Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow tls_auth_handler to support client side verification only #982

Open
Roymprog opened this issue Nov 24, 2023 · 0 comments · May be fixed by #994
Open

Allow tls_auth_handler to support client side verification only #982

Roymprog opened this issue Nov 24, 2023 · 0 comments · May be fixed by #994

Comments

@Roymprog
Copy link

Roymprog commented Nov 24, 2023
edited
Loading

The tls_auth_handler supports setting up a mTLS connection with the Prometheus push gateway, but I want only to verify the certificate of the server. In other words, I wish to skip setting certfile and keyfile in the tls_auth_handler method when the protocol is not ssl.PROTOCOL_TLS_SERVER.

The authentication on the server side I will handle differently.

I'd be willing to contribute. Should I add it as a conditional to the current tls_auth_handler method (think this will ), or should I create a new tls_handler method?

Add to current tls_auth_handler:

def tls_auth_handler(
        url: str,
        method: str,
        timeout: Optional[float],
        headers: List[Tuple[str, str]],
        data: bytes,
        certfile: str,
        keyfile: str,
        cafile: Optional[str] = None,
        protocol: int = ssl.PROTOCOL_TLS_CLIENT,
        insecure_skip_verify: bool = False,
) -> Callable[[], None]:
    """Handler that implements an HTTPS connection with TLS Auth.

    The default protocol (ssl.PROTOCOL_TLS_CLIENT) will also enable
    ssl.CERT_REQUIRED and SSLContext.check_hostname by default. This can be
    disabled by setting insecure_skip_verify to True.

    Both this handler and the TLS feature on pushgateay are experimental."""
    context = ssl.SSLContext(protocol=protocol)
    if cafile is not None:
        context.load_verify_locations(cafile)
    else:
        context.load_default_certs()

    if insecure_skip_verify:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    
    if protocol == ssl.PROTOCOL_TLS_SERVER:
        context.load_cert_chain(certfile=certfile, keyfile=keyfile)
    
    handler = HTTPSHandler(context=context)
    return _make_handler(url, method, timeout, headers, data, handler)
@Roymprog Roymprog linked a pull request Jan 15, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add function to use TLS when pushing to gateway Roymprog/client_python
1 participant
@Roymprog