ascent plugin: Added "Verify{Peer,Host}" configuration options.

Those options may be used to disable peer SSL certificate or peer host name
verification respectively. The apache and nginx plugins already support those
options, so this makes configuration of plugins using libcurl more consistent.

Signed-off-by: Sebastian Harl <sh@tokkee.org>
Signed-off-by: Florian Forster <octo@huhu.verplant.org>

diff --git a/src/ascent.c b/src/ascent.c
index 6b4f21fc6b887b37b6ddfc70a8cdd5bfdd7e9018..c443d387c5a91d0604327a475abb2bd5bd957477 100644 (file)
--- a/src/ascent.c
+++ b/src/ascent.c
@@ -91,10 +91,12 @@ struct player_info_s
 typedef struct player_info_s player_info_t;
 #define PLAYER_INFO_STATIC_INIT { -1, -1, -1, -1, -1 }
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -108,6 +110,8 @@ static const char *config_keys[] =
   "URL",
   "User",
   "Password",
+  "VerifyPeer",
+  "VerifyHost",
   "CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -500,6 +504,10 @@ static int ascent_config (const char *key, const char *value) /* {{{ */
     return (config_set (&user, value));
   else if (strcasecmp (key, "Password") == 0)
     return (config_set (&pass, value));
+  else if (strcasecmp (key, "VerifyPeer") == 0)
+    return (config_set (&verify_peer, value));
+  else if (strcasecmp (key, "VerifyHost") == 0)
+    return (config_set (&verify_host, value));
   else if (strcasecmp (key, "CACert") == 0)
     return (config_set (&cacert, value));
   else
@@ -550,6 +558,16 @@ static int ascent_init (void) /* {{{ */
 
   curl_easy_setopt (curl, CURLOPT_URL, url);
 
+  if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+  else
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+
+  if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+  else
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+
   if (cacert != NULL)
     curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
 

diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 2c4ff462db161aa410a9e167a335bcabe041ac4a..2b3dedf726296c47927ae77772c3e6bf11822c55 100644 (file)
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -232,6 +232,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will