Fix cert validation (#2020)

Signed-off-by: Dani Louca <dlouca@splunk.com>
signalfx · Dec 13, 2021 · 5b271a8 · 5b271a8
1 parent aadc81c
commit 5b271a8
Showing 1 changed file with 12 additions and 31 deletions.
diff --git a/pkg/monitors/http/http.go b/pkg/monitors/http/http.go
@@ -3,7 +3,6 @@ package http
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -131,7 +130,7 @@ func (m *Monitor) Configure(conf *Config) (err error) {
 					}
 				}
 			} else {
-				logger.WithError(err).Error("Failed gathering HTTP stats, ignore other stats")
+				logger.WithError(err).Error("Failed gathering all HTTP stats, ignore TLS stats and push what we've successfully collected")
 			}
 
 			for i := range dps {
@@ -214,15 +213,20 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap
 		serverName = host
 	}
 
+	dimensions := map[string]string{
+		"server_name":     host,
+		"sni_server_name": serverName,
+	}
+
 	ipConn, err := net.Dial("tcp", host+":"+port)
 	if err != nil {
+		logger.WithError(err).Error("connection failed to host during TLS stat collection")
 		return
 	}
 	defer ipConn.Close()
 
 	tlsCfg := &tls.Config{
-		InsecureSkipVerify: m.conf.SkipVerify,
-		ServerName:         serverName,
+		ServerName: serverName,
 	}
 
 	if _, err := auth.TLSConfig(tlsCfg, m.conf.CACertPath, m.conf.ClientCertPath, m.conf.ClientKeyPath); err != nil {
@@ -237,34 +241,11 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap
 
 	err = conn.Handshake()
 	if err != nil {
-		logger.WithError(err).Error("failed during handshake")
+		logger.WithError(err).Debug("cert verification failed during handshake")
 		valid = 0
-	}
-
-	certs := conn.ConnectionState().PeerCertificates
-	for i, cert := range certs {
-		opts := x509.VerifyOptions{
-			Intermediates: x509.NewCertPool(),
-		}
-		if i == 0 {
-			opts.DNSName = serverName
-			for j, cert := range certs {
-				if j != 0 {
-					opts.Intermediates.AddCert(cert)
-				}
-			}
-			secondsLeft = time.Until(cert.NotAfter).Seconds()
-		}
-		_, err := cert.Verify(opts)
-		if err != nil {
-			logger.WithError(err).Debug("failed verify certificate")
-			valid = 0
-		}
-	}
-
-	dimensions := map[string]string{
-		"server_name":     host,
-		"sni_server_name": serverName,
+	} else {
+		cert := conn.ConnectionState().PeerCertificates[0]
+		secondsLeft = time.Until(cert.NotAfter).Seconds()
 	}
 
 	dps = append(dps,