TLS support for HTTP handler #20

Open
keeprocking opened this issue Aug 27, 2017 · 11 comments

@keeprocking
Owner

As pointed out in #1 (comment), HTTPS support should be added.

@keeprocking
Owner Author

Unfortunately, no success with testing locally with self-signed certificates.

What I've tried:

  • generate a key-cert pair for CA
  • generate a server key and sign its cert with CA key
  • set up an HTTP input with TLS enabled and specify server key-cert pair
  • use CA cert when doing an HTTP request from client

Any help is appreciated.

@chilledornaments
Contributor

Hey @keeprocking are you still looking for help on this?

@keeprocking
Owner Author

Yep.

If you are willing to help, that would be great.

@chilledornaments
Contributor

#45 adds a new GelfHttpsHandler class. I've put some details in the PR.

I did not add any tests. I can give that a go this week.

@keeprocking
Owner Author

Thanks a lot for this!

Unfortunately, I caught a cold or something but will try to look into this as soon as possible - please give me some time. 🙂

As for the tests: that would be great. A new Graylog handler should be added to the bootstrap script (https://github.com/keeprocking/pygelf/blob/master/tests/config/bootstrap) and then just extend existing tests with a new logging handler.

@chilledornaments
Contributor

chilledornaments commented Aug 18, 2020

No rush - hope you feel better soon!

I added tests for the new handler. They all pass locally. However, I'm not able to get tests to pass with certificate verification. Still working on that.

@chilledornaments
Contributor

Ah, ok, I'm able to run tests with certificate verification now.

There are two issues with the TLS tests currently:

  1. The certificate in tests/config/ is expired
  2. Graylog throws "File does not contain valid private key" when the private key is protected by a passphrase. There was a post in the Graylog community about this.

I can include a new unencrypted keypair in the PR if you'd like, along with a change to the bootstrap script to not supply tls_key_password when creating TLS-enabled inputs.
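
The second problem in the comment above, a passphrase-protected key being rejected, can be caught before a TLS input is created by inspecting the PEM text. The following is an added example, not part of the thread or of pygelf; the function names and the sample PEM blocks (placeholder bodies, no real key material) are assumptions made for illustration.

```python
import re

# A PEM block: BEGIN line, optional RFC 1421 style headers, base64 body, END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed samples: the bodies are placeholder text, not real keys.
PLAIN_PKCS8 = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
ENC_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def classify_private_keys(pem_text):
    """Return [(label, encrypted)] for every private key block in pem_text."""
    results = []
    for match in _PEM_BLOCK.finditer(pem_text):
        label = match.group("label")
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and other blocks are skipped
        # PKCS#8 encrypted keys say so in the label itself.
        pkcs8 = label == "ENCRYPTED PRIVATE KEY"
        # Traditional OpenSSL keys keep the plain label and add a header line.
        legacy = re.search(r"^Proc-Type:\s*4\s*,\s*ENCRYPTED\s*$",
                           match.group("body"), re.MULTILINE) is not None
        results.append((label, pkcs8 or legacy))
    return results


def check_key_is_unencrypted(pem_text):
    """Raise ValueError if no key is present or any key needs a passphrase."""
    keys = classify_private_keys(pem_text)
    if not keys:
        raise ValueError("no private key block found")
    protected = [label for label, encrypted in keys if encrypted]
    if protected:
        raise ValueError("passphrase-protected key: " + ", ".join(protected))
    return keys
```
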

@keeprocking
Owner Author

Smee again, alive and well. 😉

> I can include a new unencrypted keypair in the PR if you'd like

Yes, please do - that'd be awesome.

@chilledornaments
Contributor

Done! I uncommented tests for GelfTlsHandler as well, they pass locally.

I included a slightly modified version of the /etc/pki/tls/certs/make-dummy-cert script that OpenSSL installs on RHEL so that one can easily create new keys. I've been testing with a keypair made by this script that's signed for localhost, which explains why some of the tests use localhost instead of 127.0.0.1.

I also added a step in the bootstrap script to fix ownership and permissions on tests/config/key.pem.

@keeprocking
Owner Author

You did a truly amazing job here, thank you so much!

The PR is merged into master.

@chilledornaments
Contributor

Happy to help!
