From 50a798070997459d7005168d2fe2af87b8000c15 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Thu, 12 Aug 2021 16:43:55 +0200
Subject: [PATCH] InfluxdbCommonWriter: actually verify TLS server certificates
And add a new option ssl_insecure_noverify to explicitly disable it if desired.
---
 doc/09-object-types.md | 2 ++
 lib/perfdata/influxdbcommonwriter.cpp | 12 ++++++++++++
 lib/perfdata/influxdbcommonwriter.ti | 3 +++
 3 files changed, 17 insertions(+)
diff --git a/doc/09-object-types.md b/doc/09-object-types.md
index 454ecce3c..e9562b5df 100644
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
@@ -1664,6 +1664,7 @@ Configuration Attributes:
 password | String | **Optional.** InfluxDB user password. Defaults to `none`.
 basic\_auth | Dictionary | **Optional.** Username and password for HTTP basic authentication.
 ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
+ ssl\_insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
 ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host.
 ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification.
 ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert.
@@ -1726,6 +1727,7 @@ Configuration Attributes:
 bucket | String | **Required.** InfluxDB bucket name.
 auth\_token | String | **Required.** InfluxDB authentication token.
 ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
+ ssl\_insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
 ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host.
 ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification.
 ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert.
diff --git a/lib/perfdata/influxdbcommonwriter.cpp b/lib/perfdata/influxdbcommonwriter.cpp
index d85426f44..1aafffced 100644
--- a/lib/perfdata/influxdbcommonwriter.cpp
+++ b/lib/perfdata/influxdbcommonwriter.cpp
@@ -187,6 +187,18 @@ OptionalTlsStream InfluxdbCommonWriter::Connect()
 << "TLS handshake with host '" << GetHost() << "' failed.";
 throw;
 }
+
+ if (!GetSslInsecureNoverify()) {
+ if (!tlsStream.GetPeerCertificate()) {
+ BOOST_THROW_EXCEPTION(std::runtime_error("InfluxDB didn't present any TLS certificate."));
+ }
+
+ if (!tlsStream.IsVerifyOK()) {
+ BOOST_THROW_EXCEPTION(std::runtime_error(
+ "TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
+ ));
+ }
+ }
 }
 return std::move(stream);
diff --git a/lib/perfdata/influxdbcommonwriter.ti b/lib/perfdata/influxdbcommonwriter.ti
index 7eb26dac9..5cfe83f1a 100644
--- a/lib/perfdata/influxdbcommonwriter.ti
+++ b/lib/perfdata/influxdbcommonwriter.ti
@@ -18,6 +18,9 @@ abstract class InfluxdbCommonWriter : ConfigObject
 [config] bool ssl_enable {
 default {{{ return false; }}}
 };
+ [config] bool ssl_insecure_noverify {
+ default {{{ return false; }}}
+ };
 [config] String ssl_ca_cert {
 default {{{ return ""; }}}
 };
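Review bot: The new post-handshake check accepts any certificate that validates against the configured CA regardless of which host it was issued to: between `IsVerifyOK()` and the `return` nothing compares the presented certificate's subject alternative names or CN against `GetHost()`, so a certificate the same CA issued for a different server would pass, unless `IsVerifyOK()` already performs hostname matching internally, which this hunk does not show. If it does not, add a hostname check on the certificate returned by `GetPeerCertificate()` (OpenSSL's `X509_check_host()`, or whatever name-matching helper the project already uses for its cluster connections) and throw in the same `std::runtime_error` style when it fails. A smaller point: when `GetSslInsecureNoverify()` is true the connection proceeds silently, so an `else` branch on the new `if` emitting a `Log(LogWarning, …)` line in the style of the handshake-failure log just above, e.g. `<< "TLS peer verification is disabled for InfluxDB host '" << GetHost() << "'."`, would make that state visible to operators, and including `GetHost()` in the two new exception messages would likewise help when several writers are configured. Connect() begins before this hunk, so the TLS context setup that determines what `IsVerifyOK()` reflects is not visible here.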