mirror of
https://github.com/drewkerrigan/nagios-http-json.git
synced 2024-11-22 18:33:49 +01:00
refine ssl insecure and client certificate options
* default TLS Protocols are now set to >= TLS1 * --cacert and --cert are no longer mandatory if option -s is used * proper error messages if parsing of cert or key files fails
This commit is contained in:
parent
df2bbdbf51
commit
8437c464e5
@ -390,12 +390,8 @@ def parseArgs():
|
|||||||
parser.add_argument('-k', '--insecure', action='store_true',
|
parser.add_argument('-k', '--insecure', action='store_true',
|
||||||
help='do not check server SSL certificate')
|
help='do not check server SSL certificate')
|
||||||
parser.add_argument('--cacert',
|
parser.add_argument('--cacert',
|
||||||
required=('-s' in sys.argv or '--ssl' in sys.argv)
|
|
||||||
and not ('-k' in sys.argv or '--insecure' in sys.argv),
|
|
||||||
dest='cacert', help='SSL CA certificate')
|
dest='cacert', help='SSL CA certificate')
|
||||||
parser.add_argument('--cert',
|
parser.add_argument('--cert',
|
||||||
required=('-s' in sys.argv or '--ssl' in sys.argv)
|
|
||||||
and not ('-k' in sys.argv or '--insecure' in sys.argv),
|
|
||||||
dest='cert', help='SSL client certificate')
|
dest='cert', help='SSL client certificate')
|
||||||
parser.add_argument('--key', dest='key',
|
parser.add_argument('--key', dest='key',
|
||||||
help='SSL client key ( if not bundled into the cert )')
|
help='SSL client key ( if not bundled into the cert )')
|
||||||
@ -680,13 +676,40 @@ if __name__ == "__main__":
|
|||||||
nagios = NagiosHelper()
|
nagios = NagiosHelper()
|
||||||
if args.ssl:
|
if args.ssl:
|
||||||
url = "https://%s" % args.host
|
url = "https://%s" % args.host
|
||||||
|
|
||||||
|
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
||||||
|
context.options |= ssl.OP_NO_SSLv2
|
||||||
|
context.options |= ssl.OP_NO_SSLv3
|
||||||
|
|
||||||
if args.insecure:
|
if args.insecure:
|
||||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
context.verify_mode = ssl.CERT_NONE
|
||||||
else:
|
else:
|
||||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
|
||||||
context.verify_mode = ssl.CERT_OPTIONAL
|
context.verify_mode = ssl.CERT_OPTIONAL
|
||||||
|
if args.cacert:
|
||||||
|
try:
|
||||||
context.load_verify_locations(args.cacert)
|
context.load_verify_locations(args.cacert)
|
||||||
|
except ssl.SSLError:
|
||||||
|
nagios.append_unknown(
|
||||||
|
''' Error loading SSL CA cert "%s"!'''
|
||||||
|
% args.cacert)
|
||||||
|
|
||||||
|
if args.cert:
|
||||||
|
try:
|
||||||
context.load_cert_chain(args.cert,keyfile=args.key)
|
context.load_cert_chain(args.cert,keyfile=args.key)
|
||||||
|
except ssl.SSLError:
|
||||||
|
if args.key:
|
||||||
|
nagios.append_unknown(
|
||||||
|
''' Error loading SSL cert. Make sure key "%s" belongs to cert "%s"!'''
|
||||||
|
% (args.key, args.cert))
|
||||||
|
else:
|
||||||
|
nagios.append_unknown(
|
||||||
|
''' Error loading SSL cert. Make sure "%s" contains the key as well!'''
|
||||||
|
% (args.cert))
|
||||||
|
|
||||||
|
if nagios.getCode() != OK_CODE:
|
||||||
|
print(nagios.getMessage())
|
||||||
|
exit(nagios.getCode())
|
||||||
|
|
||||||
else:
|
else:
|
||||||
url = "http://%s" % args.host
|
url = "http://%s" % args.host
|
||||||
if args.port:
|
if args.port:
|
||||||
|
Loading…
Reference in New Issue
Block a user