tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-23 05:34:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

ElasticsearchWriter: actually verify TLS server certificates

Browse Source 
And add a new option insecure_noverify to explicitly disable it if desired.
This commit is contained in:
Julian Brost 2021-08-12 16:42:23 +02:00
parent 396f003c69
commit 5cada85e54
3 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/09-object-types.md
View File

@ -1238,6 +1238,7 @@ Configuration Attributes:
username | String | **Optional.** Basic auth username if Elasticsearch is hidden behind an HTTP proxy. username | String | **Optional.** Basic auth username if Elasticsearch is hidden behind an HTTP proxy.
password | String | **Optional.** Basic auth password if Elasticsearch is hidden behind an HTTP proxy. password | String | **Optional.** Basic auth password if Elasticsearch is hidden behind an HTTP proxy.
enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. Requires an HTTP proxy. enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. Requires an HTTP proxy.
insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`. ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`. cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`. key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.

12
lib/perfdata/elasticsearchwriter.cpp
View File

@ -632,6 +632,18 @@ OptionalTlsStream ElasticsearchWriter::Connect()
<< "TLS handshake with host '" << GetHost() << "' on port " << GetPort() << " failed."; << "TLS handshake with host '" << GetHost() << "' on port " << GetPort() << " failed.";
throw; throw;
} }
if (!GetInsecureNoverify()) {
if (!tlsStream.GetPeerCertificate()) {
BOOST_THROW_EXCEPTION(std::runtime_error("Elasticsearch didn't present any TLS certificate."));
}
if (!tlsStream.IsVerifyOK()) {
BOOST_THROW_EXCEPTION(std::runtime_error(
"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
));
}
}
} }
return std::move(stream); return std::move(stream);

3
lib/perfdata/elasticsearchwriter.ti
View File

@ -29,6 +29,9 @@ class ElasticsearchWriter : ConfigObject
[config] bool enable_tls { [config] bool enable_tls {
default {{{ return false; }}} default {{{ return false; }}}
}; };
[config] bool insecure_noverify {
default {{{ return false; }}}
};
[config] String ca_path; [config] String ca_path;
[config] String cert_path; [config] String cert_path;
[config] String key_path; [config] String key_path;