From: Florian Forster Date: Tue, 5 Dec 2017 11:15:00 +0000 (+0100) Subject: grpc plugin: Implement the VerifyPeer option for servers. X-Git-Tag: collectd-5.9.0~332^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9efc026712b693670bbde6ebd5e015778ae1afdf;p=thirdparty%2Fcollectd.git grpc plugin: Implement the VerifyPeer option for servers.
---
diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index 4efa29e45..2b54a6e2f 100644
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
@@ -643,6 +643,7 @@
 # SSLCACertificateFile "/path/to/root.pem"
 # SSLCertificateFile "/path/to/client.pem"
 # SSLCertificateKeyFile "/path/to/client.key"
+# VerifyPeer true
 #
 #
 
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 0e7a60464..c8cd7e51e 100644
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
@@ -3094,6 +3094,13 @@ Whether to enable SSL for incoming connections. Default: false.
 Filenames specifying SSL certificate and key material to be used with SSL
 connections.
 
+=item B B|B
+
+When enabled, a valid client certificate is required to connect to the server.
+When disabled, a client certifiacte is not requested and any unsolicited client
+certificate is accepted.
+Enabled by default.
+
 =back
 
 =back
diff --git a/src/grpc.cc b/src/grpc.cc
index 0f5cfec04..87ef754a3 100644
--- a/src/grpc.cc
+++ b/src/grpc.cc
@@ -626,7 +626,8 @@ static int c_grpc_config_listen(oconfig_item_t *ci) {
 listener.port = grpc::string(ci->values[1].value.string);
 listener.ssl = nullptr;
 
- auto ssl_opts = new (grpc::SslServerCredentialsOptions);
+ auto ssl_opts = new grpc::SslServerCredentialsOptions(
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
 grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {};
 bool use_ssl = false;
 
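Review bot: Passing GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY to the constructor changes the behaviour of every existing EnableSSL listener that does not set VerifyPeer: the removed `new (grpc::SslServerCredentialsOptions)` left `client_certificate_request` at the library default, which I believe is GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, so clients that never presented a certificate will be rejected after an upgrade. Requiring and verifying the client certificate is the right default, but the pod entry's "Enabled by default" does not say this is a change for existing deployments, and a comment on the new line such as `// Secure default; VerifyPeer false (below) relaxes this to not requesting a client certificate.` records why the value is passed explicitly. `ssl_opts` remains a raw `new` with no visible owner; if it is only consumed by grpc::SslServerCredentials further down it could be a local or a std::unique_ptr, but that code is outside the hunk. c_grpc_config_listen starts and ends outside this hunk.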
@@ -659,6 +660,14 @@ static int c_grpc_config_listen(oconfig_item_t *ci) {
 return -1;
 }
 pkcp.cert_chain = read_file(cert);
+ } else if (!strcasecmp("VerifyPeer", child->key)) {
+ _Bool verify = 0;
+ if (cf_util_get_boolean(child, &verify)) {
+ return -1;
+ }
+ ssl_opts->client_certificate_request =
+ verify ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+ : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
 } else {
 WARNING("grpc: Option `%s` not allowed in <%s> block.", child->key,
 ci->key);
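Review bot: The new VerifyPeer branch writes `ssl_opts->client_certificate_request` without consulting `use_ssl`, so `VerifyPeer true` on a listener whose EnableSSL is off is presumably accepted silently while authenticating nobody; a `WARNING` when the option is set on a non-SSL listener, or at least a pod sentence saying VerifyPeer only takes effect together with EnableSSL, would make that visible to operators (the code that applies ssl_opts is outside this hunk). Mapping false to GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE disables client authentication entirely rather than making it optional-but-checked; if the intent is "verify a certificate when one is presented", gRPC's GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY is the closer value, and either way a comment above the assignment such as `// VerifyPeer false: any TLS peer may write to this listener; no certificate is requested or checked.` should state the consequence. `_Bool verify = 0;` is C spelling in a C++ file whose same function declares `bool use_ssl = false;`; `bool verify = false;` keeps the two consistent. The `return -1;` added after cf_util_get_boolean leaks the `ssl_opts` allocated with `new` earlier in the function, as the pre-existing `return -1;` sites in this loop appear to as well. c_grpc_config_listen starts and ends outside the hunk.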