From 037944a51b910144e8fc99b69f27e100616e0d68 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Thu, 12 Aug 2021 16:43:29 +0200
Subject: [PATCH] GelfWriter: actually verify TLS server certificates

And add a new option insecure_noverify to explicitly disable it if desired.
---
 doc/09-object-types.md | 1 +
 lib/perfdata/gelfwriter.cpp | 12 ++++++++++++
 lib/perfdata/gelfwriter.ti | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/doc/09-object-types.md b/doc/09-object-types.md
index a00d010e2..13a273afa 100644
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
@@ -1317,6 +1317,7 @@ Configuration Attributes:
 enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events.
 enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`.
 enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
+ insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
 ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
 cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
 key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.
diff --git a/lib/perfdata/gelfwriter.cpp b/lib/perfdata/gelfwriter.cpp
index 3f5fc4403..73f4457bc 100644
--- a/lib/perfdata/gelfwriter.cpp
+++ b/lib/perfdata/gelfwriter.cpp
@@ -196,6 +196,18 @@ void GelfWriter::ReconnectInternal()
 << "TLS handshake with host '" << GetHost() << " failed.'";
 throw;
 }
+
+ if (!GetInsecureNoverify()) {
+ if (!tlsStream.GetPeerCertificate()) {
+ BOOST_THROW_EXCEPTION(std::runtime_error("Graylog Gelf didn't present any TLS certificate."));
+ }
+
+ if (!tlsStream.IsVerifyOK()) {
+ BOOST_THROW_EXCEPTION(std::runtime_error(
+ "TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
+ ));
+ }
+ }
 }

 SetConnected(true);
diff --git a/lib/perfdata/gelfwriter.ti b/lib/perfdata/gelfwriter.ti
index 2176fd877..387ee1487 100644
--- a/lib/perfdata/gelfwriter.ti
+++ b/lib/perfdata/gelfwriter.ti
@@ -34,6 +34,9 @@ class GelfWriter : ConfigObject
 [config] bool enable_tls {
 default {{{ return false; }}}
 };
+ [config] bool insecure_noverify {
+ default {{{ return false; }}}
+ };
 [config] String ca_path;
 [config] String cert_path;
 [config] String key_path;
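Review bot: The new block checks that a certificate was presented and that `IsVerifyOK()` holds, but nothing in the hunk matches that certificate against `GetHost()`; if `IsVerifyOK()` only reports the chain verification result (which its name suggests, though the implementation is outside this hunk), any certificate chaining to the trusted CA would be accepted, including one issued to a different host by the same CA. Unless the stream's TLS context pins the expected hostname elsewhere in the file, a SAN/CN match against `GetHost()` belongs next to the `IsVerifyOK()` check, or at minimum a comment stating the limitation, e.g. `// NOTE: IsVerifyOK() covers chain validation only; the certificate is not matched against GetHost()`. The `runtime_error` text also omits which endpoint failed, unlike the handshake log line just above it; including `GetHost()` in the message would make the failure actionable from the log alone. ReconnectInternal() starts and ends outside this hunk.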