raw | patch | inline | side by side (parent: b58af48)
author | Sebastian Harl <sh@tokkee.org> | |
Tue, 8 Apr 2008 11:03:20 +0000 (13:03 +0200) | ||
committer | Florian Forster <octo@huhu.verplant.org> | |
Wed, 9 Apr 2008 17:01:01 +0000 (19:01 +0200) |
"VerifyPeer" may be used to disable peer SSL certificate verification and
"VerifyHost" may be used to disable peer host name (as provided by the SSL
certificate's CA or SAN fields) verification.
Using both options is similar to curl's "--insecure" command line
option.
As requested by Joerg Jaspert.
Signed-off-by: Sebastian Harl <sh@tokkee.org>
Signed-off-by: Florian Forster <octo@huhu.verplant.org>
"VerifyHost" may be used to disable peer host name (as provided by the SSL
certificate's CA or SAN fields) verification.
Using both options is similar to curl's "--insecure" command line
option.
As requested by Joerg Jaspert.
Signed-off-by: Sebastian Harl <sh@tokkee.org>
Signed-off-by: Florian Forster <octo@huhu.verplant.org>
src/apache.c | patch | blob | history | |
src/collectd.conf.pod | patch | blob | history | |
src/nginx.c | patch | blob | history |
diff --git a/src/apache.c b/src/apache.c
index 2a7e0b80cc41ef0e0bf912dab58895bb88b8ee56..3cda565074eb0376014946386856b8fba0f05ed8 100644 (file)
--- a/src/apache.c
+++ b/src/apache.c
#include <curl/curl.h>
-static char *url = NULL;
-static char *user = NULL;
-static char *pass = NULL;
-static char *cacert = NULL;
+static char *url = NULL;
+static char *user = NULL;
+static char *pass = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert = NULL;
static CURL *curl = NULL;
"URL",
"User",
"Password",
+ "VerifyPeer",
+ "VerifyHost",
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
+ else if (strcasecmp (key, "verifypeer") == 0)
+ return (config_set (&verify_peer, value));
+ else if (strcasecmp (key, "verifyhost") == 0)
+ return (config_set (&verify_host, value));
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
curl_easy_setopt (curl, CURLOPT_URL, url);
+ if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+ }
+
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
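Review bot: The value tests in the last hunk fail open: `strcmp (verify_peer, "true") == 0` is an exact, case-sensitive match, so any other string ("True", "yes", "on", or a typo) falls into the else branch and sets CURLOPT_SSL_VERIFYPEER to 0, and the VerifyHost test has the same shape. The option keys are matched with strcasecmp a few lines earlier, so users may reasonably expect the values to be case-insensitive as well. Verification should be switched off only on an explicit false, for example `if ((verify_peer != NULL) && (strcasecmp (verify_peer, "false") == 0))` guarding the disable branch with everything else enabling it, or the config callback should reject unrecognized values. The same code is added to src/nginx.c, and the enclosing function starts and ends outside the visible lines.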
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 614fb0faa42633c0d530f26434d4c780da2151bc..e98860b112a34095792eb1197662322ed07eed4d 100644 (file)
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
Optional password needed for authentication.
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
Optional password needed for authentication.
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
diff --git a/src/nginx.c b/src/nginx.c
index a44e8a5778bb9de85802c599a91574745048458e..3b107fb72ad209c41d08c22ded54fe349310d305 100644 (file)
--- a/src/nginx.c
+++ b/src/nginx.c
#include <curl/curl.h>
-static char *url = NULL;
-static char *user = NULL;
-static char *pass = NULL;
-static char *cacert = NULL;
+static char *url = NULL;
+static char *user = NULL;
+static char *pass = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert = NULL;
static CURL *curl = NULL;
"URL",
"User",
"Password",
+ "VerifyPeer",
+ "VerifyHost",
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
+ else if (strcasecmp (key, "verifypeer") == 0)
+ return (config_set (&verify_peer, value));
+ else if (strcasecmp (key, "verifyhost") == 0)
+ return (config_set (&verify_host, value));
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
curl_easy_setopt (curl, CURLOPT_URL, url);
}
+ if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+ }
+
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
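Review bot: The added curl_easy_setopt calls pass plain int constants (`1`, `2`, `0`) for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, but libcurl documents both options as taking a `long` and the function is variadic, so no conversion is applied; they should be written `1L`, `2L` and `0L`. On an ABI where int and long are passed differently the option could be read with an unintended value, which matters here because that value decides whether TLS verification runs. The return values are also ignored, and nothing is logged when either check is turned off; a warning line in the disable branches would let operators spot instances running without verification. src/apache.c contains the same calls.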