authorthiagoftsm <thiagoftsm@gmail.com>2019-07-29 12:27:32 +0000
committerPaul Emm. Katsoulakis <34388743+paulkatsoulakis@users.noreply.github.com>2019-07-29 15:27:32 +0300
commit551617bd322e2b855ccf19375650348fda77938a (patch)
treee329b8e38550c634181332ca3f882bc52c082cbf /libnetdata
parent7d0250e3afc48b16fd01de36ced2b76d64201adc (diff)
Add configurable default locations for trusted CA certificates (#6549)
* sslcertificate: Trust certificate Netdata could not allow an invalid certificate or a certificate with an invalid chain; this commit fixes this! * sslcertificate: Changing name We are bringing in the same names used by the OpenSSL library to simplify the understanding of the parameters * sslcertificate: Name changes and explicit directory This commit fixes the problem with Streams and renames the files correctly in the option; it also uses stat to determine the existence of a file * sslcertificate: Documentation Fix grammar for the newest section in the documentation * sslcertificate: Rename variables The old variables did not represent well what they were doing, so they were renamed
Diffstat (limited to 'libnetdata')
-rw-r--r--libnetdata/socket/security.c57
-rw-r--r--libnetdata/socket/security.h1
2 files changed, 57 insertions, 1 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 9eb8e60247..ab324a1691 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -164,7 +164,7 @@ void security_start_ssl(int selector) {
switch (selector) {
case NETDATA_SSL_CONTEXT_SERVER: {
struct stat statbuf;
- if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
+ if (stat(security_key, &statbuf) || stat(security_cert, &statbuf)) {
info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
return;
}
@@ -186,6 +186,11 @@ void security_start_ssl(int selector) {
}
}
+/**
+ * Clean Open SSL
+ *
+ * Clean all the allocated contexts from netdata.
+ */
void security_clean_openssl() {
if (netdata_srv_ctx)
{
@@ -265,6 +270,15 @@ int security_process_accept(SSL *ssl,int msg) {
return NETDATA_SSL_HANDSHAKE_COMPLETE;
}
+/**
+ * Test Certificate
+ *
+ * Check the certificate of Netdata master
+ *
+ * @param ssl is the connection structure
+ *
+ * @return It returns 0 on success and -1 otherwise
+ */
int security_test_certificate(SSL *ssl) {
X509* cert = SSL_get_peer_certificate(ssl);
int ret;
@@ -283,7 +297,48 @@ int security_test_certificate(SSL *ssl) {
} else {
ret = 0;
}
+
return ret;
}
+/**
+ * Location for context
+ *
+ * Case the user give us a directory with the certificates available and
+ * the Netdata master certificate, we use this function to validate the certificate.
+ *
+ * @param ctx the context where the path will be set.
+ * @param file the file with Netdata master certificate.
+ * @param path the directory where the certificates are stored.
+ *
+ * @return It returns 0 on success and -1 otherwise.
+ */
+int security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
+ struct stat statbuf;
+ if (stat(file, &statbuf)) {
+ info("Netdata does not have a SSL master certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ return 0;
+ }
+
+ ERR_clear_error();
+ u_long err;
+ char buf[256];
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ goto slfc;
+ }
+
+ if(!SSL_CTX_set_default_verify_paths(ctx)) {
+ goto slfc;
+ }
+
+ return 0;
+
+slfc:
+ while ((err = ERR_get_error()) != 0) {
+ ERR_error_string_n(err, buf, sizeof(buf));
+ error("Cannot set the directory for the certificates and the master SSL certificate: %s",buf);
+ }
+ return -1;
+}
+
#endif
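Review bot: The early return at `if (stat(file, &statbuf))` in security_location_for_context leaves the context without any trust anchors even though the info message promises the default OpenSSL configuration will be used — `SSL_CTX_set_default_verify_paths(ctx)` is only reached after a successful `SSL_CTX_load_verify_locations`, so with no master certificate configured peer verification has nothing to chain to (unless a caller loads the defaults elsewhere, which this hunk does not show). Calling the default-paths loader before the file check makes the message true and keeps the existing error logging on failure, as in the rewrite below. A second point worth a line in the header comment: once a file is configured the function still adds the system default paths, so a configured master certificate widens rather than pins the trust set; if pinning is the intent, the comment should say that any CA in the default store is also accepted. On style, `u_long` is a platform alias while `unsigned long` is the documented return type of `ERR_get_error`, and `file`/`path` are only read, so both the definition and the prototype added in security.h could take `const char *`.
```c
int security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
    struct stat statbuf;
    unsigned long err;
    char buf[256];

    ERR_clear_error();
    /* Load the system trust store first so the "default configuration" path
     * below is actually configured when no master certificate is present. */
    if (!SSL_CTX_set_default_verify_paths(ctx)) {
        goto slfc;
    }

    if (stat(file, &statbuf)) {
        info("Netdata does not have a SSL master certificate, so it will use the default OpenSSL configuration to validate certificates!");
        return 0;
    }

    if (!SSL_CTX_load_verify_locations(ctx, file, path)) {
        goto slfc;
    }

    return 0;

    /* … unchanged: slfc error-logging loop and return -1 … */
```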
diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h
index cc870ce17b..697e0fda1f 100644
--- a/libnetdata/socket/security.h
+++ b/libnetdata/socket/security.h
@@ -34,6 +34,7 @@ extern SSL_CTX *netdata_srv_ctx;
extern const char *security_key;
extern const char *security_cert;
extern int netdata_validate_server;
+extern int security_location_for_context(SSL_CTX *ctx,char *file,char *path);
void security_openssl_library();
void security_clean_openssl();