[collectd] [PATCH] ascent plugin: Added "Verify{Peer, Host}" configuration options.

Sebastian Harl sh at tokkee.org
Sun Jun 1 15:44:10 CEST 2008 

Those options may be used to disable peer SSL certificate or peer host name
verification respectively. The apache and nginx plugins already support those
options, so this makes configuration of plugins using libcurl more consistent.

Signed-off-by: Sebastian Harl <sh at tokkee.org>
---
 src/ascent.c          |   26 ++++++++++++++++++++++----
 src/collectd.conf.pod |   13 +++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/src/ascent.c b/src/ascent.c
index 6b4f21f..c443d38 100644
--- a/src/ascent.c
+++ b/src/ascent.c
@@ -91,10 +91,12 @@ struct player_info_s
 typedef struct player_info_s player_info_t;
 #define PLAYER_INFO_STATIC_INIT { -1, -1, -1, -1, -1 }
 
-static char *url    = NULL;
-static char *user   = NULL;
-static char *pass   = NULL;
-static char *cacert = NULL;
+static char *url         = NULL;
+static char *user        = NULL;
+static char *pass        = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert      = NULL;
 
 static CURL *curl = NULL;
 
@@ -108,6 +110,8 @@ static const char *config_keys[] =
   "URL",
   "User",
   "Password",
+  "VerifyPeer",
+  "VerifyHost",
   "CACert"
 };
 static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
@@ -500,6 +504,10 @@ static int ascent_config (const char *key, const char *value) /* {{{ */
     return (config_set (&user, value));
   else if (strcasecmp (key, "Password") == 0)
     return (config_set (&pass, value));
+  else if (strcasecmp (key, "VerifyPeer") == 0)
+    return (config_set (&verify_peer, value));
+  else if (strcasecmp (key, "VerifyHost") == 0)
+    return (config_set (&verify_host, value));
   else if (strcasecmp (key, "CACert") == 0)
     return (config_set (&cacert, value));
   else
@@ -550,6 +558,16 @@ static int ascent_init (void) /* {{{ */
 
   curl_easy_setopt (curl, CURLOPT_URL, url);
 
+  if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+  else
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+
+  if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+  else
+    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+
   if (cacert != NULL)
     curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
 
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 2c4ff46..2b3dedf 100644
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -232,6 +232,19 @@ Optional user name needed for authentication.
 
 Optional password needed for authentication.
 
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
 =item B<CACert> I<File>
 
 File that holds one or more SSL certificates. If you want to use HTTPS you will
-- 
1.5.5.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.verplant.org/pipermail/collectd/attachments/20080601/d78af5ca/attachment.pgp

More information about the collectd mailing list