy:dummy.0] created event channels: read=768 write=772
[2025/10/15 15:38:12.367937100] [debug] [forward:forward.0] created event channels: read=776 write=780
[2025/10/15 15:38:12.373435700] [debug] [tls] successfully loaded certificates from windows system Root store.
[2025/10/15 15:38:12.373481800] [debug] [tls] parsed 1 allowed thumbprint(s).
[2025/10/15 15:38:12.373491500] [debug] [output forward.0] starting to load Root certstore in TLS context
[2025/10/15 15:38:12.373499300] [debug] [output forward.0] attempting to load Root certstore in TLS context
[2025/10/15 15:38:12.374433100] [debug] [tls] loaded 1 certificate(s) by thumbprint from 'Root'.
[2025/10/15 15:38:12.375758600] [ info] [sp] stream processor started
[2025/10/15 15:38:12.376100100] [ info] [output:forward:forward.0] worker #0 started
[2025/10/15 15:38:12.376136600] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/10/15 15:38:12.376270700] [ info] [output:forward:forward.0] worker #1 started
[2025/10/15 15:38:14.371617500] [debug] [task] created task=00000245EAB02E00 id=0 OK
[2025/10/15 15:38:14.371710000] [debug] [output:forward:forward.0] request 36 bytes to flush
[2025/10/15 15:38:14.371643000] [debug] [output:forward:forward.0] task_id=0 assigned to thread #0
[2025/10/15 15:38:15.379059900] [debug] [task] created task=00000245EAB022C0 id=1 OK
[2025/10/15 15:38:15.379084600] [debug] [output:forward:forward.0] task_id=1 assigned to thread #1
[2025/10/15 15:38:15.379140200] [debug] [output:forward:forward.0] request 36 bytes to flush
[2025/10/15 15:38:16] [engine] caught signal (SIGINT)
[2025/10/15 15:38:16.385678100] [debug] [task] created task=00000245EAB02360 id=2 OK
[2025/10/15 15:38:16.385779900] [debug] [output:forward:forward.0] task_id=2 assigned to thread #0
[2025/10/15 15:38:16.386021100] [debug] [output:forward:forward.0] request 36 bytes to flush
[2025/10/15 15:38:16.400958100] [debug] [task] created task=00000245EAB024A0 id=3 OK
[2025/10/15 15:38:16.400996900] [debug] [output:forward:forward.0] task_id=3 assigned to thread #1
[2025/10/15 15:38:16.401063700] [debug] [output:forward:forward.0] request 36 bytes to flush

This part of the logs indicates that the newly implemented feature loads certificates with their thumbprints.

[2025/10/15 15:38:12.373481800] [debug] [tls] parsed 1 allowed thumbprint(s).
[2025/10/15 15:38:12.373491500] [debug] [output forward.0] starting to load Root certstore in TLS context
[2025/10/15 15:38:12.373499300] [debug] [output forward.0] attempting to load Root certstore in TLS context
[2025/10/15 15:38:12.374433100] [debug] [tls] loaded 1 certificate(s) by thumbprint from 'Root'.
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
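The description above says the property takes SHA1 or SHA256 thumbprints, several of them comma-separated, and that the matching certificates are then pulled from the Windows CertStore by hash. The following C program is an added example, not Fluent Bit's own code: the function names (parse_thumbprint_list, thumbprint_matches and the two string-in wrappers) and the sample thumbprint values are mine, and the Windows store lookup itself is left out. It shows the part a reviewer most wants to see get right: tokens pasted from certmgr.msc with colons or spaces are accepted, anything that is not hex, has an odd digit count, or is neither 20 nor 32 bytes is rejected so that a typo fails the configuration instead of silently shrinking the allow-list, and each result is classified as SHA1 or SHA256 by byte length, which is what decides which hash-based find applies on Windows.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_LEN   20   /* bytes: 40 hex digits */
#define SHA256_HASH_LEN 32   /* bytes: 64 hex digits */
#define MAX_THUMBPRINTS 16

/* One parsed thumbprint; len (20 or 32) selects SHA1 vs SHA256 lookup later. */
struct thumbprint {
    unsigned char hash[SHA256_HASH_LEN];
    size_t len;
};

/* Value of a single hex digit, or -1 for anything else. */
static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one token. Separators certmgr.msc tends to paste (space, colon, dash,
 * tab) are skipped; any other non-hex byte, an odd digit count, or a length
 * that is neither SHA1 nor SHA256 is rejected so a typo fails loudly. */
static int parse_one_thumbprint(const char *tok, size_t tok_len, struct thumbprint *out)
{
    size_t i, nbytes = 0;
    int hi = -1, v;

    for (i = 0; i < tok_len; i++) {
        int c = (unsigned char) tok[i];
        if (c == ' ' || c == ':' || c == '-' || c == '\t') continue;
        if ((v = hex_nibble(c)) < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (nbytes >= SHA256_HASH_LEN) return -1;   /* longer than any supported hash */
        out->hash[nbytes++] = (unsigned char) ((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0) return -1;                         /* dangling nibble: odd digit count */
    if (nbytes != SHA1_HASH_LEN && nbytes != SHA256_HASH_LEN) return -1;
    out->len = nbytes;
    return 0;
}

/* Parse the comma-separated shape of tls.windows.client_thumbprints into `out`.
 * Empty tokens are skipped. Returns the number parsed, or -1 on the first
 * malformed token or when `max` would be exceeded. */
int parse_thumbprint_list(const char *list, struct thumbprint *out, size_t max)
{
    const char *p = list;
    size_t count = 0;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t) (end - p) : strlen(p);

        while (len > 0 && isspace((unsigned char) p[0])) { p++; len--; }
        while (len > 0 && isspace((unsigned char) p[len - 1])) len--;
        if (len > 0) {
            if (count >= max || parse_one_thumbprint(p, len, &out[count]) != 0) return -1;
            count++;
        }
        if (end == NULL) break;
        p = end + 1;
    }
    return (int) count;
}

/* Compare a certificate hash returned by a store lookup against one parsed
 * thumbprint; a length mismatch can never match. */
int thumbprint_matches(const struct thumbprint *t, const unsigned char *hash, size_t hash_len)
{
    return t->len == hash_len && memcmp(t->hash, hash, hash_len) == 0;
}

/* String-in, result-out wrappers so callers (and tests) need only config text. */
int count_valid_thumbprints(const char *list)
{
    struct thumbprint scratch[MAX_THUMBPRINTS];
    return parse_thumbprint_list(list, scratch, MAX_THUMBPRINTS);
}

int thumbprint_len_at(const char *list, size_t idx)
{
    struct thumbprint scratch[MAX_THUMBPRINTS];
    int n = parse_thumbprint_list(list, scratch, MAX_THUMBPRINTS);
    return (n > 0 && idx < (size_t) n) ? (int) scratch[idx].len : -1;
}

int main(void)
{
    /* Constructed sample values, not thumbprints of any real certificate. */
    const char *cfg = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33, "
                      "0123456789abcdef0123456789ABCDEF0123456789abcdef0123456789abcdef";
    printf("parsed %d thumbprint(s); first %d bytes, second %d bytes\n",
           count_valid_thumbprints(cfg), thumbprint_len_at(cfg, 0), thumbprint_len_at(cfg, 1));
    return 0;
}
```

Returning -1 on the first bad token, rather than dropping it and continuing, is the deliberate choice here: an allow-list that silently loses an entry is harder to notice than an output that refuses to start, and the debug line "parsed N allowed thumbprint(s)" in the log above is only useful if N is exactly what the operator typed.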


coderabbitai bot commented Oct 10, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds Windows-specific client certificate thumbprint selection for TLS on outputs. Introduces a new output instance field, a config property (tls.windows.client_thumbprints), a public TLS API to set thumbprints, and an OpenSSL backend implementation that parses, stores, and filters certificates by thumbprints from the Windows CertStore.

Changes

Cohort / File(s) Summary
Public output instance field
include/fluent-bit/flb_output.h
Adds char *tls_win_thumbprints to struct flb_output_instance (Windows TLS thumbprints).
TLS public API (Windows)
include/fluent-bit/tls/flb_tls.h
Adds backend hook set_client_thumbprints to struct flb_tls_backend and declares flb_tls_set_client_thumbprints(struct flb_tls *, const char *).
Output configuration and lifecycle
src/flb_output.c
Registers tls.windows.client_thumbprints config key; stores value in ins->tls_win_thumbprints; applies via flb_tls_set_client_thumbprints during TLS init; ensures cleanup on free; propagates errors.
TLS core dispatcher (Windows)
src/tls/flb_tls.c
Implements flb_tls_set_client_thumbprints(...) that calls backend set_client_thumbprints when available; guarded by FLB_SYSTEM_WINDOWS.
OpenSSL Windows backend
src/tls/openssl.c
Implements thumbprint-based client cert selection: parsing hex thumbprints, storing as CRYPT_HASH_BLOB array, integrating with CertStore loading; adds tls_set_client_thumbprints and wires to tls_openssl.set_client_thumbprints; adds context fields (allowed_thumbprints, allowed_thumbprints_count), init/free paths, helpers (hex_nibble, compact_hex, hex_to_bytes, windows_set_allowed_thumbprints); guards for missing CERT_FIND_SHA256_HASH.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as Config
  participant Out as flb_output_instance
  participant Core as flb_output.c
  participant TLS as flb_tls
  participant BE as tls_openssl (Windows)
  participant Store as Windows CertStore

  rect rgb(245,248,255)
  note right of User: Configure tls.windows.client_thumbprints
  User->>Core: set property "tls.windows.client_thumbprints"
  Core->>Out: store ins.tls_win_thumbprints
  end

  rect rgb(245,255,245)
  note over Core,TLS: TLS initialization for output
  Core->>TLS: flb_tls_set_client_thumbprints(tls, thumbprints)
  TLS-->>BE: backend.set_client_thumbprints(...)
  BE->>BE: parse hex thumbprints -> CRYPT_HASH_BLOB[]
  BE->>Store: open cert store
  BE->>Store: filter/load certs by thumbprints
  Store-->>BE: matching certs (if any)
  BE-->>TLS: status (0/-1)
  TLS-->>Core: status
  alt failure
    Core->>Core: abort output init
  else success
    Core->>Core: continue TLS setup
  end
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

In burrows of bytes where thumbprints gleam,
I sniff through CertStores, chasing a dream.
Hex crumbs gathered, a secure little feast,
Keys match the whiskers—my worries decreased.
With TLS tunnels snug and tight,
This rabbit ships logs through the Windows night. 🐇🔐

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
Linked Issues Check
  Status: ⚠️ Warning
  Explanation: Although the pull request adds configuration for Windows certificate thumbprints and implements API hooks to load certificates into the OpenSSL trust store, it does not actually select a client certificate and its associated private key for TLS client authentication as required by issue #11004. The code only populates the certificate store and omits calls to configure and present the client certificate (e.g., SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey). As a result, it fails to meet the linked issue’s core requirement of choosing a client certificate by thumbprint for authentication.
  Resolution: Implement logic to locate the certificate and private key matching the specified thumbprint and configure the SSL context to use them for client authentication, then add tests to verify the client certificate is correctly selected and presented.

Docstring Coverage
  Status: ⚠️ Warning
  Explanation: Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%.
  Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (3 passed)
Title Check
  Status: ✅ Passed
  Explanation: The title succinctly summarizes the primary feature by indicating that certificate thumbprint handling has been added to the TLS OpenSSL output plugin, using concise and relevant keywords without extraneous detail. It clearly reflects the main change in the pull request and avoids vague or generic phrasing. This makes it easy for a reviewer or teammate to understand the core purpose at a glance.

Out of Scope Changes Check
  Status: ✅ Passed
  Explanation: All modifications are focused on adding Windows certificate thumbprint support, including interface declarations, configuration parsing, backend hooks, and helper utilities under Windows guards, with no unrelated or extraneous changes to other components. Every file change aligns with the goal of handling thumbprints for TLS on Windows. No out-of-scope alterations have been introduced.

Description Check
  Status: ✅ Passed
  Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch cosmo0920-handle-certificates-thumbprints

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

@patrick-stephens (Collaborator) commented:

@cosmo0920 is this for #11004 or some other issue?

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
include/fluent-bit/tls/flb_tls.h (1)

100-101: Windows TLS hook and public API look correct; clarify semantics

Hook and API are properly guarded and wired. Please confirm/document that “client_thumbprints” are used to add trusted certificates from the Windows CertStore (not to select a client identity cert/private key). If that’s the intent, consider a brief comment to avoid confusion with client-auth selection wording.

Also applies to: 139-140

src/tls/openssl.c (2)

956-1024: Thumbprint parsing is robust; remove unused variable and minor nits

compact_hex + hex_to_bytes handle formats well. token_ctx is unused; drop it.

Apply this diff:

-static int windows_set_allowed_thumbprints(struct tls_context *ctx, const char *thumbprints) 
+static int windows_set_allowed_thumbprints(struct tls_context *ctx, const char *thumbprints)
 {
-    char *token_ctx = NULL, *tok = NULL;
+    char *tok = NULL;
     size_t cap = 4, count = 0;
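Review bot: the -/+ pair on the signature line differs only in the trailing space after the closing parenthesis, so the function's interface is unchanged; the suggestion should say so, otherwise a reader may take it for an API change. Dropping token_ctx is only safe if no reentrant tokenizer call (strtok_s) in the body still passes it; the hunk stops at `size_t cap = 4, count = 0;` and the loop is not visible here, so confirm that before applying. The code graph above lists cfl_utils_split / cfl_utils_split_free as the split helpers used by openssl.c, which would explain why the context pointer is unused.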

956-1040: Scope check: this adds trust anchors, not client-cert selection

This path adds matching certificates to the OpenSSL X509 store (verification trust). It does not select a client certificate/private key for mutual TLS. Please confirm that this is the intended scope for this PR; if the goal is client-auth selection (per linked issue), additional work is needed to bind a client cert + key from the Windows store.

Happy to help outline the client-auth flow on Windows if that’s in scope.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2af2017 and fe10be5.

📒 Files selected for processing (5)
  • include/fluent-bit/flb_output.h (1 hunks)
  • include/fluent-bit/tls/flb_tls.h (2 hunks)
  • src/flb_output.c (5 hunks)
  • src/tls/flb_tls.c (1 hunks)
  • src/tls/openssl.c (7 hunks)
🧰 Additional context used
🧬 Code graph analysis (3)
include/fluent-bit/tls/flb_tls.h (1)
src/tls/flb_tls.c (1)
  • flb_tls_set_client_thumbprints (318-323)
src/tls/openssl.c (2)
include/fluent-bit/flb_mem.h (2)
  • flb_free (126-128)
  • flb_calloc (84-96)
lib/cfl/src/cfl_utils.c (2)
  • cfl_utils_split (260-263)
  • cfl_utils_split_free (273-285)
src/flb_output.c (4)
src/flb_sds.c (1)
  • flb_sds_destroy (389-399)
src/flb_config.c (1)
  • prop_key_check (624-633)
src/flb_utils.c (1)
  • flb_utils_set_plugin_string_property (2200-2224)
src/tls/flb_tls.c (1)
  • flb_tls_set_client_thumbprints (318-323)
🔇 Additional comments (13)
include/fluent-bit/flb_output.h (1)

375-379: LGTM: adds Windows thumbprints field with proper guarding

Field name and placement align with existing Windows TLS options.

src/tls/flb_tls.c (1)

318-324: Delegation is fine; return contract differs from other setters

Function correctly delegates to backend. Note it returns -1 when the hook is unavailable, whereas other Windows setters here return 0 when unset; intentional?

src/flb_output.c (4)

101-106: Config key addition reads well

Property name and description are clear and consistent with other Windows TLS properties.


201-203: LGTM: free thumbprints on cleanup

Properly frees tls_win_thumbprints alongside other TLS fields.


785-786: LGTM: initialize field to NULL

Matches pattern for other TLS Windows fields.


1019-1021: LGTM: property wiring via helper

Uses flb_utils_set_plugin_string_property; consistent with peers.

src/tls/openssl.c (7)

43-48: Good defensive define for CERT_FIND_SHA256_HASH

Ensures compatibility with older SDKs.


67-69: LGTM: context fields for Windows thumbprints

Fields are appropriate and sized; count tracked separately for safety.


169-178: LGTM: frees per-thumbprint buffers and array

Memory ownership handled correctly on destroy.


675-679: LGTM: initialize new Windows fields

Safe defaults for certstore name, enterprise flag, and thumbprint array.


344-399: Verify certificate context lifetime with CertFindCertificateInStore loop

Current pattern doesn’t explicitly CertFreeCertificateContext() cert contexts returned by CertFindCertificateInStore(). Please confirm this enumeration style doesn’t leak contexts; if needed, free the previous context on each iteration and the last one after the loop.

If adjustment is required, a safer pattern is:

  • Maintain a separate prev pointer, free it after each successful next find.
  • Free the last one after the loop.

I can provide a concrete patch if we confirm this is needed.


1026-1039: LGTM: thread-safe setter with single-apply guard

Mutex usage and idempotency check look good.


1470-1473: LGTM: backend hook wired

set_client_thumbprints exported in tls_openssl for Windows.

@cosmo0920 cosmo0920 added this to the Fluent Bit v4.1.2 milestone Oct 15, 2025

Development

Successfully merging this pull request may close these issues.

TLS: Choose client certificate from certstore on Windows

2 participants