From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <t.lamprecht@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id 55DEB698B1
for <pve-devel@lists.proxmox.com>; Tue, 27 Jul 2021 16:32:11 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 41C0F1B50C
for <pve-devel@lists.proxmox.com>; Tue, 27 Jul 2021 16:31:41 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS id 9956E1B4FD
for <pve-devel@lists.proxmox.com>; Tue, 27 Jul 2021 16:31:40 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 757A3416D1
for <pve-devel@lists.proxmox.com>; Tue, 27 Jul 2021 16:31:40 +0200 (CEST)
Message-ID: <cd2d5438-32d9-f2b1-30cc-a6676449973f@proxmox.com>
Date: Tue, 27 Jul 2021 16:31:39 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.0
Content-Language: en-US
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Dominik Csapak <d.csapak@proxmox.com>
References: <20210727055105.276923-1-d.csapak@proxmox.com>
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
In-Reply-To: <20210727055105.276923-1-d.csapak@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.616 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
NICE_REPLY_A -0.438 Looks like a legit reply (A)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
information. [influxdb.pm]
Subject: Re: [pve-devel] [PATCH manager] Status/InfluxDB: add 'ssl-verify'
option to disable ssl verification
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 14:32:11 -0000
On 27.07.21 07:51, Dominik Csapak wrote:
> Makes it easier to test https without creating a valid certificate or
> adding a ca to the ca-certificate store.
in general OK but I'd like to stream-line the property name a bit, we have
* `verify` for access domains/realms
* `verify-certificates` (weird that we used the plural) for download-url
* .. other ones?
While still often used, SSL is pretty much dead on it's own, TLS would be a better fit
these days, but we widely use the former in the GUI.
Any how, I'd like to keep it close(r) to what we have now and avoid encoding already
dated technologies (even if this one will be probably still understood in 30 years ^^).
Generally I'd find `verify-certificate` (the plural would just a little bit weird, or?)
OK, and I'd also like if one can also set the fingerprint optionally here, or in an
extra option; as that can make it secure and easy for the homelab/gapped net with a CA
and a cert with, e.g., 10y lifetime. But not a hard requirement for the latter from me.
So, looks ok, would rethink the property name and factor out setting the options on $ua,
see below for the latter.
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> PVE/Status/InfluxDB.pm | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/Status/InfluxDB.pm b/PVE/Status/InfluxDB.pm
> index fcb28800..6f0f8da6 100644
> --- a/PVE/Status/InfluxDB.pm
> +++ b/PVE/Status/InfluxDB.pm
> @@ -55,7 +55,13 @@ sub properties {
> type => 'integer',
> minimum => 1,
> default => 25_000_000,
> - }
> + },
> + 'ssl-verify' => {
> + description => "Set to 0 to disable ssl verification for https endpoints.",
> + type => 'boolean',
> + optional => 1,
> + default => 1,
> + },
> };
> }
> sub options {
> @@ -71,6 +77,7 @@ sub options {
> timeout => { optional => 1},
> 'max-body-size' => { optional => 1 },
> 'api-path-prefix' => { optional => 1 },
> + 'ssl-verify' => { optional => 1 },
> };
> }
>
> @@ -141,10 +148,17 @@ sub send {
> my ($class, $connection, $data, $cfg) = @_;
>
> my $proto = $cfg->{influxdbproto} // 'udp';
> + my $ssl_verify = $cfg->{'ssl-verify'} // 1;
> if ($proto eq 'udp') {
> return $class->SUPER::send($connection, $data, $cfg);
> } elsif ($proto =~ m/^https?$/) {
> my $ua = LWP::UserAgent->new();
> + if (!$ssl_verify) {
> + $ua->ssl_opts(
> + verify_hostname => 0,
may not matter much, but why not verify the hostname?
> + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> + );
> + }
> $ua->timeout($cfg->{timeout} // 1);
> $connection->content($data);
> my $response = $ua->request($connection);
> @@ -223,11 +237,18 @@ sub test_connection {
> my ($class, $cfg, $id) = @_;
>
> my $proto = $cfg->{influxdbproto} // 'udp';
> + my $ssl_verify = $cfg->{'ssl-verify'} // 1;
> if ($proto eq 'udp') {
> return $class->SUPER::test_connection($cfg, $id);
> } elsif ($proto =~ m/^https?$/) {
> my $url = _get_v2url($cfg, "health");
> my $ua = LWP::UserAgent->new();
> + if (!$ssl_verify) {
> + $ua->ssl_opts(
> + verify_hostname => 0,
> + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> + );
> + }
I'd factor that out in a helper, especially if we'd add fingerprint verification it
get rather big for being there twice.
> $ua->timeout($cfg->{timeout} // 1);
> # in the initial add connection test, the token may still be in $cfg
> my $token = $cfg->{token} // get_credentials($id, 1);
>