From 3b2e978335a17629147a516cc03cf1a0c5814a73 Mon Sep 17 00:00:00 2001 From: Sebastian Harl Date: Tue, 8 Apr 2008 13:03:20 +0200 Subject: [PATCH] apache, nginx plugins: Added "Verify{Peer,Host}" configuration options. "VerifyPeer" may be used to disable peer SSL certificate verification and "VerifyHost" may be used to disable peer host name (as provided by the SSL certificate's CA or SAN fields) verification. Using both options is similar to curl's "--insecure" command line option. As requested by Joerg Jaspert. Signed-off-by: Sebastian Harl Signed-off-by: Florian Forster --- src/apache.c | 34 ++++++++++++++++++++++++++++++---- src/collectd.conf.pod | 26 ++++++++++++++++++++++++++ src/nginx.c | 34 ++++++++++++++++++++++++++++++---- 3 files changed, 86 insertions(+), 8 deletions(-) diff --git a/src/apache.c b/src/apache.c index 2a7e0b80..3cda5650 100644 --- a/src/apache.c +++ b/src/apache.c @@ -29,10 +29,12 @@ #include -static char *url = NULL; -static char *user = NULL; -static char *pass = NULL; -static char *cacert = NULL; +static char *url = NULL; +static char *user = NULL; +static char *pass = NULL; +static char *verify_peer = NULL; +static char *verify_host = NULL; +static char *cacert = NULL; static CURL *curl = NULL; @@ -46,6 +48,8 @@ static const char *config_keys[] = "URL", "User", "Password", + "VerifyPeer", + "VerifyHost", "CACert" }; static int config_keys_num = STATIC_ARRAY_SIZE (config_keys); @@ -102,6 +106,10 @@ static int config (const char *key, const char *value) return (config_set (&user, value)); else if (strcasecmp (key, "password") == 0) return (config_set (&pass, value)); + else if (strcasecmp (key, "verifypeer") == 0) + return (config_set (&verify_peer, value)); + else if (strcasecmp (key, "verifyhost") == 0) + return (config_set (&verify_host, value)); else if (strcasecmp (key, "cacert") == 0) return (config_set (&cacert, value)); else 
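Review bot: The new `verifypeer`/`verifyhost` branches in config() store whatever string the user wrote without validating it, and since the value is later interpreted with an exact `strcmp (..., "true")` in init(), any other spelling (`True`, `yes`, a typo like `ture`) silently disables certificate checking at runtime. A boolean that controls TLS verification should be validated where it is parsed, so a bad configuration is rejected instead of running unverified: before the `config_set` call add `if ((strcasecmp (value, "true") != 0) && (strcasecmp (value, "false") != 0)) return (-1);` for both keys (matching the case-insensitive key handling already used in this function; emitting a log line here would help too, but the plugin's logging macros are not visible in this hunk). The remainder of config(), including the final `else` branch, lies outside the hunk.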
@@ -154,6 +162,24 @@ static int init (void) curl_easy_setopt (curl, CURLOPT_URL, url); + if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); + } + + if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); + } + if (cacert != NULL) { curl_easy_setopt (curl, CURLOPT_CAINFO, cacert); diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod index 614fb0fa..e98860b1 100644 --- a/src/collectd.conf.pod +++ b/src/collectd.conf.pod @@ -173,6 +173,19 @@ Optional user name needed for authentication. Optional password needed for authentication. +=item B B + +Enable or disable peer SSL certificate verification. See +L for details. Enabled by default. + +=item B B + +Enable or disable peer host name verification. If enabled, the plugin checks +if the C or a C field of the SSL +certificate matches the host name provided by the B option. If this +identity check fails, the connection is aborted. Obviously, only works when +connecting to a SSL enabled server. Enabled by default. + =item B I File that holds one or more SSL certificates. If you want to use HTTPS you will @@ -823,6 +836,19 @@ Optional user name needed for authentication. Optional password needed for authentication. +=item B B + +Enable or disable peer SSL certificate verification. See +L for details. Enabled by default. + +=item B B + +Enable or disable peer host name verification. If enabled, the plugin checks +if the C or a C field of the SSL +certificate matches the host name provided by the B option. If this +identity check fails, the connection is aborted. Obviously, only works when +connecting to a SSL enabled server. Enabled by default. + =item B I File that holds one or more SSL certificates. If you want to use HTTPS you will 
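Review bot: The `strcmp (verify_peer, "true") == 0` test in init() fails open: `True`, `yes`, `1` or a typo all fall into the `else` branch and set CURLOPT_SSL_VERIFYPEER to 0, even though the configuration keys themselves are matched case-insensitively in config(). Invert the logic so only an explicit `false` disables checking, e.g. `curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, ((verify_peer == NULL) || (strcasecmp (verify_peer, "false") != 0)) ? 1L : 0L);` and `curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, ((verify_host == NULL) || (strcasecmp (verify_host, "false") != 0)) ? 2L : 0L);`, replacing the two if/else blocks. The `L` suffix matters independently of that change: curl_easy_setopt() is variadic and documents these options as taking a `long`, so the bare `int` literals `1`, `2` and `0` are not portable on LP64 targets. init() begins before this hunk and continues after the CURLOPT_CAINFO line; the collectd.conf.pod hunks on this line are documentation only.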
diff --git a/src/nginx.c b/src/nginx.c index a44e8a57..3b107fb7 100644 --- a/src/nginx.c +++ b/src/nginx.c @@ -27,10 +27,12 @@ #include -static char *url = NULL; -static char *user = NULL; -static char *pass = NULL; -static char *cacert = NULL; +static char *url = NULL; +static char *user = NULL; +static char *pass = NULL; +static char *verify_peer = NULL; +static char *verify_host = NULL; +static char *cacert = NULL; static CURL *curl = NULL; @@ -44,6 +46,8 @@ static const char *config_keys[] = "URL", "User", "Password", + "VerifyPeer", + "VerifyHost", "CACert" }; static int config_keys_num = STATIC_ARRAY_SIZE (config_keys); @@ -89,6 +93,10 @@ static int config (const char *key, const char *value) return (config_set (&user, value)); else if (strcasecmp (key, "password") == 0) return (config_set (&pass, value)); + else if (strcasecmp (key, "verifypeer") == 0) + return (config_set (&verify_peer, value)); + else if (strcasecmp (key, "verifyhost") == 0) + return (config_set (&verify_host, value)); else if (strcasecmp (key, "cacert") == 0) return (config_set (&cacert, value)); else @@ -128,6 +136,24 @@ static int init (void) curl_easy_setopt (curl, CURLOPT_URL, url); } + if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); + } + + if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); + } + if (cacert != NULL) { curl_easy_setopt (curl, CURLOPT_CAINFO, cacert); -- 2.30.2
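Review bot: The nginx init() hunk copies the apache plugin's TLS setup verbatim and inherits the same two defects: `strcmp (verify_host, "true") == 0` makes every value other than the exact lowercase string disable host-name verification (fail-open for a security knob), and the `1`, `2` and `0` literals passed to the variadic curl_easy_setopt() should be `long` (`1L`, `2L`, `0L`) as the curl API documents. Suggest `curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, ((verify_host == NULL) || (strcasecmp (verify_host, "false") != 0)) ? 2L : 0L);` and the same shape with `1L` for CURLOPT_SSL_VERIFYPEER, in place of the two if/else blocks. Because these lines are now identical in src/apache.c and src/nginx.c, a small shared helper taking the two option strings and the CURL handle would keep the plugins from drifting when one of them is fixed. init() begins outside this hunk and continues after the CURLOPT_CAINFO line.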