Conversation

@Craig-Robb-GGL

Added the ability to allow for more custom TLS verification by creating a new network_verifier plugin, with the ability to define the OpenSSL callback for the SSL_CTX_set_verify function. If a plugin is configured to use TLS and has an assigned network_verifier, during the creation of the TLS connection the assigned network_verifier callback function will be set on the OpenSSL SSL_CTX.

During the TLS connection handshake, OpenSSL will call the callback function, allowing Fluent Bit to have more custom control over verification with access to this callback. The network_verifier callback will only be called if tls.verify is on.

This allows external network_verifier plugins to be loaded in the plugins section of a yaml conf following the existing format for external plugins; for a network_verifier, the file name is expected to be in the format flb-network_verifier_.so

Added the ability to inform a Network Verifier plugin of connection issues when attempting to connect to an Endpoint. This will allow custom external handling of these error conditions.


Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
service:
  log_level: trace

plugins:
 - path/to/external/plugin/file/flb-network_verifier_serverhash.so

network_verifiers:
 - name: serverhash
   hash: <SHA hash to verify against>
   alias: serverhash

pipeline:
  inputs:
    - name: dummy
      dummy: '{"message": "Hello from Fluent Bit!"}'

  outputs:
    - name: opentelemetry
      host: 192.168.1.95
      port: 8909
      match: '*'
      retry_limit: no_retries
      tls: on
      tls.verify: on
      tls.crt_file: path/to/cert/file/MyCertificate.crt
      tls.key_file: path/to/key/file/MyKey.key
      network_verifier: serverhash
  • Debug log output from testing the change
  • Log output from calling into the external network_verifier plugin, which SHA256-hashes the CA certificate provided in the TLS connection and compares it to the hash in the configuration, proving custom TLS verification
Fluent Bit v4.2.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _             ___   _____ 
|  ___| |                | |   | ___ (_) |           /   | / __  \
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `' / /'
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |   / /  
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |_./ /___
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)_____/

             Fluent Bit v4.2 – Direct Routes Ahead
         Celebrating 10 Years of Open, Fluent Innovation!

[2025/11/12 12:44:14.913716600] [ info] [fluent bit] version=4.2.0, commit=9ae74919a6, pid=26408
[2025/11/12 12:44:14.915908400] [trace] [network_verifier:serverhash:serverhash] setting hash: 8F60B0E34865DF8E302CC0D7880887E6222D2EE0647E9AA3148665C052A6393D
[2025/11/12 12:44:14.916414200] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/11/12 12:44:14.916482700] [ info] [simd    ] disabled
[2025/11/12 12:44:14.916513900] [ info] [cmetrics] version=1.0.5
[2025/11/12 12:44:14.916557700] [ info] [ctraces ] version=0.6.6
[2025/11/12 12:44:14.917502700] [ info] [input:dummy:dummy.0] initializing
[2025/11/12 12:44:14.917555000] [ info] [input:dummy:dummy.0] storage_strategy='memory' (memory only)
[2025/11/12 12:44:14.949128900] [ info] [sp] stream processor started
[2025/11/12 12:44:14.950421000] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/11/12 12:44:19.2142700] [trace] [network_verifier:serverhash:serverhash] cb_serverhash_verify: depth=0, preverify_ok=0, error=18, message=self-signed certificate
[2025/11/12 12:44:19.2831300] [error] [network_verifier:serverhash:serverhash] cb_serverhash_verify: failed to verify cert. Thumbprint: AD616E0A6290ECEE5726D7FB6147BF21548DDE9A,C=NZ,ST=Waikato,L=Hamilton,O=Gallagher,OU=Security,CN=Diagnostics Service
[2025/11/12 12:44:19.3119400] [error] [tls] certificate verification failed, reason: self-signed certificate (X509 code: 18)
[2025/11/12 12:44:19.3360900] [error] [output:opentelemetry:opentelemetry.0] no upstream connections available to 192.168.1.95:8909
  • Log output from calling into the external network_verifier plugin when the endpoint is not available
[2025/11/12 12:51:03.291357000] [ info] [fluent bit] version=4.2.0, commit=9ae74919a6, pid=3324
[2025/11/12 12:51:03.293612100] [trace] [network_verifier:serverhash:serverhash] setting hash: 8F60B0E34865DF8E302CC0D7880887E6222D2EE0647E9AA3148665C052A6393D
[2025/11/12 12:51:03.294168100] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/11/12 12:51:03.294246700] [ info] [simd    ] disabled
[2025/11/12 12:51:03.294280400] [ info] [cmetrics] version=1.0.5
[2025/11/12 12:51:03.294328000] [ info] [ctraces ] version=0.6.6
[2025/11/12 12:51:03.295265300] [ info] [input:dummy:dummy.0] initializing
[2025/11/12 12:51:03.295316900] [ info] [input:dummy:dummy.0] storage_strategy='memory' (memory only)
[2025/11/12 12:51:03.325332000] [ info] [sp] stream processor started
[2025/11/12 12:51:03.326588400] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/11/12 12:51:04.723580500] [ warn] [net] getaddrinfo(host='TEST_HOST', err=11): Could not contact DNS servers
[2025/11/12 12:51:04.723687000] [trace] [network_verifier:serverhash:serverhash] cb_connection_failure called TEST_HOST:8909 - 11 : Could not contact DNS servers
[2025/11/12 12:51:04.724117700] [trace] [network_verifier:serverhash:serverhash] cb_connection_failure: message=TEST_HOST:8909 - Could not contact DNS servers (11)
[2025/11/12 12:51:04.724315400] [error] [output:opentelemetry:opentelemetry.0] no upstream connections available to TEST_HOST:8909
[2025/11/12 12:51:04.724558700] [ info] [engine] chunk '3324-1762905063.528532300.flb' is not retried (no retry config): task_id=0, input=dummy.0 > output=opentelemetry.0 (out_id=0)
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
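The serverhash verification shown in the log above, as an added Go example (not Fluent Bit's or the plugin's code): Go's crypto/tls VerifyPeerCertificate hook stands in for the OpenSSL SSL_CTX_set_verify callback that the PR wires through the network_verifier plugin, and the certificate and configured hash are constructed in memory. The names selfSignedCert and serverHashVerifier are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// selfSignedCert builds a self-signed certificate in memory (constructed test data standing in
// for the endpoint's CA certificate) and returns it together with the hex SHA-256 of its DER
// encoding, the value an operator would put in the network_verifier 'hash' setting.
func selfSignedCert() (tls.Certificate, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Diagnostics Service"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	sum := sha256.Sum256(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, hex.EncodeToString(sum[:]), nil
}

// serverHashVerifier returns the custom verification hook, the Go analogue of the OpenSSL verify
// callback the plugin installs. It hashes the issuer-most certificate the peer presented and accepts
// only when that hash equals the configured pin; a malformed pin never matches, so it fails closed.
func serverHashVerifier(pinnedHex string) func([][]byte, [][]*x509.Certificate) error {
	pinned, _ := hex.DecodeString(pinnedHex) // decode errors leave a short/empty pin that cannot match
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("serverhash: peer presented no certificate")
		}
		sum := sha256.Sum256(rawCerts[len(rawCerts)-1]) // the CA is the last cert in the presented chain
		if subtle.ConstantTimeCompare(sum[:], pinned) != 1 {
			return errors.New("serverhash: failed to verify cert, hash does not match configured hash")
		}
		return nil
	}
}
```

On a client this is installed with `&tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: serverHashVerifier(pin)}`, where InsecureSkipVerify switches off Go's built-in chain check so the hook is the only verification. The OpenSSL callback in the PR differs in that it additionally receives preverify_ok from OpenSSL's own check and is only consulted when tls.verify is on.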
add flb_network_verifier.c and include openssl header directories

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
pass through the network_verifier instance to TLS context creation and
onto openssl, if non NULL will retrieve the verify callback function from the
plugin and assign to the SSL_CTX_verify_callback.

Also adds the network_verifier instance as a X509_STORE data variable so it is
accessible for the callback function to use.

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…ate function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…te function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…e function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…nction

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
… function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…te function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…create function

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…unction

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
start / shutdown

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
…tify of

network errors

Signed-off-by: Craig Robb <craig.robb@gallagher.com>
@Craig-Robb-GGL Craig-Robb-GGL marked this pull request as ready for review November 12, 2025 00:08
@Craig-Robb-GGL Craig-Robb-GGL merged commit 6d4741e into master Nov 12, 2025
@Craig-Robb-GGL Craig-Robb-GGL deleted the craigr/network_verifier_plugin_type branch November 12, 2025 00:14