tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-29 16:44:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

InfluxdbCommonWriter: actually verify TLS server certificates

Browse Source 
And add a new option ssl_insecure_noverify to explicitly disable it if desired.
This commit is contained in:
Julian Brost 2021-08-12 16:43:55 +02:00
parent 29e9df938c
commit 8f3f692ecf
3 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/09-object-types.md
View File

@ -1674,6 +1674,7 @@ Configuration Attributes:
password | String | **Optional.** InfluxDB user password. Defaults to `none`. password | String | **Optional.** InfluxDB user password. Defaults to `none`.
basic\_auth | Dictionary | **Optional.** Username and password for HTTP basic authentication. basic\_auth | Dictionary | **Optional.** Username and password for HTTP basic authentication.
ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
ssl\_insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host. ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host.
ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification.
ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert. ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert.
@ -1736,6 +1737,7 @@ Configuration Attributes:
bucket | String | **Required.** InfluxDB bucket name. bucket | String | **Required.** InfluxDB bucket name.
auth\_token | String | **Required.** InfluxDB authentication token. auth\_token | String | **Required.** InfluxDB authentication token.
ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
ssl\_insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host. ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host.
ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification.
ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert. ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert.

12
lib/perfdata/influxdbcommonwriter.cpp
View File

@ -187,6 +187,18 @@ OptionalTlsStream InfluxdbCommonWriter::Connect()
<< "TLS handshake with host '" << GetHost() << "' failed."; << "TLS handshake with host '" << GetHost() << "' failed.";
throw; throw;
} }
if (!GetSslInsecureNoverify()) {
if (!tlsStream.GetPeerCertificate()) {
BOOST_THROW_EXCEPTION(std::runtime_error("InfluxDB didn't present any TLS certificate."));
}
if (!tlsStream.IsVerifyOK()) {
BOOST_THROW_EXCEPTION(std::runtime_error(
"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
));
}
}
} }
return std::move(stream); return std::move(stream);

3
lib/perfdata/influxdbcommonwriter.ti
View File

@ -18,6 +18,9 @@ abstract class InfluxdbCommonWriter : ConfigObject
[config] bool ssl_enable { [config] bool ssl_enable {
default {{{ return false; }}} default {{{ return false; }}}
}; };
[config] bool ssl_insecure_noverify {
default {{{ return false; }}}
};
[config] String ssl_ca_cert { [config] String ssl_ca_cert {
default {{{ return ""; }}} default {{{ return ""; }}}
}; };