Module: check_mk
Branch: master
Commit: dcc53fc89e6e91da78e29c3b8304e63d79266022
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=dcc53fc89e6e91…
Author: Moritz Kiemer <mo(a)mathias-kettner.de>
Date: Fri Apr 12 11:58:35 2019 +0200
apache_status: fix werk 7387
The ssl.create_default_context function is only introduced
in python 2.7.
Only call it, it it absolutely necessary.
Change-Id: Ic6fe9176dffb3c9992126972903dcd8ae6aee5d8
---
.werks/7387 | 6 ++++--
agents/plugins/apache_status | 20 ++++++++------------
2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/.werks/7387 b/.werks/7387
index a817abb..cf309bb 100644
--- a/.werks/7387
+++ b/.werks/7387
@@ -12,6 +12,8 @@ local hosts were handled correctly, which could lead to missing
data for that host.
Instead of handling all cases of invalid certificates we now
omit certificate verification for local addresses entirely.
-This only affects the addresses "127.0.0.1", "[::1]", and
-"localhost".
+Note that this will fail for python versions before 2.7.
+
+This only applies if one of the addresses "127.0.0.1", "[::1]", and
+"localhost" is queried using https.
diff --git a/agents/plugins/apache_status b/agents/plugins/apache_status
index a861619..45e9361 100755
--- a/agents/plugins/apache_status
+++ b/agents/plugins/apache_status
@@ -46,7 +46,6 @@ import re
import socket
import sys
import urllib2
-import ssl
# We have to deal with socket timeouts. Python > 2.6
# supports timeout parameter for the urllib2.urlopen method
@@ -126,26 +125,23 @@ def _unpack_server(server):
server.get('page', 'server-status'))
-def get_ssl_context(address):
- """return the appropriate SSL context
-
- * for local addresses ignore the Certificate
- """
+def get_ssl_no_verify_context():
+ import ssl
context = ssl.create_default_context()
- is_local = address in ("127.0.0.1", "[::1]",
"localhost")
- if is_local:
- context.check_hostname = False
- context.verify_mode = ssl.CERT_NONE
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
return context
def get_response(proto, address, portspec, page):
url = '%s://%s%s/%s?auto' % (proto, address, portspec, page)
request = urllib2.Request(url, headers={"Accept": "text/plain"})
- ssl_context = get_ssl_context(address)
+ is_local = address in ("127.0.0.1", "[::1]",
"localhost")
# Try to fetch the status page for each server
try:
- return urllib2.urlopen(request, context=ssl_context)
+ if proto == "https" and is_local:
+ return urllib2.urlopen(request, context=get_ssl_no_verify_context())
+ return urllib2.urlopen(request)
except urllib2.URLError as exc:
if 'unknown protocol' in str(exc):
# HACK: workaround misconfigurations where port 443 is used for