
Add certificate verification status to x509_cert input #6143

Merged
merged 3 commits into from Jul 22, 2019

Conversation

glinton (Member) commented Jul 20, 2019

Resolves #4877

This always sets insecure_skip_verify as it verifies the cert once it's been collected/parsed.

To verify a self-signed cert (remote endpoint or file), set the tls_ca to the self-signing ca, or the self-signed cert itself for validation to be successful.

Alternate to #6139

@glinton glinton added the enhancement label Jul 20, 2019
}

func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certificate, *tls.Config, error) {
tlsCfg, err := c.ClientConfig.TLSConfig()

danielnelson (Contributor) commented Jul 22, 2019

It would make sense to set this up once in an Init function. Since it is used in the parent function, I would have this function take the tls.Config instead of returning it.

fields := getFields(cert, now)
tags := getTags(cert.Subject, location)

opts := x509.VerifyOptions{}
if i == 0 {
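Review bot: opts is created as an empty x509.VerifyOptions{} right before the i == 0 branch, so make sure the pool built from tls_ca is assigned to opts.Roots (and the remaining certificates of the chain to opts.Intermediates) before cert.Verify runs; a nil Roots silently falls back to the system root store, which would make a self-signed certificate report as invalid no matter what tls_ca contains. The i == 0 branch is also where opts.DNSName should be set from the URL hostname, since only the leaf is subject to hostname validation.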

danielnelson (Contributor) commented Jul 22, 2019

Here would be a great place for a comment:

// The first certificate is the leaf/end-entity certificate which needs DNS
// name validation against the URL hostname.
_, err = cert.Verify(opts)
if err == nil {
tags["validation"] = "success"
fields["validation"] = 0

danielnelson (Contributor) commented Jul 22, 2019

Don't name the tag and field with the same key, since it is a bit tricky to query; instead use validation and validation_code.

I'm not totally on board with the validation key: the validation is always a success, it's just that sometimes the cert is invalid. What do you think about verification=valid, verification=invalid? Sending the error is a bit of a new pattern, but I think it will work.

glinton (Author, Member) commented Jul 22, 2019

I do like verification and verification_code

@danielnelson danielnelson added this to the 1.12.0 milestone Jul 22, 2019
@glinton glinton requested a review from danielnelson Jul 22, 2019
} else {
tags["verification"] = "invalid"
fields["verification"] = 1
fields["validation_error"] = err.Error()
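Review bot: the error field is still keyed validation_error while the tag and the numeric field in this branch use verification, and the numeric field shares its key with the tag (tags["verification"] and fields["verification"]); rename the fields to verification_code and verification_error so all three keys share one prefix and the tag no longer collides with a field. Keeping err.Error() in a field rather than a tag is the right call, since the message varies per host and per failure and would otherwise inflate tag cardinality.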

danielnelson (Contributor) commented Jul 22, 2019

verification_error

- fields:
- validation (int)
- validation_error (string)

danielnelson (Contributor) commented Jul 22, 2019

Needs updating

@danielnelson danielnelson merged commit 3e50db9 into master Jul 22, 2019
6 of 8 checks passed
- continuous-integration/appveyor/branch: Waiting for AppVeyor build to complete
- continuous-integration/appveyor/pr: Waiting for AppVeyor build to complete
- ci/circleci: deps: Your tests passed on CircleCI!
- ci/circleci: package: Your tests passed on CircleCI!
- ci/circleci: test-go-1.10: Your tests passed on CircleCI!
- ci/circleci: test-go-1.11: Your tests passed on CircleCI!
- ci/circleci: test-go-1.12: Your tests passed on CircleCI!
- ci/circleci: test-go-1.12-386: Your tests passed on CircleCI!
@danielnelson danielnelson deleted the feat/4877 branch Jul 22, 2019
bitcharmer added a commit to bitcharmer/telegraf that referenced this pull request Oct 18, 2019
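To make the approach discussed in this PR concrete, here is an added Go example; it is not the plugin's code and not taken from the PR. It does what the description and the review comments describe: the chain is assumed to have already been collected by a handshake run with InsecureSkipVerify, the first certificate is treated as the leaf and checked against the URL hostname, the remaining certificates are offered as intermediates, and a certificate pool stands in for what tls_ca would load. The reported names follow the ones agreed in the review (a verification tag plus verification_code and verification_error fields). The private CA, the leaf and the self-signed certificate are generated in memory and are not real certificates; VerifyCollected, Status, newCert, serverTemplate and buildSamplePKI are names of this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status mirrors the names agreed in the review: a "verification" tag plus "verification_code" and "verification_error" fields.
type Status struct {
	Verification     string // "valid" or "invalid"
	VerificationCode int    // 0 when valid, 1 when invalid
	VerificationErr  string // error text when invalid, otherwise empty
}

// VerifyCollected verifies a chain collected by a handshake run with
// InsecureSkipVerify: chain[0] is the leaf and must match dnsName (the URL
// hostname, or "" for a file), chain[1:] are intermediates, roots stands in for tls_ca.
func VerifyCollected(chain []*x509.Certificate, roots *x509.CertPool, dnsName string) Status {
	if len(chain) == 0 {
		return Status{"invalid", 1, "empty certificate chain"}
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{
		Roots:         roots, // empty pool trusts nothing; a nil pool would mean the system store
		Intermediates: intermediates,
		DNSName:       dnsName,
	}
	if _, err := chain[0].Verify(opts); err != nil {
		return Status{"invalid", 1, err.Error()}
	}
	return Status{"valid", 0, ""}
}

// newCert mints a P-256 certificate: self-signed when parent is nil, else signed by parentKey.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func serverTemplate(serial int64, name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// buildSamplePKI generates throwaway material (not real certificates): a private
// CA, a leaf for example.internal it signed, and an unrelated self-signed leaf.
func buildSamplePKI(now time.Time) (ca, leaf, selfSigned *x509.Certificate, err error) {
	caTmpl := serverTemplate(1, "Example Private CA", now)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caTmpl.DNSNames, caTmpl.ExtKeyUsage = nil, nil
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if leaf, _, err = newCert(serverTemplate(2, "example.internal", now), ca, caKey); err != nil {
		return nil, nil, nil, err
	}
	selfSigned, _, err = newCert(serverTemplate(3, "selfsigned.internal", now), nil, nil)
	return ca, leaf, selfSigned, err
}

func main() {
	ca, leaf, selfSigned, err := buildSamplePKI(time.Now())
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // the pool tls_ca would be loaded into
	trusted.AddCert(ca)
	fmt.Printf("%+v\n", VerifyCollected([]*x509.Certificate{leaf, ca}, trusted, "example.internal"))
	fmt.Printf("%+v\n", VerifyCollected([]*x509.Certificate{selfSigned}, trusted, "selfsigned.internal"))
	trusted.AddCert(selfSigned) // point tls_ca at the self-signed cert itself and it verifies
	fmt.Printf("%+v\n", VerifyCollected([]*x509.Certificate{selfSigned}, trusted, "selfsigned.internal"))
}
```

Two things the handshake no longer does once InsecureSkipVerify is set are worth keeping in mind when reading the output. The connection is established whatever the server presents, so the resulting status is a monitoring signal about the chain that was presented, not protection for the connection that fetched it. And the pool handed to Roots decides everything: an empty pool rejects every chain, while a nil pool quietly means the system store, so the tls_ca handling has to produce exactly the pool you intend, which for a self-signed endpoint means the signing CA or that certificate itself, as the PR description says.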