GelfWriter: actually verify TLS server certificates
And add a new option insecure_noverify to explicitly disable it if desired.
This commit is contained in:
parent
5cada85e54
commit
29e9df938c
@ -1326,6 +1326,7 @@ Configuration Attributes:
|
|||||||
enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events.
|
enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events.
|
||||||
enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`.
|
enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`.
|
||||||
enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
|
enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
|
||||||
|
insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
|
||||||
ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
|
ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
|
||||||
cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
|
cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
|
||||||
key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.
|
key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.
|
||||||
|
@ -206,6 +206,18 @@ void GelfWriter::ReconnectInternal()
|
|||||||
<< "TLS handshake with host '" << GetHost() << " failed.'";
|
<< "TLS handshake with host '" << GetHost() << " failed.'";
|
||||||
throw;
|
throw;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!GetInsecureNoverify()) {
|
||||||
|
if (!tlsStream.GetPeerCertificate()) {
|
||||||
|
BOOST_THROW_EXCEPTION(std::runtime_error("Graylog Gelf didn't present any TLS certificate."));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!tlsStream.IsVerifyOK()) {
|
||||||
|
BOOST_THROW_EXCEPTION(std::runtime_error(
|
||||||
|
"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SetConnected(true);
|
SetConnected(true);
|
||||||
|
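Review bot: The new verification block in GelfWriter::ReconnectInternal checks only that a certificate was presented and that `IsVerifyOK()` holds; nothing in the hunk compares the certificate's subject or SAN with `GetHost()`, so if `IsVerifyOK()` reflects only the CA-chain result, any certificate issued by the configured CA would be accepted for this connection — worth confirming in TlsStream and recording either way in a comment above `if (!GetInsecureNoverify()) {`, e.g. `// Chain validation only: the peer name is not matched against the certificate (TODO: confirm in TlsStream).` When `insecure_noverify` is set, the skipped check leaves no trace in the log; an else branch with `Log(LogWarning, "GelfWriter") << "TLS peer verification disabled (insecure_noverify) for host '" << GetHost() << "'.";` would make the weakened configuration visible to operators. The stream is not explicitly torn down before either BOOST_THROW_EXCEPTION; whether the caller closes it on exception is not visible here. ReconnectInternal starts and ends outside the hunk.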
@ -34,6 +34,9 @@ class GelfWriter : ConfigObject
|
|||||||
[config] bool enable_tls {
|
[config] bool enable_tls {
|
||||||
default {{{ return false; }}}
|
default {{{ return false; }}}
|
||||||
};
|
};
|
||||||
|
[config] bool insecure_noverify {
|
||||||
|
default {{{ return false; }}}
|
||||||
|
};
|
||||||
[config] String ca_path;
|
[config] String ca_path;
|
||||||
[config] String cert_path;
|
[config] String cert_path;
|
||||||
[config] String key_path;
|
[config] String key_path;
|
||||||
|