Changeset 3483
- Timestamp:
- 04/13/10 02:00:09 (2 years ago)
- Files:
-
- trunk/common/lib/Munin/Common/Config.pm (modified) (1 diff)
- trunk/common/lib/Munin/Common/TLS.pm (modified) (12 diffs)
- trunk/master/doc/munin.conf.pod.in (modified) (1 diff)
- trunk/master/lib/Munin/Master/Node.pm (modified) (2 diffs)
- trunk/node/doc/munin-node.conf.pod (modified) (1 diff)
- trunk/node/lib/Munin/Node/Config.pm (modified) (1 diff)
- trunk/node/lib/Munin/Node/Server.pm (modified) (2 diffs)
trunk/common/lib/Munin/Common/Config.pm
r3413 r3483 32 32 "service_order", "category_order", "version", 33 33 "tls_certificate", "tls_private_key", "tls_pem", 34 "tls_verify_certificate", "tls_verify_depth", 34 "tls_verify_certificate", "tls_verify_depth", "tls_match", 35 35 "tls_ca_certificate", "graph_data_size", "colour", 36 36 "graph_printf", "ok", "unknown", "palette", "realservname", trunk/common/lib/Munin/Common/TLS.pm
r2431 r3483 33 33 tls_vdepth => $args->{tls_vdepth} || 0, 34 34 tls_verify => $args->{tls_verify} || 0, 35 tls_match => $args->{tls_match} || '', 35 36 }; 36 37 … … 210 211 my $err = &Net::SSLeay::print_errs(""); 211 212 if (defined $err and length $err) { 212 $self->{logger}("[WARNING] in set_verify_depth: $err");213 $self->{logger}("[WARNING] in set_verify_depth: $err"); 213 214 } 214 215 Net::SSLeay::CTX_set_verify ($self->{tls_context}, … … 217 218 $err = &Net::SSLeay::print_errs(""); 218 219 if (defined $err and length $err) { 219 $self->{logger}("[WARNING] in set_verify: $err");220 $self->{logger}("[WARNING] in set_verify: $err"); 220 221 } 221 222 … … 230 231 my ($ok, $subj_cert, $issuer_cert, $depth, 231 232 $errorcode, $arg, $chain) = @_; 232 # $self->{logger}("ok is ${ok}");233 233 234 234 $tls_verified->{"level"}++; … … 271 271 } while $p; 272 272 $cipher_list .= '\n'; 273 $self->{logger}("[TLS] Available cipher list: $cipher_list.") ;273 $self->{logger}("[TLS] Available cipher list: $cipher_list.") if $self->{DEBUG}; 274 274 } 275 275 … … 281 281 my $err = &Net::SSLeay::print_errs(""); 282 282 if (defined $err and length $err) { 283 $self->{logger}(" TLSWarning in set_rfd: $err");283 $self->{logger}("[TLS] Warning in set_rfd: $err"); 284 284 } 285 285 Net::SSLeay::set_wfd($self->{tls_session}, $self->{write_fd}); 286 286 $err = &Net::SSLeay::print_errs(""); 287 287 if (defined $err and length $err) { 288 $self->{logger}(" TLSWarning in set_wfd: $err");288 $self->{logger}("[TLS] Warning in set_wfd: $err"); 289 289 } 290 290 } … … 294 294 my ($self, $tls_verified) = @_; 295 295 296 $self->{logger}(" Accept/Connect: $self->{private_key_loaded}, " . $self->_use_key_if_present()) if $self->{DEBUG};296 $self->{logger}("[TLS] Accept/Connect: $self->{private_key_loaded}, " . 
$self->_use_key_if_present()) if $self->{DEBUG}; 297 297 my $res; 298 298 if ($self->_use_key_if_present()) { … … 302 302 $res = Net::SSLeay::connect($self->{tls_session}); 303 303 } 304 $self->{logger}(" Done Accept/Connect") if $self->{DEBUG};304 $self->{logger}("[TLS] Done Accept/Connect") if $self->{DEBUG}; 305 305 306 306 my $err = &Net::SSLeay::print_errs(""); … … 320 320 $self->{tls_session} = undef; 321 321 } 322 elsif ($self->{"tls_match"} and 323 Net::SSLeay::dump_peer_certificate($self->{tls_session}) !~ /$self->{tls_match}/) 324 { 325 $self->{logger}("[ERROR] Could not match pattern \"" . $self->{tls_match} . 326 "\" in dump of certificate."); 327 $self->_on_unmatched_cert(); 328 Net::SSLeay::free ($self->{tls_session}); 329 Net::SSLeay::CTX_free ($self->{tls_context}); 330 $self->{tls_session} = undef; 331 } 322 332 else 323 333 { 324 $self->{logger}("[TLS] TLS enabled.") ;325 $self->{logger}("[TLS] Cipher `" . Net::SSLeay::get_cipher($self->{tls_session}) . "'.") ;326 $self->{logger}("[TLS] client cert: " . Net::SSLeay::dump_peer_certificate($self->{tls_session})) ;334 $self->{logger}("[TLS] TLS enabled.") if $self->{DEBUG}; 335 $self->{logger}("[TLS] Cipher `" . Net::SSLeay::get_cipher($self->{tls_session}) . "'.") if $self->{DEBUG}; 336 $self->{logger}("[TLS] client cert: " . 
Net::SSLeay::dump_peer_certificate($self->{tls_session})) if $self->{DEBUG}; 327 337 } 328 338 } … … 350 360 sub _on_unverified_cert {} 351 361 362 # Redefine in sub class if needed 363 sub _on_unmatched_cert {} 352 364 353 365 sub read { … … 362 374 my $err = &Net::SSLeay::print_errs(""); 363 375 if (defined $err and length $err) { 364 $self->{logger}(" TLSWarning in read: $err");376 $self->{logger}("[TLS] Warning in read: $err"); 365 377 return; 366 378 } 379 $self->{logger}("DEBUG: < $_") if $self->{DEBUG}; 380 367 381 if($_ eq '') { undef $_; } #returning '' signals EOF 368 382 369 $self->{logger}("DEBUG: < $_") if $self->{DEBUG};370 383 371 384 return $_; … … 384 397 my $err = &Net::SSLeay::print_errs(""); 385 398 if (defined $err and length $err) { 386 $self->{logger}(" TLSWarning in write: $err");399 $self->{logger}("[TLS] Warning in write: $err"); 387 400 return 0; 388 401 } trunk/master/doc/munin.conf.pod.in
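Review bot: The new `elsif` at new lines 322–331 interpolates the configured `tls_match` string straight into `/$self->{tls_match}/`, so an invalid pattern in the config dies inside the handshake on every connection instead of being reported once, and a missing peer certificate (dump undefined) only fails the check by way of an uninitialized-value warning. The match is also an unanchored substring search over a dump that, per the pod in this changeset, holds both the `Subject Name:` and `Issuer Name:` lines, so a pattern that does not begin with `Subject Name:` can be satisfied by the issuer line alone; the pod should state that the value is a Perl regex and should be anchored. Moving the check into a helper makes both cases explicit, with the condition becoming `elsif (!$self->_peer_cert_matches())` and the rest of the branch unchanged. The enclosing sub's header lies outside the hunk.
```perl
# Returns true when tls_match is unset or the peer certificate dump satisfies it.
sub _peer_cert_matches {
    my ($self) = @_;
    return 1 unless $self->{tls_match};
    my $dump = Net::SSLeay::dump_peer_certificate($self->{tls_session});
    return 0 unless defined $dump and length $dump;
    my $re = eval { qr/$self->{tls_match}/ };
    if (!defined $re) {
        $self->{logger}("[ERROR] Invalid tls_match pattern: $@");
        return 0;
    }
    return $dump =~ $re ? 1 : 0;
}
# … unchanged: verify-failure branch …
elsif (!$self->_peer_cert_matches())
{
    # … unchanged: log, _on_unmatched_cert, free session/context …
}
```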
r3394 r3483 174 174 willing to go to reach a known, trusted CA when verifying a 175 175 certificate. Default is C<5>. Affects: munin-update. 176 177 =item B<tls_match> <value> 178 179 This directive, if defined, searches a dump of the certificate provided by the 180 remote host for the given regex. The dump of the certificate is two lines of 181 the form: 182 183 Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email 184 Issuer Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email 185 186 So, for example, one could match the subject distinguished name by the directive: 187 188 tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email 189 190 Note that the fields are dumped in the order they appear in the certificate. 191 It's best to view the dump of the certificate by running munin-update in debug 192 mode and reviewing the logs. 193 194 Unfortunately, due to the limited functionality of the SSL module in use, it is 195 not possible to provide finer-grained filtering. By default this value is not 196 defined. Affects: munin-update. 176 197 177 198 =item FIXME: This section MAY be complete, it may be missing a directive or two. trunk/master/lib/Munin/Master/Node.pm
r3480 r3483 122 122 # value is therefore "disabled" (and not "auto" as before). 123 123 my $tls_requirement = $config->{tls}; 124 INFO"TLS set to \"$tls_requirement\".";124 DEBUG "TLS set to \"$tls_requirement\"."; 125 125 return if $tls_requirement eq 'disabled'; 126 my $logger = Log::Log4perl->get_logger("Munin::Master"); 126 127 $self->{tls} = Munin::Common::TLSClient->new({ 127 128 DEBUG => $config->{debug}, 128 logger => \&logger,129 logger => sub { $logger->warn(@_) }, 129 130 read_fd => fileno($self->{reader}), 130 131 read_func => sub { _node_read_single($self) }, … … 135 136 tls_vdepth => $config->{tls_verify_depth}, 136 137 tls_verify => $config->{tls_verify_certificate}, 138 tls_match => $config->{tls_match}, 137 139 write_fd => fileno($self->{writer}), 138 write_func => sub { _ write_socket_single($self, @_) },140 write_func => sub { _node_write_single($self, @_) }, 139 141 }); 140 142 trunk/node/doc/munin-node.conf.pod
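Review bot: The new logger callback at new line 129, `logger => sub { $logger->warn(@_) }`, emits every message the TLS layer hands it at WARN level, so with `debug` on the `[TLS] ...` lines and the `DEBUG: < ...` echo of each line read over the session land in the log as warnings, while the `[ERROR]` messages lose their severity. TLS.pm prefixes its messages, so the callback can map the prefix onto a Log4perl level instead of flattening everything to warn. The enclosing method starts and ends outside the hunk.
```perl
logger => sub {
    my $msg = join '', @_;
    return $logger->error($msg) if $msg =~ /^\[ERROR\]/;
    return $logger->debug($msg) if $msg =~ /^DEBUG:/;
    return $logger->warn($msg);
},
```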
r2492 r3483 61 61 directories will be overlooked. 62 62 63 =item B<tls> <value> 64 65 Can have four values. C<paranoid>, C<enabled>, C<auto>, and 66 C<disabled>. C<Paranoid> and C<enabled> require a TLS connection, 67 while C<disabled> will not attempt one at all. 68 69 The current default is C<disabled> because C<auto> is broken. C<Auto> 70 causes bad interaction between munin-update and munin-node if the node 71 is unprepared to go to TLS. 72 73 If you see data dropouts (gaps in graphs) please try to disable TLS. 74 75 =item B<tls_verify_certificate> <value> 76 77 This directive can be C<yes> or C<no>. It determines if the remote 78 certificate needs to be signed by a CA that is known locally. Default 79 is C<no>. 80 81 =item B<tls_private_key> <value> 82 83 This directive sets the location of the private key to be used for 84 TLS. Default is @@CONFDIR@@/munin-node.pem. The private key and 85 certificate can be stored in the same file. 86 87 =item B<tls_certificate> <value> 88 89 This directive sets the location of the TLS certificate to be used for 90 TLS. Default is @@CONFDIR@@/munin-node.pem. The private key and 91 certificate can be stored in the same file. 92 93 =item B<tls_ca_certificate> <value> 94 95 This directive sets the CA certificate to be used to verify the node's 96 certificate, if tls_verify_certificate is set to C<yes>. Default is 97 @@CONFDIR@@/cacert.pem. 98 99 =item B<tls_verify_depth> <value> 100 101 This directive sets how many signings up a chain of signatures TLS is 102 willing to go to reach a known, trusted CA when verifying a 103 certificate. Default is C<5>. 104 105 =item B<tls_match> <value> 106 107 This directive, if defined, searches a dump of the certificate provided by the 108 remote host for the given regex. 
The dump of the certificate is two lines of 109 the form: 110 111 Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email 112 Issuer Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email 113 114 So, for example, one could match the subject distinguished name by the directive: 115 116 tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email 117 118 Note that the fields are dumped in the order they appear in the certificate. 119 It's best to view the dump of the certificate by running munin-update in debug 120 mode and reviewing the logs. 121 122 Unfortunately, due to the limited functionality of the SSL module in use, it is 123 not possible to provide finer-grained filtering. By default this value is not 124 defined. 125 63 126 =back 64 127 trunk/node/lib/Munin/Node/Config.pm
r3298 r3483 88 88 tls_verify_certificate 89 89 tls_verify_depth 90 tls_match 90 91 ); 91 92 trunk/node/lib/Munin/Node/Server.pm
r3406 r3483 249 249 my $tls_verify = $config->{tls_verify_certificate} 250 250 || 'no'; 251 my $tls_match = $config->{tls_match}; 251 252 252 253 my $depth = $config->{tls_verify_depth}; … … 264 265 tls_vdepth => $depth, 265 266 tls_verify => $tls_verify, 267 tls_match => $tls_match, 266 268 write_fd => fileno(STDOUT), 267 269 write_func => sub { print @_ },
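Review bot: `tls_match` is forwarded at new line 267 regardless of `$tls_verify`, yet on the node the dump it is matched against comes from the master's client certificate; if the node does not request one when `tls_verify_certificate` is `no` (the default here via `|| 'no'`; confirm against the CTX_set_verify call in TLS.pm), the dump is empty and every master connection is rejected as soon as `tls_match` is set. A startup check would surface the misconfiguration instead of leaving it as silent connection drops, e.g. `warn "tls_match is set but tls_verify_certificate is 'no'; no client certificate will be requested\n" if $tls_match and $tls_verify eq 'no';`. The enclosing sub starts and ends outside the hunk.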
