feat(tls): allow setting renegotiation method (#12302)

This commit is contained in:
Joshua Powers 2022-12-06 20:09:58 -07:00 committed by GitHub
parent eea9021771
commit da0c186a71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 11 deletions


@ -21,6 +21,7 @@ type ClientConfig struct {
TLSMinVersion string `toml:"tls_min_version"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
ServerName string `toml:"tls_server_name"`
RenegotiationMethod string `toml:"tls_renegotiation_method"`
SSLCA string `toml:"ssl_ca" deprecated:"1.7.0;use 'tls_ca' instead"`
SSLCert string `toml:"ssl_cert" deprecated:"1.7.0;use 'tls_cert' instead"`
@ -58,15 +59,30 @@ func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
// a TLS connection. That is, any of:
// * client certificate settings,
// * peer certificate authorities,
// * disabled security, or
// * an SNI server name.
if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify && c.ServerName == "" {
// * disabled security,
// * an SNI server name, or
// * empty/never renegotiation method
if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" &&
!c.InsecureSkipVerify && c.ServerName == "" &&
(c.RenegotiationMethod == "" || c.RenegotiationMethod == "never") {
return nil, nil
}
var renegotiationMethod tls.RenegotiationSupport
switch c.RenegotiationMethod {
case "", "never":
renegotiationMethod = tls.RenegotiateNever
case "once":
renegotiationMethod = tls.RenegotiateOnceAsClient
case "freely":
renegotiationMethod = tls.RenegotiateFreelyAsClient
default:
return nil, fmt.Errorf("unrecognized renegotation method '%s', choose from: 'never', 'once', 'freely'", c.RenegotiationMethod)
}
tlsConfig := &tls.Config{
InsecureSkipVerify: c.InsecureSkipVerify,
Renegotiation: tls.RenegotiateNever,
Renegotiation: renegotiationMethod,
}
if c.TLSCA != "" {
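Review bot: The error string on the `default:` arm misspells the option as `renegotation`, so a log search for the config key `tls_renegotiation_method` would miss it; the value should also be quoted with `%q` rather than `'%s'` so an empty or whitespace-only value is visible: `return nil, fmt.Errorf("unrecognized renegotiation method %q, choose from: 'never', 'once', 'freely'", c.RenegotiationMethod)`. The switch is also the one place a reader learns what the new setting does, and since enabling it lets the peer trigger a handshake mid-connection it deserves a why-comment such as `// Renegotiation only exists in TLS 1.2 and below; "never" is the safe default and "freely" should be enabled only for servers that demand it.` Note that a bare `tls_renegotiation_method = "once"` with no other TLS field set now yields a non-nil config where the previous code returned nil, which appears intended given the widened early-return condition but is worth stating in the method's doc comment. TLSConfig's body continues outside the hunk.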


@ -76,6 +76,8 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
# insecure_skip_verify = false
## Use the given name as the SNI server name on each URL
# tls_server_name = ""
## TLS renegotiation method, choose from "never", "once", "freely"
# tls_renegotiation_method = "never"
## HTTP Request Headers (all values must be strings)
# [inputs.http_response.headers]


@ -60,6 +60,8 @@
# insecure_skip_verify = false
## Use the given name as the SNI server name on each URL
# tls_server_name = ""
## TLS renegotiation method, choose from "never", "once", "freely"
# tls_renegotiation_method = "never"
## HTTP Request Headers (all values must be strings)
# [inputs.http_response.headers]