From: Florian Forster Date: Tue, 5 Dec 2017 11:15:00 +0000 (+0100) Subject: grpc plugin: Implement the VerifyPeer option for servers. X-Git-Url: https://git.verplant.org/?a=commitdiff_plain;h=9efc026712b693670bbde6ebd5e015778ae1afdf;p=collectd.git grpc plugin: Implement the VerifyPeer option for servers. --- diff --git a/src/collectd.conf.in b/src/collectd.conf.in index 4efa29e4..2b54a6e2 100644 --- a/src/collectd.conf.in +++ b/src/collectd.conf.in @@ -643,6 +643,7 @@ # SSLCACertificateFile "/path/to/root.pem" # SSLCertificateFile "/path/to/client.pem" # SSLCertificateKeyFile "/path/to/client.key" +# VerifyPeer true # # diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod index 0e7a6046..c8cd7e51 100644 --- a/src/collectd.conf.pod +++ b/src/collectd.conf.pod @@ -3094,6 +3094,13 @@ Whether to enable SSL for incoming connections. Default: false. Filenames specifying SSL certificate and key material to be used with SSL connections. +=item B B|B + +When enabled, a valid client certificate is required to connect to the server. +When disabled, a client certifiacte is not requested and any unsolicited client +certificate is accepted. +Enabled by default. + =back =back diff --git a/src/grpc.cc b/src/grpc.cc index 0f5cfec0..87ef754a 100644 --- a/src/grpc.cc +++ b/src/grpc.cc @@ -626,7 +626,8 @@ static int c_grpc_config_listen(oconfig_item_t *ci) { listener.port = grpc::string(ci->values[1].value.string); listener.ssl = nullptr; - auto ssl_opts = new (grpc::SslServerCredentialsOptions); + auto ssl_opts = new grpc::SslServerCredentialsOptions( + GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY); grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {}; bool use_ssl = false; @@ -659,6 +660,14 @@ static int c_grpc_config_listen(oconfig_item_t *ci) { return -1; } pkcp.cert_chain = read_file(cert); + } else if (!strcasecmp("VerifyPeer", child->key)) { + _Bool verify = 0; + if (cf_util_get_boolean(child, &verify)) { + return -1; + } + ssl_opts->client_certificate_request = + verify ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY + : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE; } else { WARNING("grpc: Option `%s` not allowed in <%s> block.", child->key, ci->key);