Re: [pve-devel] [PATCH manager] Status/InfluxDB: add 'ssl-verify' option to disable ssl verification

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

On 27.07.21 07:51, Dominik Csapak wrote:
> Makes it easier to test https without creating a valid certificate or
> adding a ca to the ca-certificate store.


in general OK but I'd like to stream-line the property name a bit, we have

* `verify` for access domains/realms
* `verify-certificates` (weird that we used the plural) for download-url
* .. other ones?

While still often used, SSL is pretty much dead on it's own, TLS would be a better fit
these days, but we widely use the former in the GUI.
Any how, I'd like to keep it close(r) to what we have now and avoid encoding already
dated technologies (even if this one will be probably still understood in 30 years ^^).

Generally I'd find `verify-certificate` (the plural would just a little bit weird, or?)
OK, and I'd also like if one can also set the fingerprint optionally here, or in an
extra option; as that can make it secure and easy for the homelab/gapped net with a CA
and a cert with, e.g., 10y lifetime. But not a hard requirement for the latter from me.

So, looks ok, would rethink the property name and factor out setting the options on $ua,
see below for the latter.

> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  PVE/Status/InfluxDB.pm | 23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/Status/InfluxDB.pm b/PVE/Status/InfluxDB.pm
> index fcb28800..6f0f8da6 100644
> --- a/PVE/Status/InfluxDB.pm
> +++ b/PVE/Status/InfluxDB.pm
> @@ -55,7 +55,13 @@ sub properties {
>  	    type => 'integer',
>  	    minimum => 1,
>  	    default => 25_000_000,
> -	}
> +	},
> +	'ssl-verify' => {
> +	    description => "Set to 0 to disable ssl verification for https endpoints.",
> +	    type => 'boolean',
> +	    optional => 1,
> +	    default => 1,
> +	},
>      };
>  }
>  sub options {
> @@ -71,6 +77,7 @@ sub options {
>  	timeout => { optional => 1},
>  	'max-body-size' => { optional => 1 },
>  	'api-path-prefix' => { optional => 1 },
> +	'ssl-verify' => { optional => 1 },
>     };
>  }
>  
> @@ -141,10 +148,17 @@ sub send {
>      my ($class, $connection, $data, $cfg) = @_;
>  
>      my $proto = $cfg->{influxdbproto} // 'udp';
> +    my $ssl_verify = $cfg->{'ssl-verify'} // 1;
>      if ($proto eq 'udp') {
>  	return $class->SUPER::send($connection, $data, $cfg);
>      } elsif ($proto =~ m/^https?$/) {
>  	my $ua = LWP::UserAgent->new();
> +	if (!$ssl_verify) {
> +	    $ua->ssl_opts(
> +		verify_hostname => 0,

may not matter much, but why not verify the hostname?

> +		SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> +	    );
> +	}
>  	$ua->timeout($cfg->{timeout} // 1);
>  	$connection->content($data);
>  	my $response = $ua->request($connection);
> @@ -223,11 +237,18 @@ sub test_connection {
>      my ($class, $cfg, $id) = @_;
>  
>      my $proto = $cfg->{influxdbproto} // 'udp';
> +    my $ssl_verify = $cfg->{'ssl-verify'} // 1;
>      if ($proto eq 'udp') {
>  	return $class->SUPER::test_connection($cfg, $id);
>      } elsif ($proto =~ m/^https?$/) {
>  	my $url = _get_v2url($cfg, "health");
>  	my $ua = LWP::UserAgent->new();
> +	if (!$ssl_verify) {
> +	    $ua->ssl_opts(
> +		verify_hostname => 0,
> +		SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> +	    );
> +	}

I'd factor that out in a helper, especially if we'd add fingerprint verification it
get rather big for being there twice.

>  	$ua->timeout($cfg->{timeout} // 1);
>  	# in the initial add connection test, the token may still be in $cfg
>  	my $token = $cfg->{token} // get_credentials($id, 1);
>