[checkmk-commits] 7387 FIX apache_status: Ignore certificates from local hosts

Module: check_mk Branch: master Commit: d895efc27f729de1e2d6621a9e96cc3c5927de71 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d895efc27f729d… Author: Moritz Kiemer <mo(a)mathias-kettner.de> Date: Mon Apr 1 14:44:46 2019 +0200 7387 FIX apache_status: Ignore certificates from local hosts Previously not all cases of failing certificate verfication for local hosts were handled correctly, which could lead to missing data for that host. Instead of handling all cases of invalid certificates we now omit certificate verification for local addresses entirely. This only affects the addresses "127.0.0.1", "[::1]", and "localhost". Change-Id: I0ffc977ddf60b299f1e262e3c1d8fa45eb56bfc6 --- .werks/7387 | 17 +++++++++++++++++ agents/plugins/apache_status | 17 +++++++++-------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.werks/7387 b/.werks/7387 new file mode 100644 index 0000000..a817abb --- /dev/null +++ b/.werks/7387 @@ -0,0 +1,17 @@ +Title: apache_status: Ignore certificates from local hosts +Level: 1 +Component: checks +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1554122535 +Class: fix + +Previously not all cases of failing certificate verfication for +local hosts were handled correctly, which could lead to missing +data for that host. +Instead of handling all cases of invalid certificates we now +omit certificate verification for local addresses entirely. +This only affects the addresses "127.0.0.1", "[::1]", and +"localhost". + diff --git a/agents/plugins/apache_status b/agents/plugins/apache_status index 658b655..ce5b28f 100755 --- a/agents/plugins/apache_status +++ b/agents/plugins/apache_status @@ -126,11 +126,16 @@ def _unpack_server(server): server.get('page', 'server-status')) -def no_cert_verification(): +def urlopen_no_cert_verification(url): + """urlopen without checking the cert + + workaround if SSL port is found and localhost is using + SSL connections but certificate does not match + """ context = ssl.create_default_context() context.check_hostname = False context.verify_mode = ssl.CERT_NONE - return context + return urllib2.urlopen(url, context=context) def get_response(proto, address, portspec, page): @@ -139,6 +144,8 @@ def get_response(proto, address, portspec, page): # Try to fetch the status page for each server try: request = urllib2.Request(url, headers={"Accept": "text/plain"}) + if is_local: + return urlopen_no_cert_verification(url) return urllib2.urlopen(request) except urllib2.URLError as exc: if 'unknown protocol' in str(exc): @@ -147,12 +154,6 @@ def get_response(proto, address, portspec, page): url = 'http://%s%s/server-status?auto' % (address, portspec) return urllib2.urlopen(url) raise - except Exception as exc: - if 'doesn\'t match' in str(exc) and is_local: - # HACK: workaround if SSL port is found and localhost is using - # SSL connections but certificate does not match - return urllib2.urlopen(url, context=no_cert_verification()) - raise def main():