[collectd] [PATCH] apache, nginx plugins: Added "Verify{Peer, Host}" configuration options.

Sebastian Harl sh at tokkee.org
Tue Apr 8 13:03:20 CEST 2008


"VerifyPeer" may be used to disable peer SSL certificate verification and
"VerifyHost" may be used to disable verification of the peer's host name (as
provided by the SSL certificate's CN or SAN fields).

Using both options is similar to curl's "--insecure" command line
option.

As requested by Joerg Jaspert.

Signed-off-by: Sebastian Harl <sh at tokkee.org>
---
 src/apache.c          |   34 ++++++++++++++++++++++++++++++----
 src/collectd.conf.pod |   26 ++++++++++++++++++++++++++
 src/nginx.c           |   34 ++++++++++++++++++++++++++++++----
 3 files changed, 86 insertions(+), 8 deletions(-)

diff --git a/src/apache.c b/src/apache.c
index 2a7e0b8..3cda565 100644
--- a/src/apache.c
+++ b/src/apache.c
@@ -29,10 +29,12 @@
 
 #include <curl/curl.h>
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -46,6 +48,8 @@ static const char *config_keys[] =
 	"URL",
 	"User",
 	"Password",
+	"VerifyPeer",
+	"VerifyHost",
 	"CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -102,6 +106,10 @@ static int config (const char *key, const char *value)
 		return (config_set (&user, value));
 	else if (strcasecmp (key, "password") == 0)
 		return (config_set (&pass, value));
+	else if (strcasecmp (key, "verifypeer") == 0)
+		return (config_set (&verify_peer, value));
+	else if (strcasecmp (key, "verifyhost") == 0)
+		return (config_set (&verify_host, value));
 	else if (strcasecmp (key, "cacert") == 0)
 		return (config_set (&cacert, value));
 	else
@@ -154,6 +162,24 @@ static int init (void)
 
 	curl_easy_setopt (curl, CURLOPT_URL, url);
 
+	if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+	{
+		curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+	}
+	else
+	{
+		curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+	}
+
+	if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+	{
+		curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+	}
+	else
+	{
+		curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+	}
+
 	if (cacert != NULL)
 	{
 		curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
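Review bot: The test at the top of this hunk fails open: any value other than the exact lowercase string `true` — `True`, `yes`, `1`, or a typo — silently lands in the `else` branch and sets `CURLOPT_SSL_VERIFYPEER` to 0, so a misconfiguration downgrades to no certificate verification. Inverting the test so that only an explicit `false` disables the check keeps the default secure, e.g. `if ((verify_peer != NULL) && (strcasecmp (verify_peer, "false") == 0))` selecting the 0 branch and verification enabled otherwise, with the same shape for `verify_host`; better still, reject anything other than true/false in `config` so a misspelling is a configuration error rather than a security downgrade. The values passed to `curl_easy_setopt` for these options should also be written as `long` (`1L`, `2L`, `0L`) since the function is variadic and libcurl reads a `long` for them. The same applies to the matching `init` hunk in src/nginx.c. The body of `init` continues outside this hunk.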
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index d3f5195..42d6051 100644
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -173,6 +173,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will
@@ -793,6 +806,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will
diff --git a/src/nginx.c b/src/nginx.c
index a44e8a5..3b107fb 100644
--- a/src/nginx.c
+++ b/src/nginx.c
@@ -27,10 +27,12 @@
 
 #include <curl/curl.h>
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -44,6 +46,8 @@ static const char *config_keys[] =
   "URL",
   "User",
   "Password",
+  "VerifyPeer",
+  "VerifyHost",
   "CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -89,6 +93,10 @@ static int config (const char *key, const char *value)
     return (config_set (&user, value));
   else if (strcasecmp (key, "password") == 0)
     return (config_set (&pass, value));
+  else if (strcasecmp (key, "verifypeer") == 0)
+    return (config_set (&verify_peer, value));
+  else if (strcasecmp (key, "verifyhost") == 0)
+    return (config_set (&verify_host, value));
   else if (strcasecmp (key, "cacert") == 0)
     return (config_set (&cacert, value));
   else
@@ -128,6 +136,24 @@ static int init (void)
     curl_easy_setopt (curl, CURLOPT_URL, url);
   }
 
+  if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+  }
+  else
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+  }
+
+  if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+  }
+  else
+  {
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+  }
+
   if (cacert != NULL)
   {
     curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
-- 
1.5.5.rc2


