author | Emmanuel Vasilakis <mrzammler@mm.st> | 2022-11-03 16:22:39 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-03 16:22:39 +0200 |
commit | a41ba6db5a55a879cc3f49524eca5a4f6ecf7fe0 (patch) | |
tree | 053c6a479bc02475fc592c827e113814fb0d9363 | |
parent | a19795e85fd1d026171661c7f97bde8f9f7d0b1a (diff) |
Setup default certificates path (#13941)
* setup default certificates path
* change logic
* change default in stream.conf
-rw-r--r-- | libnetdata/socket/security.c | 31 | ||||
-rw-r--r-- | streaming/rrdpush.c | 4 | ||||
-rw-r--r-- | streaming/stream.conf | 17 |
3 files changed, 22 insertions, 30 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 490d8727e2..f7b44049ba 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -357,31 +357,22 @@ int security_test_certificate(SSL *ssl) {
 * @return It returns 0 on success and -1 otherwise.
 */
 int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
- struct stat statbuf;
- if (stat(file, &statbuf)) {
- info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
- return 0;
- }
-
- ERR_clear_error();
- u_long err;
- char buf[256];
- if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
- goto slfc;
+ int load_custom = 1, load_default = 1;
+ if (file || path) {
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ load_custom = 0;
+ }
 }
 if(!SSL_CTX_set_default_verify_paths(ctx)) {
- goto slfc;
+ info("Can not verify default OpenSSL configuration to validate certificates!");
+ load_default = 0;
 }
- return 0;
+ if (load_custom == 0 && load_default == 0)
+ return -1;
-slfc:
- while ((err = ERR_get_error()) != 0) {
- ERR_error_string_n(err, buf, sizeof(buf));
- error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf);
- }
- return -1;
+ return 0;
 }
-
 #endif
diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c
index b015985e6a..5764f64899 100644
--- a/streaming/rrdpush.c
+++ b/streaming/rrdpush.c
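Review bot: The rewritten body of `ssl_security_location_for_context` no longer calls `ERR_clear_error()` before `SSL_CTX_load_verify_locations` and drops the `ERR_get_error()` drain loop, so a failed load leaves entries on the thread's OpenSSL error queue and the actual reason (missing file, unparsable PEM) is never logged; a stale queue can later make `SSL_get_error()` misreport the outcome of handshake I/O on the same thread. Keep `ERR_clear_error();` at the top and, after each failed call, drain the queue with the removed `while ((err = ERR_get_error()) != 0)` / `ERR_error_string_n` loop, logging each string. Separately, when the operator explicitly configured CAfile/CApath and it fails to load, the function falls back to the system trust store with only an `info()` message and returns 0, which silently widens the set of accepted issuers compared with what was configured; consider logging that case with `error()` and, unless the fallback is intended, returning -1 when `load_custom == 0`. The `@return` line above the function should also state what 0 now means, e.g. `@return 0 if the custom or the default verify locations were loaded (a failed custom location falls back to the defaults), -1 if both failed`.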
@@ -140,8 +140,8 @@ int rrdpush_init() {
 }
 }
- netdata_ssl_ca_path = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CApath", "/etc/ssl/certs/");
- netdata_ssl_ca_file = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CAfile", "/etc/ssl/certs/certs.pem");
+ netdata_ssl_ca_path = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CApath", NULL);
+ netdata_ssl_ca_file = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CAfile", NULL);
 #endif
 return default_rrdpush_enabled;
diff --git a/streaming/stream.conf b/streaming/stream.conf
index cfaf7ebe7b..cbaab1919e 100644
--- a/streaming/stream.conf
+++ b/streaming/stream.conf
@@ -40,17 +40,18 @@ #ssl skip certificate verification = yes
 # Certificate Authority Path
- # OpenSSL has a default directory where the known certificates are stored,
- # case it is necessary it is possible to change this rule using the variable
- # "CApath"
- #CApath = /etc/ssl/certs/
+ # OpenSSL has a default directory where the known certificates are stored.
+ # In case it is necessary, it is possible to change this rule using the variable
+ # "CApath", e.g. CApath = /etc/ssl/certs/
+ #
+ #CApath =
 # Certificate Authority file
- # When the Netdata parent has certificate, that is not recognized as valid,
- # we can add this certificate in the list of known certificates in CApath
- # and give for Netdata as argument.
+ # When the Netdata parent has a certificate that is not recognized as valid,
+ # we can add it to the list of known certificates in "CApath" and give it to
+ # Netdata as an argument, e.g. CAfile = /etc/ssl/certs/cert.pem
 #
- #CAfile = /etc/ssl/certs/cert.pem
+ #CAfile =
 # The API_KEY to use (as the sender)
 api key = |
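Review bot: Changing the `CApath`/`CAfile` defaults to NULL means `netdata_ssl_ca_path` and `netdata_ssl_ca_file` are now NULL whenever the options are unset, where previously they always held a string; `ssl_security_location_for_context` guards this with `if (file || path)`, but any other reader of these globals (a `%s` log line or a `stat()` call elsewhere in the streaming code, not visible in this hunk) would now dereference NULL. Worth checking the remaining uses before merging and documenting the new meaning at the assignment, e.g. `// NULL means "not configured": ssl_security_location_for_context() then relies on the OpenSSL default trust store`. The enclosing `rrdpush_init` starts before the hunk.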