ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

added pop3 STARTTLS queryResponse #84

Closed teutonet closed 2 years ago

teutonet commented 2 years ago

Relating to RFC https://datatracker.ietf.org/doc/html/rfc2595#section-4, we created a pop3 starttls query. Hopefully this will be included in your ssl-exporter to implement POP3 starttls probes.

Do you need any tests to prove the function?

without patch
tb@tb ~/git/ssl_exporter $ curl 'http://127.0.0.1:9219/probe?module=starttls_pop3&target=xxxxx%3A110'
# HELP ssl_probe_success If the probe was a success
# TYPE ssl_probe_success gauge
ssl_probe_success 0
# HELP ssl_prober The prober used by the exporter to connect to the target
# TYPE ssl_prober gauge
ssl_prober{prober="tcp"} 1

level=error ts=2021-12-09T10:18:55.817Z caller=ssl_exporter.go:99 target=xxxxx:110 prober=tcp timeout=10s msg="STARTTLS is not supported for pop3"
with patch (cut off)
tb@tb ~/git/ssl_exporter $ curl 'http://127.0.0.1:9219/probe?module=starttls_pop3&target=xxxxx%3A110'
....
# HELP ssl_probe_success If the probe was a success
# TYPE ssl_probe_success gauge
ssl_probe_success 1
# HELP ssl_prober The prober used by the exporter to connect to the target
# TYPE ssl_prober gauge
ssl_prober{prober="tcp"} 1
# HELP ssl_tls_version_info The TLS version used
# TYPE ssl_tls_version_info gauge
ssl_tls_version_info{version="TLS 1.2"} 1
# HELP ssl_verified_cert_not_after NotAfter expressed as a Unix Epoch Time
# TYPE ssl_verified_cert_not_after gauge
ssl_verified_cert_not_after{chain_no="0",cn="ISRG Root X1",dnsnames="",emails="",ips="",issuer_cn="ISRG Root X1",ou="",serial_no="172886928669790476064670243504169061120"} 2.064567878e+09
ssl_verified_cert_not_after{chain_no="0",cn="R3",dnsnames="",emails="",ips="",issuer_cn="ISRG Root X1",ou="",serial_no="192961496339968674994309121183282847578"} 1.757952e+09
ssl_verified_cert_not_after{chain_no="0",cn="xxxxx",dnsnames="xxxxx",emails="",ips="",issuer_cn="R3",ou="",serial_no="3842xxxxx"} 1.642294402e+09
# HELP ssl_verified_cert_not_before NotBefore expressed as a Unix Epoch Time
# TYPE ssl_verified_cert_not_before gauge
ssl_verified_cert_not_before{chain_no="0",cn="ISRG Root X1",dnsnames="",emails="",ips="",issuer_cn="ISRG Root X1",ou="",serial_no="172886928669790476064670243504169061120"} 1.433415878e+09
ssl_verified_cert_not_before{chain_no="0",cn="R3",dnsnames="",emails="",ips="",issuer_cn="ISRG Root X1",ou="",serial_no="192961496339968674994309121183282847578"} 1.5991776e+09
ssl_verified_cert_not_before{chain_no="0",cn="xxxxx",dnsnames="xxxxx",emails="",ips="",issuer_cn="R3",ou="",serial_no="xxxxx"} 1.634518403e+09
configuration
modules:
  starttls_pop3:
    prober: tcp
    tcp:
      starttls: pop3
ribbybibby commented 2 years ago

Thanks for the contribution! It looks good but could you do the following:

teutonet commented 2 years ago

> Thanks for the contribution! It looks good but could you do the following:
>
> * Add tests (can use https://github.com/ribbybibby/ssl_exporter/blob/master/prober/tcp_test.go#L210-L247 for reference)
>
> * Update the README: https://github.com/ribbybibby/ssl_exporter#tcp_probe

I implemented the POP3 test, hopefully this is okay now. When running "make" everything seemed to be okay.

=== RUN   TestProbeTCPStartTLSPOP3
level=debug msg="read line: +OK XPOP3 ready."
level=debug msg="regex: OK matched: +OK XPOP3 ready."
level=debug msg="sending line: STLS"
level=debug msg="read line: +OK Begin TLS negotiation now."
level=debug msg="regex: OK matched: +OK Begin TLS negotiation now."
--- PASS: TestProbeTCPStartTLSPOP3 (0.37s)
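The STLS exchange this PR implements (RFC 2595 section 4, and the greeting / STLS / +OK lines in the test log above) as an added Go example. It is not ssl_exporter's own prober code: pop3StartTLS, expectOK and fakePOP3Server are hypothetical names, and net.Pipe stands in for a real POP3 server so it runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// pop3StartTLS does the cleartext half of RFC 2595 section 4: read the greeting,
// send STLS, require +OK. Only then may the caller wrap conn in tls.Client; a
// -ERR or garbled reply fails the probe instead of continuing in cleartext.
func pop3StartTLS(conn net.Conn) error {
	r := bufio.NewReader(conn)
	if err := expectOK(r, "greeting"); err != nil {
		return err
	}
	if _, err := conn.Write([]byte("STLS\r\n")); err != nil {
		return fmt.Errorf("sending STLS: %w", err)
	}
	return expectOK(r, "STLS")
}

// expectOK reads one reply line and checks the POP3 "+OK" status indicator.
func expectOK(r *bufio.Reader, stage string) error {
	line, err := r.ReadString('\n')
	if err != nil {
		return fmt.Errorf("reading %s reply: %w", stage, err)
	}
	if line = strings.TrimRight(line, "\r\n"); !strings.HasPrefix(line, "+OK") {
		return fmt.Errorf("%s: unexpected response %q", stage, line)
	}
	return nil
}

// fakePOP3Server (constructed) plays the server end of a net.Pipe: it sends the
// greeting from the PR's test log, then stlsReply in answer to the STLS command.
func fakePOP3Server(conn net.Conn, stlsReply string) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprint(conn, "+OK XPOP3 ready.\r\n")
	if cmd, _ := r.ReadString('\n'); strings.TrimSpace(cmd) == "STLS" {
		fmt.Fprint(conn, stlsReply+"\r\n")
	}
}

func main() {
	c, s := net.Pipe()
	go fakePOP3Server(s, "+OK Begin TLS negotiation now.")
	fmt.Println("STLS accepted:", pop3StartTLS(c) == nil)
}
```

A real prober would also set a read/write deadline on conn from the module timeout before calling pop3StartTLS, so a server that never answers STLS fails the probe instead of hanging it.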