apache, nginx plugins: Added "Verify{Peer,Host}" configuration options.

"VerifyPeer" may be used to disable peer SSL certificate verification and
"VerifyHost" may be used to disable peer host name (as provided by the SSL
certificate's CA or SAN fields) verification.

Using both options is similar to curl's "--insecure" command line
option.

As requested by Joerg Jaspert.

Signed-off-by: Sebastian Harl <sh@tokkee.org>
Signed-off-by: Florian Forster <octo@huhu.verplant.org>

diff --git a/src/apache.c b/src/apache.c
index 2a7e0b8..3cda565 100644 (file)
--- a/src/apache.c
+++ b/src/apache.c
@@ -29,10 +29,12 @@
 
 #include <curl/curl.h>
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -46,6 +48,8 @@ static const char *config_keys[] =
        "URL",
        "User",
        "Password",
+       "VerifyPeer",
+       "VerifyHost",
        "CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -102,6 +106,10 @@ static int config (const char *key, const char *value)
                return (config_set (&user, value));
        else if (strcasecmp (key, "password") == 0)
                return (config_set (&pass, value));
+       else if (strcasecmp (key, "verifypeer") == 0)
+               return (config_set (&verify_peer, value));
+       else if (strcasecmp (key, "verifyhost") == 0)
+               return (config_set (&verify_host, value));
        else if (strcasecmp (key, "cacert") == 0)
                return (config_set (&cacert, value));
        else
@@ -154,6 +162,24 @@ static int init (void)
 
        curl_easy_setopt (curl, CURLOPT_URL, url);
 
+       if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+       {
+               curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+       }
+       else
+       {
+               curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+       }
+
+       if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+       {
+               curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+       }
+       else
+       {
+               curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+       }
+
        if (cacert != NULL)
        {
                curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);

diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 614fb0f..e98860b 100644 (file)
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -173,6 +173,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will
@@ -823,6 +836,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will

diff --git a/src/nginx.c b/src/nginx.c
index a44e8a5..3b107fb 100644 (file)
--- a/src/nginx.c
+++ b/src/nginx.c
@@ -27,10 +27,12 @@
 
 #include <curl/curl.h>
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -44,6 +46,8 @@ static const char *config_keys[] =
   "URL",
   "User",
   "Password",
+  "VerifyPeer",
+  "VerifyHost",
   "CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -89,6 +93,10 @@ static int config (const char *key, const char *value)
     return (config_set (&user, value));
   else if (strcasecmp (key, "password") == 0)
     return (config_set (&pass, value));
+  else if (strcasecmp (key, "verifypeer") == 0)
+    return (config_set (&verify_peer, value));
+  else if (strcasecmp (key, "verifyhost") == 0)
+    return (config_set (&verify_host, value));
   else if (strcasecmp (key, "cacert") == 0)
     return (config_set (&cacert, value));
   else
@@ -128,6 +136,24 @@ static int init (void)
     curl_easy_setopt (curl, CURLOPT_URL, url);
   }
 
+  if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+  }
+  else
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+  }
+
+  if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+  }
+  else
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+  }
+
   if (cacert != NULL)
   {
     curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);