[checkmk-commits] apache_status: fix werk 7387

Module: check_mk Branch: master Commit: dcc53fc89e6e91da78e29c3b8304e63d79266022 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=dcc53fc89e6e91… Author: Moritz Kiemer <mo(a)mathias-kettner.de> Date: Fri Apr 12 11:58:35 2019 +0200 apache_status: fix werk 7387 The ssl.create_default_context function is only introduced in python 2.7. Only call it, it it absolutely necessary. Change-Id: Ic6fe9176dffb3c9992126972903dcd8ae6aee5d8 --- .werks/7387 | 6 ++++-- agents/plugins/apache_status | 20 ++++++++------------ 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/.werks/7387 b/.werks/7387 index a817abb..cf309bb 100644 --- a/.werks/7387 +++ b/.werks/7387 @@ -12,6 +12,8 @@ local hosts were handled correctly, which could lead to missing data for that host. Instead of handling all cases of invalid certificates we now omit certificate verification for local addresses entirely. -This only affects the addresses "127.0.0.1", "[::1]", and -"localhost". +Note that this will fail for python versions before 2.7. + +This only applies if one of the addresses "127.0.0.1", "[::1]", and +"localhost" is queried using https. diff --git a/agents/plugins/apache_status b/agents/plugins/apache_status index a861619..45e9361 100755 --- a/agents/plugins/apache_status +++ b/agents/plugins/apache_status @@ -46,7 +46,6 @@ import re import socket import sys import urllib2 -import ssl # We have to deal with socket timeouts. Python > 2.6 # supports timeout parameter for the urllib2.urlopen method @@ -126,26 +125,23 @@ def _unpack_server(server): server.get('page', 'server-status')) -def get_ssl_context(address): - """return the appropriate SSL context - - * for local addresses ignore the Certificate - """ +def get_ssl_no_verify_context(): + import ssl context = ssl.create_default_context() - is_local = address in ("127.0.0.1", "[::1]", "localhost") - if is_local: - context.check_hostname = False - context.verify_mode = ssl.CERT_NONE + context.check_hostname = False + context.verify_mode = ssl.CERT_NONE return context def get_response(proto, address, portspec, page): url = '%s://%s%s/%s?auto' % (proto, address, portspec, page) request = urllib2.Request(url, headers={"Accept": "text/plain"}) - ssl_context = get_ssl_context(address) + is_local = address in ("127.0.0.1", "[::1]", "localhost") # Try to fetch the status page for each server try: - return urllib2.urlopen(request, context=ssl_context) + if proto == "https" and is_local: + return urllib2.urlopen(request, context=get_ssl_no_verify_context()) + return urllib2.urlopen(request) except urllib2.URLError as exc: if 'unknown protocol' in str(exc): # HACK: workaround misconfigurations where port 443 is used for