tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-24 22:24:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

GelfWriter: actually verify TLS server certificates

Browse Source 
And add a new option insecure_noverify to explicitly disable it if desired.
This commit is contained in:
Julian Brost 2021-08-12 16:43:29 +02:00
parent 5cada85e54
commit 29e9df938c
3 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/09-object-types.md
View File

@ -1326,6 +1326,7 @@ Configuration Attributes:
enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events. enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events.
enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`. enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`.
enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`. ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`. cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`. key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.

12
lib/perfdata/gelfwriter.cpp
View File

@ -206,6 +206,18 @@ void GelfWriter::ReconnectInternal()
<< "TLS handshake with host '" << GetHost() << " failed.'"; << "TLS handshake with host '" << GetHost() << " failed.'";
throw; throw;
} }
if (!GetInsecureNoverify()) {
if (!tlsStream.GetPeerCertificate()) {
BOOST_THROW_EXCEPTION(std::runtime_error("Graylog Gelf didn't present any TLS certificate."));
}
if (!tlsStream.IsVerifyOK()) {
BOOST_THROW_EXCEPTION(std::runtime_error(
"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
));
}
}
} }
SetConnected(true); SetConnected(true);

3
lib/perfdata/gelfwriter.ti
View File

@ -34,6 +34,9 @@ class GelfWriter : ConfigObject
[config] bool enable_tls { [config] bool enable_tls {
default {{{ return false; }}} default {{{ return false; }}}
}; };
[config] bool insecure_noverify {
default {{{ return false; }}}
};
[config] String ca_path; [config] String ca_path;
[config] String cert_path; [config] String cert_path;
[config] String key_path; [config] String key_path;