From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 55DEB698B1 for ; Tue, 27 Jul 2021 16:32:11 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 41C0F1B50C for ; Tue, 27 Jul 2021 16:31:41 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 9956E1B4FD for ; Tue, 27 Jul 2021 16:31:40 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 757A3416D1 for ; Tue, 27 Jul 2021 16:31:40 +0200 (CEST) Message-ID: Date: Tue, 27 Jul 2021 16:31:39 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.0 Content-Language: en-US To: Proxmox VE development discussion , Dominik Csapak References: <20210727055105.276923-1-d.csapak@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20210727055105.276923-1-d.csapak@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.616 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.438 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [influxdb.pm] Subject: Re: [pve-devel] [PATCH manager] Status/InfluxDB: add 'ssl-verify' option to disable ssl verification X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jul 2021 14:32:11 -0000 On 27.07.21 07:51, Dominik Csapak wrote: > Makes it easier to test https without creating a valid certificate or > adding a ca to the ca-certificate store. in general OK but I'd like to stream-line the property name a bit, we have * `verify` for access domains/realms * `verify-certificates` (weird that we used the plural) for download-url * .. other ones? While still often used, SSL is pretty much dead on it's own, TLS would be a better fit these days, but we widely use the former in the GUI. Any how, I'd like to keep it close(r) to what we have now and avoid encoding already dated technologies (even if this one will be probably still understood in 30 years ^^). Generally I'd find `verify-certificate` (the plural would just a little bit weird, or?) OK, and I'd also like if one can also set the fingerprint optionally here, or in an extra option; as that can make it secure and easy for the homelab/gapped net with a CA and a cert with, e.g., 10y lifetime. But not a hard requirement for the latter from me. So, looks ok, would rethink the property name and factor out setting the options on $ua, see below for the latter. > Signed-off-by: Dominik Csapak > --- > PVE/Status/InfluxDB.pm | 23 ++++++++++++++++++++++- > 1 file changed, 22 insertions(+), 1 deletion(-) > > diff --git a/PVE/Status/InfluxDB.pm b/PVE/Status/InfluxDB.pm > index fcb28800..6f0f8da6 100644 > --- a/PVE/Status/InfluxDB.pm > +++ b/PVE/Status/InfluxDB.pm > @@ -55,7 +55,13 @@ sub properties { > type => 'integer', > minimum => 1, > default => 25_000_000, > - } > + }, > + 'ssl-verify' => { > + description => "Set to 0 to disable ssl verification for https endpoints.", > + type => 'boolean', > + optional => 1, > + default => 1, > + }, > }; > } > sub options { > @@ -71,6 +77,7 @@ sub options { > timeout => { optional => 1}, > 'max-body-size' => { optional => 1 }, > 'api-path-prefix' => { optional => 1 }, > + 'ssl-verify' => { optional => 1 }, > }; > } > > @@ -141,10 +148,17 @@ sub send { > my ($class, $connection, $data, $cfg) = @_; > > my $proto = $cfg->{influxdbproto} // 'udp'; > + my $ssl_verify = $cfg->{'ssl-verify'} // 1; > if ($proto eq 'udp') { > return $class->SUPER::send($connection, $data, $cfg); > } elsif ($proto =~ m/^https?$/) { > my $ua = LWP::UserAgent->new(); > + if (!$ssl_verify) { > + $ua->ssl_opts( > + verify_hostname => 0, may not matter much, but why not verify the hostname? > + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > + ); > + } > $ua->timeout($cfg->{timeout} // 1); > $connection->content($data); > my $response = $ua->request($connection); > @@ -223,11 +237,18 @@ sub test_connection { > my ($class, $cfg, $id) = @_; > > my $proto = $cfg->{influxdbproto} // 'udp'; > + my $ssl_verify = $cfg->{'ssl-verify'} // 1; > if ($proto eq 'udp') { > return $class->SUPER::test_connection($cfg, $id); > } elsif ($proto =~ m/^https?$/) { > my $url = _get_v2url($cfg, "health"); > my $ua = LWP::UserAgent->new(); > + if (!$ssl_verify) { > + $ua->ssl_opts( > + verify_hostname => 0, > + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > + ); > + } I'd factor that out in a helper, especially if we'd add fingerprint verification it get rather big for being there twice. > $ua->timeout($cfg->{timeout} // 1); > # in the initial add connection test, the token may still be in $cfg > my $token = $cfg->{token} // get_credentials($id, 1); >