From: Ingmar Runge
Date: Sun, 20 Jul 2014 12:15:22 +0000 (+0200)
Subject: write_http: expose more TLS options
X-Git-Tag: collectd-5.5.0~295^2
X-Git-Url: https://git.octo.it/?p=collectd.git;a=commitdiff_plain;h=6d2bcca22dcc73bbc8461770ad8457c57d580a0c

write_http: expose more TLS options

* adds support for client certificate authentication
* allows setting CAPath
* allows forcing a specific SSL/TLS version
---

diff --git a/src/write_http.c b/src/write_http.c
index ed8d8342..6dc7b364 100644
--- a/src/write_http.c
+++ b/src/write_http.c
@@ -49,6 +49,11 @@ struct wh_callback_s
 _Bool verify_peer;
 _Bool verify_host;
 char *cacert;
+ char *capath;
+ char *clientkey;
+ char *clientcert;
+ char *clientkeypass;
+ long sslversion;
 _Bool store_rates;
 #define WH_FORMAT_COMMAND 0
@@ -150,8 +155,20 @@ static int wh_callback_init (wh_callback_t *cb) /* {{{ */
 curl_easy_setopt (cb->curl, CURLOPT_SSL_VERIFYPEER, (long) cb->verify_peer);
 curl_easy_setopt (cb->curl, CURLOPT_SSL_VERIFYHOST, cb->verify_host ? 2L : 0L);
+ curl_easy_setopt (cb->curl, CURLOPT_SSLVERSION, cb->sslversion);
 if (cb->cacert != NULL)
 curl_easy_setopt (cb->curl, CURLOPT_CAINFO, cb->cacert);
+ if (cb->capath != NULL)
+ curl_easy_setopt (cb->curl, CURLOPT_CAPATH, cb->capath);
+
+ if (cb->clientkey != NULL && cb->clientcert != NULL)
+ {
+ curl_easy_setopt (cb->curl, CURLOPT_SSLKEY, cb->clientkey);
+ curl_easy_setopt (cb->curl, CURLOPT_SSLCERT, cb->clientcert);
+
+ if (cb->clientkeypass != NULL)
+ curl_easy_setopt (cb->curl, CURLOPT_SSLKEYPASSWD, cb->clientkeypass);
+ }
 wh_reset_buffer (cb);
@@ -269,6 +286,10 @@ static void wh_callback_free (void *data) /* {{{ */
 sfree (cb->pass);
 sfree (cb->credentials);
 sfree (cb->cacert);
+ sfree (cb->capath);
+ sfree (cb->clientkey);
+ sfree (cb->clientcert);
+ sfree (cb->clientkeypass);
 sfree (cb);
 } /* }}} void wh_callback_free */
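Review bot: The five new fields in `struct wh_callback_s` carry no comment, so nothing marks `clientkeypass` as a plaintext secret or says what range `sslversion` holds. A one-line comment per field would help the next reader, for example `char *clientkeypass; /* plaintext passphrase for clientkey, handed to libcurl as CURLOPT_SSLKEYPASSWD */` and `long sslversion; /* a CURL_SSLVERSION_* value; CURL_SSLVERSION_DEFAULT unless SSLVersion is configured */`. The struct definition starts and ends outside this hunk.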
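Review bot: A half-configured client certificate is silently ignored by the `if (cb->clientkey != NULL && cb->clientcert != NULL)` guard in wh_callback_init, so ClientCert without ClientKey (or ClientKeyPass on its own) degrades to an unauthenticated connection with no diagnostic. An `else if (cb->clientkey != NULL || cb->clientcert != NULL || cb->clientkeypass != NULL) ERROR ("write_http plugin: ClientKey and ClientCert must both be set; client certificate authentication is disabled.");` branch would make the misconfiguration visible. The new `CURLOPT_SSLVERSION` call is likewise unchecked, like the surrounding setopt calls, but this one is a security control: if the linked TLS backend cannot honour the requested version the call fails and the connection stays on libcurl's default, so its return value in particular is worth comparing against CURLE_OK and logging. wh_callback_init starts before this hunk and continues after it.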
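Review bot: `sfree (cb->clientkeypass)` releases the plaintext key passphrase without wiping it, so it remains readable in freed heap memory (the existing `sfree (cb->pass)` on the line above has the same property). Wipe it first with a call the compiler cannot drop as a dead store, e.g. `if (cb->clientkeypass != NULL) explicit_bzero (cb->clientkeypass, strlen (cb->clientkeypass));` where the platform provides it, or a volatile-pointer loop otherwise, since a plain `memset` immediately before `free` may be optimised away. wh_callback_free starts before this hunk.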
@@ -474,15 +495,10 @@ static int wh_config_url (oconfig_item_t *ci) /* {{{ */
 return (-1);
 }
 memset (cb, 0, sizeof (*cb));
- cb->location = NULL;
- cb->user = NULL;
- cb->pass = NULL;
- cb->credentials = NULL;
 cb->verify_peer = 1;
 cb->verify_host = 1;
- cb->cacert = NULL;
 cb->format = WH_FORMAT_COMMAND;
- cb->curl = NULL;
+ cb->sslversion = CURL_SSLVERSION_DEFAULT;
 pthread_mutex_init (&cb->send_lock, /* attr = */ NULL);
@@ -504,6 +520,42 @@ static int wh_config_url (oconfig_item_t *ci) /* {{{ */
 cf_util_get_boolean (child, &cb->verify_host);
 else if (strcasecmp ("CACert", child->key) == 0)
 cf_util_get_string (child, &cb->cacert);
+ else if (strcasecmp ("CAPath", child->key) == 0)
+ cf_util_get_string (child, &cb->capath);
+ else if (strcasecmp ("ClientKey", child->key) == 0)
+ cf_util_get_string (child, &cb->clientkey);
+ else if (strcasecmp ("ClientCert", child->key) == 0)
+ cf_util_get_string (child, &cb->clientcert);
+ else if (strcasecmp ("ClientKeyPass", child->key) == 0)
+ cf_util_get_string (child, &cb->clientkeypass);
+ else if (strcasecmp ("SSLVersion", child->key) == 0)
+ {
+ char *value = NULL;
+
+ cf_util_get_string (child, &value);
+
+ if (value == NULL || strcasecmp ("default", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_DEFAULT;
+ else if (strcasecmp ("SSLv2", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_SSLv2;
+ else if (strcasecmp ("SSLv3", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_SSLv3;
+ else if (strcasecmp ("TLSv1", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_TLSv1;
+#if (LIBCURL_VERSION_MAJOR > 7) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 34)
+ else if (strcasecmp ("TLSv1_0", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_TLSv1_0;
+ else if (strcasecmp ("TLSv1_1", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_TLSv1_1;
+ else if (strcasecmp ("TLSv1_2", value) == 0)
+ cb->sslversion = CURL_SSLVERSION_TLSv1_2;
+#endif
+ else
+ ERROR ("write_http plugin: Invalid SSLVersion "
+ "option: %s.", value);
+
+ sfree(value);
+ }
 else if (strcasecmp ("Format", child->key) == 0)
 config_set_format (cb, child);
 else if (strcasecmp ("StoreRates", child->key) == 0)
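Review bot: An unrecognised SSLVersion is logged with ERROR but then ignored: `cb->sslversion` keeps CURL_SSLVERSION_DEFAULT and configuration continues, so an operator who asked for a specific protocol version silently gets whatever libcurl negotiates; the same fail-open happens when `cf_util_get_string` fails, because its return value is unchecked and a NULL `value` is treated as "default". A forced protocol version is a security control and should fail closed: check the `cf_util_get_string` status and, in the final `else`, abort this URL block, e.g. `sfree (value); wh_callback_free (cb); return (-1);` (wh_callback_free is the existing teardown; confirm it is safe on a callback that has only been memset and had its mutex initialised, as is the case at this point). On libcurl older than 7.34 the `#if` gate makes `TLSv1_0`/`TLSv1_1`/`TLSv1_2` fall into the same "Invalid SSLVersion" message, so the message could say the name is not supported by the linked libcurl rather than calling it invalid. wh_config_url starts before this hunk and continues after it.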