On 27.07.21 07:51, Dominik Csapak wrote:
> Makes it easier to test https without creating a valid certificate or
> adding a ca to the ca-certificate store.
in general OK but I'd like to stream-line the property name a bit, we have
* `verify` for access domains/realms
* `verify-certificates` (weird that we used the plural) for download-url
* .. other ones?
While still often used, SSL is pretty much dead on it's own, TLS would be a
better fit
these days, but we widely use the former in the GUI.
Any how, I'd like to keep it close(r) to what we have now and avoid encoding
already
dated technologies (even if this one will be probably still understood in 30
years ^^).
Generally I'd find `verify-certificate` (the plural would just a little bit
weird, or?)
OK, and I'd also like if one can also set the fingerprint optionally here, or
in an
extra option; as that can make it secure and easy for the homelab/gapped net
with a CA
and a cert with, e.g., 10y lifetime. But not a hard requirement for the latter
from me.
So, looks ok, would rethink the property name and factor out setting the
options on $ua,
see below for the latter.
> Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
> ---
> PVE/Status/InfluxDB.pm | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/Status/InfluxDB.pm b/PVE/Status/InfluxDB.pm
> index fcb28800..6f0f8da6 100644
> --- a/PVE/Status/InfluxDB.pm
> +++ b/PVE/Status/InfluxDB.pm
> @@ -55,7 +55,13 @@ sub properties {
> type => 'integer',
> minimum => 1,
> default => 25_000_000,
> - }
> + },
> + 'ssl-verify' => {
> + description => "Set to 0 to disable ssl verification for https
> endpoints.",
> + type => 'boolean',
> + optional => 1,
> + default => 1,
> + },
> };
> }
> sub options {
> @@ -71,6 +77,7 @@ sub options {
> timeout => { optional => 1},
> 'max-body-size' => { optional => 1 },
> 'api-path-prefix' => { optional => 1 },
> + 'ssl-verify' => { optional => 1 },
> };
> }
>
> @@ -141,10 +148,17 @@ sub send {
> my ($class, $connection, $data, $cfg) = @_;
>
> my $proto = $cfg->{influxdbproto} // 'udp';
> + my $ssl_verify = $cfg->{'ssl-verify'} // 1;
> if ($proto eq 'udp') {
> return $class->SUPER::send($connection, $data, $cfg);
> } elsif ($proto =~ m/^https?$/) {
> my $ua = LWP::UserAgent->new();
> + if (!$ssl_verify) {
> + $ua->ssl_opts(
> + verify_hostname => 0,
may not matter much, but why not verify the hostname?
> + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> + );
> + }
> $ua->timeout($cfg->{timeout} // 1);
> $connection->content($data);
> my $response = $ua->request($connection);
> @@ -223,11 +237,18 @@ sub test_connection {
> my ($class, $cfg, $id) = @_;
>
> my $proto = $cfg->{influxdbproto} // 'udp';
> + my $ssl_verify = $cfg->{'ssl-verify'} // 1;
> if ($proto eq 'udp') {
> return $class->SUPER::test_connection($cfg, $id);
> } elsif ($proto =~ m/^https?$/) {
> my $url = _get_v2url($cfg, "health");
> my $ua = LWP::UserAgent->new();
> + if (!$ssl_verify) {
> + $ua->ssl_opts(
> + verify_hostname => 0,
> + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
> + );
> + }
I'd factor that out in a helper, especially if we'd add fingerprint
verification it
get rather big for being there twice.
> $ua->timeout($cfg->{timeout} // 1);
> # in the initial add connection test, the token may still be in $cfg
> my $token = $cfg->{token} // get_credentials($id, 1);
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
