Add TLS encryption support for TSD connections #186
By the way, we have been using this in production since I submitted the PR.
@tsuna I have tested the pull request; it works fine. Please check the command line names, I know you are serious about naming, and I will do the rest. Thanks.
- Enable TLS encryption on TSD connections with command line toggle --tls or --ssl. Since OpenTSDB does not support SSL, this requires an SSL proxy in front of OpenTSDB, such as stunnel or similar
- Prefers TLS v1.2 if available (since python 2.7.9), uses TLS v1 otherwise
- Add _valid_certificate_name method to SenderThread, for verifying certificate name against hostname. Allows use of wildcard (*) in subdomains, but not in TLD or HOST parts. I.e. *.example.tld allowed
- Add command line option --ca-certs for specifying the path to the system ca-certificates file. Checks existence on start up. Defaults to /etc/ssl/certs/ca-certificates.crt
- Add EXTRA_ARGS option to init scripts, for specifying extra options like --tls and --ca-certs
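An added Python example of the certificate-name policy and startup CA check the description above lists; this is not the PR's own code (which is not shown on this page). The function names, the sample certificate dict and the reading that the wildcard must be a whole leftmost label covering exactly one subdomain label are my assumptions.

```python
import ssl


def valid_certificate_name(cert_name, hostname):
    """Match one certificate name (CN or SAN DNS entry) against a hostname.

    Wildcard policy (assumption, following the PR text): '*' must be the
    entire leftmost label, it matches exactly one label, and at least two
    labels (host + TLD) must follow it, so '*.example.tld' is accepted
    while '*.tld', 'example.*' and 'ts*.example.tld' are rejected.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname  # plain, case-insensitive comparison
    labels = cert_name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False  # wildcard in the TLD/host part, or only a partial label
    host_labels = hostname.split(".")
    # '*' covers a single subdomain label, so the label counts must agree.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def certificate_matches_hostname(cert, hostname):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert().

    SAN DNS entries take precedence; the subject CN is consulted only when
    the certificate carries no SAN DNS entries.
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for (k, v) in rdn if k == "commonName")
    return any(valid_certificate_name(n, hostname) for n in names)


def make_client_context(ca_certs="/etc/ssl/certs/ca-certificates.crt"):
    """Client context for the TLS proxy sitting in front of the TSD.

    Loading the CA bundle here raises FileNotFoundError at startup if the
    path does not exist, mirroring the --ca-certs existence check.
    """
    ctx = ssl.create_default_context(cafile=ca_certs)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    return ctx


# Constructed sample in the getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "tsd.example.tld"),),),
    "subjectAltName": (("DNS", "*.example.tld"), ("DNS", "tsd-backup.example.tld")),
}
```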
I just fixed a few spelling errors and incorrect details in the commit message (and PR description). The implementation is still as vasiliyk tested (thanks, btw).
It's been almost a year since @vasiliyk tested the PR. Anything needed on the PR for a merge?
I'm sorry, let me pull this down and rebase it. I'll give it a test off the recent additions we've made in that area. Hopefully we'll be a little more active in our support of the project! Thank you for your contribution!!
Yep, and now it's been 2 years, sorry @broeng, totally not fair. I pulled the PR down and rebased it. I have to make a few tweaks to make sure the linting is still good and that it works in 2.7 through 3.6, but it looks like it will be pretty good. edit: 4 years....
I pulled it down and the reason it wasn't merged is that it conflicted with the other TLS work done at the same time. I don't think they are replacements of each other though, so I'll need to spend some time sorting it out. The other support was added to allow it to submit data to OVH's metrics platform. https://www.ovh.com/fr/data-platforms/metrics/
Sorry this never got merged :-/ It's still on my list of things I should test out and validate! It's only been 6 years...
Simon, first of all, thank you!