From: Sebastian Harl Date: Tue, 8 Apr 2008 11:03:20 +0000 (+0200) Subject: apache, nginx plugins: Added "Verify{Peer,Host}" configuration options. X-Git-Tag: collectd-4.4.0~40 X-Git-Url: https://git.octo.it/?a=commitdiff_plain;h=3b2e978335a17629147a516cc03cf1a0c5814a73;p=collectd.git apache, nginx plugins: Added "Verify{Peer,Host}" configuration options. "VerifyPeer" may be used to disable peer SSL certificate verification and "VerifyHost" may be used to disable peer host name (as provided by the SSL certificate's CA or SAN fields) verification. Using both options is similar to curl's "--insecure" command line option. As requested by Joerg Jaspert. Signed-off-by: Sebastian Harl Signed-off-by: Florian Forster --- diff --git a/src/apache.c b/src/apache.c index 2a7e0b80..3cda5650 100644 --- a/src/apache.c +++ b/src/apache.c @@ -29,10 +29,12 @@ #include -static char *url = NULL; -static char *user = NULL; -static char *pass = NULL; -static char *cacert = NULL; +static char *url = NULL; +static char *user = NULL; +static char *pass = NULL; +static char *verify_peer = NULL; +static char *verify_host = NULL; +static char *cacert = NULL; static CURL *curl = NULL; @@ -46,6 +48,8 @@ static const char *config_keys[] = "URL", "User", "Password", + "VerifyPeer", + "VerifyHost", "CACert" }; static int config_keys_num = STATIC_ARRAY_SIZE (config_keys); @@ -102,6 +106,10 @@ static int config (const char *key, const char *value) return (config_set (&user, value)); else if (strcasecmp (key, "password") == 0) return (config_set (&pass, value)); + else if (strcasecmp (key, "verifypeer") == 0) + return (config_set (&verify_peer, value)); + else if (strcasecmp (key, "verifyhost") == 0) + return (config_set (&verify_host, value)); else if (strcasecmp (key, "cacert") == 0) return (config_set (&cacert, value)); else @@ -154,6 +162,24 @@ static int init (void) curl_easy_setopt (curl, CURLOPT_URL, url); + if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); + } + + if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); + } + if (cacert != NULL) { curl_easy_setopt (curl, CURLOPT_CAINFO, cacert); diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod index 614fb0fa..e98860b1 100644 --- a/src/collectd.conf.pod +++ b/src/collectd.conf.pod @@ -173,6 +173,19 @@ Optional user name needed for authentication. Optional password needed for authentication. +=item B B + +Enable or disable peer SSL certificate verification. See +L for details. Enabled by default. + +=item B B + +Enable or disable peer host name verification. If enabled, the plugin checks +if the C or a C field of the SSL +certificate matches the host name provided by the B option. If this +identity check fails, the connection is aborted. Obviously, only works when +connecting to a SSL enabled server. Enabled by default. + =item B I File that holds one or more SSL certificates. If you want to use HTTPS you will @@ -823,6 +836,19 @@ Optional user name needed for authentication. Optional password needed for authentication. +=item B B + +Enable or disable peer SSL certificate verification. See +L for details. Enabled by default. + +=item B B + +Enable or disable peer host name verification. If enabled, the plugin checks +if the C or a C field of the SSL +certificate matches the host name provided by the B option. If this +identity check fails, the connection is aborted. Obviously, only works when +connecting to a SSL enabled server. Enabled by default. + =item B I File that holds one or more SSL certificates. If you want to use HTTPS you will diff --git a/src/nginx.c b/src/nginx.c index a44e8a57..3b107fb7 100644 --- a/src/nginx.c +++ b/src/nginx.c @@ -27,10 +27,12 @@ #include -static char *url = NULL; -static char *user = NULL; -static char *pass = NULL; -static char *cacert = NULL; +static char *url = NULL; +static char *user = NULL; +static char *pass = NULL; +static char *verify_peer = NULL; +static char *verify_host = NULL; +static char *cacert = NULL; static CURL *curl = NULL; @@ -44,6 +46,8 @@ static const char *config_keys[] = "URL", "User", "Password", + "VerifyPeer", + "VerifyHost", "CACert" }; static int config_keys_num = STATIC_ARRAY_SIZE (config_keys); @@ -89,6 +93,10 @@ static int config (const char *key, const char *value) return (config_set (&user, value)); else if (strcasecmp (key, "password") == 0) return (config_set (&pass, value)); + else if (strcasecmp (key, "verifypeer") == 0) + return (config_set (&verify_peer, value)); + else if (strcasecmp (key, "verifyhost") == 0) + return (config_set (&verify_host, value)); else if (strcasecmp (key, "cacert") == 0) return (config_set (&cacert, value)); else @@ -128,6 +136,24 @@ static int init (void) curl_easy_setopt (curl, CURLOPT_URL, url); } + if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); + } + + if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0)) + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2); + } + else + { + curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); + } + if (cacert != NULL) { curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);