sensu-plugins / sensu-plugins-http

This plugin provides native HTTP instrumentation for monitoring and metrics collection, including: response code, JSON response, HTTP last modified, SSL expiry, and metrics via `curl`.
http://sensu-plugins.io
MIT License

[Security Bug] Insecure crypto usage #191

Open nageshservicenow opened 5 months ago

nageshservicenow commented 5 months ago

Description

Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks.

Used `verify_mode` as `VERIFY_NONE` as below in various source code files in this repo:

```ruby
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
```

Affected files: metrics-apache-graphite.rb :

- https://github.com/sensu-plugins/sensu-plugins-http/blob/115bc8d2d0708f5f89338bf499770abdb1864157/bin/check-http-json.rb#L164
- https://github.com/sensu-plugins/sensu-plugins-http/blob/115bc8d2d0708f5f89338bf499770abdb1864157/bin/check-http.rb#L330
- https://github.com/sensu-plugins/sensu-plugins-http/blob/115bc8d2d0708f5f89338bf499770abdb1864157/bin/check-https-cert.rb#L90
- https://github.com/sensu-plugins/sensu-plugins-http/blob/115bc8d2d0708f5f89338bf499770abdb1864157/bin/metrics-http-json-deep.rb#L112

Remediation

  1. Use 'OpenSSL::SSL::VERIFY_PEER' instead.
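An added example (not the plugin's own code) showing the flagged `VERIFY_NONE` setting beside the `VERIFY_PEER` remediation from this issue, plus a small source scan that fails on the pattern; the `insecure:` opt-out, the hostnames and the sample source are assumed/constructed.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build a Net::HTTP client for +url+. Peer verification stays on unless the
# caller explicitly opts out (assumed opt-out, not the plugin's flag).
def build_http_client(url, insecure: false, ca_file: nil)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)   # no connection is made here
  http.use_ssl = (uri.scheme == 'https')
  if http.use_ssl?
    if insecure
      # The pattern flagged in the issue: any certificate is accepted, so an
      # on-path attacker can terminate the TLS session unnoticed.
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    else
      # Remediation: verify the peer chain against a trust store.
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      store = OpenSSL::X509::Store.new
      ca_file ? store.add_file(ca_file) : store.set_default_paths
      http.cert_store = store
    end
  end
  http
end

# Source-level check for the flagged pattern, usable as a CI gate.
# Returns [[line_number, line], ...] for each VERIFY_NONE assignment.
VERIFY_NONE_RE = /verify_mode\s*=\s*OpenSSL::SSL::VERIFY_NONE/

def find_verify_none(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ VERIFY_NONE_RE }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample resembling the affected scripts (not their real contents).
SAMPLE_SOURCE = <<~RUBY
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config[:insecure]
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
RUBY

if __FILE__ == $PROGRAM_NAME
  find_verify_none(SAMPLE_SOURCE).each { |n, l| puts "line #{n}: #{l}" }
end
```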