From 3191e7d4d5996818d0ea4d0cd6cd6e6b2f4ac63a Mon Sep 17 00:00:00 2001 From: Dani Louca Date: Fri, 3 Dec 2021 15:54:15 -0500 Subject: [PATCH] Fix cert validation Signed-off-by: Dani Louca --- pkg/monitors/http/http.go | 43 +++++++++++---------------------------- 1 file changed, 12 insertions(+), 31 deletions(-) diff --git a/pkg/monitors/http/http.go b/pkg/monitors/http/http.go index e43e656731..e2768b8fb4 100644 --- a/pkg/monitors/http/http.go +++ b/pkg/monitors/http/http.go @@ -3,7 +3,6 @@ package http import ( "context" "crypto/tls" - "crypto/x509" "fmt" "io" "io/ioutil" @@ -131,7 +130,7 @@ func (m *Monitor) Configure(conf *Config) (err error) { } } } else { - logger.WithError(err).Error("Failed gathering HTTP stats, ignore other stats") + logger.WithError(err).Error("Failed gathering all HTTP stats, ignore TLS stats and push what we've successfully collected") } for i := range dps { @@ -214,15 +213,20 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap serverName = host } + dimensions := map[string]string{ + "server_name": host, + "sni_server_name": serverName, + } + ipConn, err := net.Dial("tcp", host+":"+port) if err != nil { + logger.WithError(err).Error("connection failed to host during TLS stat collection") return } defer ipConn.Close() tlsCfg := &tls.Config{ - InsecureSkipVerify: m.conf.SkipVerify, - ServerName: serverName, + ServerName: serverName, } if _, err := auth.TLSConfig(tlsCfg, m.conf.CACertPath, m.conf.ClientCertPath, m.conf.ClientKeyPath); err != nil { @@ -237,34 +241,11 @@ func (m *Monitor) getTLSStats(site *url.URL, logger *logrus.Entry) (dps []*datap err = conn.Handshake() if err != nil { - logger.WithError(err).Error("failed during handshake") + logger.WithError(err).Debug("cert verification failed during handshake") valid = 0 - } - - certs := conn.ConnectionState().PeerCertificates - for i, cert := range certs { - opts := x509.VerifyOptions{ - Intermediates: x509.NewCertPool(), - } - if i == 0 { - opts.DNSName = serverName - for j, cert := range certs { - if j != 0 { - opts.Intermediates.AddCert(cert) - } - } - secondsLeft = time.Until(cert.NotAfter).Seconds() - } - _, err := cert.Verify(opts) - if err != nil { - logger.WithError(err).Debug("failed verify certificate") - valid = 0 - } - } - - dimensions := map[string]string{ - "server_name": host, - "sni_server_name": serverName, + } else { + cert := conn.ConnectionState().PeerCertificates[0] + secondsLeft = time.Until(cert.NotAfter).Seconds() } dps = append(dps,