
Commit f8c7817

Revert "Fix cert validation"
This reverts commit e83faf3.
1 parent 3d84d33 commit f8c7817


1 file changed

+31
-12
lines changed


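--- a/pkg/monitors/http/http.go
+++ b/pkg/monitors/http/http.go
@@ -3,6 +3,7 @@ package http
 import (
 "context"
 "crypto/tls"
+"crypto/x509"
 "fmt"
 "io"
 "io/ioutil"
@@ -130,7 +131,7 @@ func (m *Monitor) Configure(conf *Config) (err error) {
 }
 }
 } else {
-logger.WithError(err).Error("Failed gathering all HTTP stats, ignore TLS stats and push what we've successfully collected")
+logger.WithError(err).Error("Failed gathering HTTP stats, ignore other stats")
 }
 
 for i := range dps {
@@ -213,20 +214,15 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap
 serverName = host
 }
 
-dimensions := map[string]string{
-"server_name": host,
-"sni_server_name": serverName,
-}
-
 ipConn, err := net.Dial("tcp", host+":"+port)
 if err != nil {
-logger.WithError(err).Error("connection failed to host during TLS stat collection")
 return
 }
 defer ipConn.Close()
 
 tlsCfg := &tls.Config{
-ServerName: serverName,
+InsecureSkipVerify: m.conf.SkipVerify,
+ServerName: serverName,
 }
 
 if _, err := auth.TLSConfig(tlsCfg, m.conf.CACertPath, m.conf.ClientCertPath, m.conf.ClientKeyPath); err != nil {
@@ -241,11 +237,34 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap
 
 err = conn.Handshake()
 if err != nil {
-logger.WithError(err).Debug("cert verification failed during handshake")
+logger.WithError(err).Error("failed during handshake")
 valid = 0
-} else {
-cert := conn.ConnectionState().PeerCertificates[0]
-secondsLeft = time.Until(cert.NotAfter).Seconds()
+}
+
+certs := conn.ConnectionState().PeerCertificates
+for i, cert := range certs {
+opts := x509.VerifyOptions{
+Intermediates: x509.NewCertPool(),
+}
+if i == 0 {
+opts.DNSName = serverName
+for j, cert := range certs {
+if j != 0 {
+opts.Intermediates.AddCert(cert)
+}
+}
+secondsLeft = time.Until(cert.NotAfter).Seconds()
+}
+_, err := cert.Verify(opts)
+if err != nil {
+logger.WithError(err).Debug("failed verify certificate")
+valid = 0
+}
+}
+
+dimensions := map[string]string{
+"server_name": host,
+"sni_server_name": serverName,
 }
 
 dps = append(dps,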
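Review bot: The manual verification loop reintroduced in the last hunk never sets `opts.Roots`, so `cert.Verify` always falls back to the system root pool and ignores whatever trust anchor `auth.TLSConfig` installs from `m.conf.CACertPath` (presumably into `tlsCfg.RootCAs`; confirm in the `auth` package) — an endpoint signed by a private CA will be reported with `valid = 0` even though the monitor is configured to trust it. The loop also verifies every non-leaf certificate on its own with an empty `Intermediates` pool, which fails for any chain deeper than leaf→intermediate→root and again forces `valid = 0` on otherwise-good chains. Since `InsecureSkipVerify` is now driven by `m.conf.SkipVerify`, this loop is the only verification left when that flag is set, so its result should be trustworthy: verify only the leaf, hand it the other presented certificates as intermediates, and reuse the configured roots. `getTLSStats` begins before and continues after this hunk.
```go
certs := conn.ConnectionState().PeerCertificates
if len(certs) > 0 {
	leaf := certs[0]
	opts := x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         tlsCfg.RootCAs, // nil means the system pool
		Intermediates: x509.NewCertPool(),
	}
	for _, c := range certs[1:] {
		opts.Intermediates.AddCert(c)
	}
	secondsLeft = time.Until(leaf.NotAfter).Seconds()
	if _, err := leaf.Verify(opts); err != nil {
		logger.WithError(err).Debug("failed verify certificate")
		valid = 0
	}
}
// … unchanged: dimensions map and dps append …
```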
