Add leaf certificate details in probe_tls_certificate_info metric #943
Conversation
| } | ||
|
|
||
| func getDNSNames(state *tls.ConnectionState) string { | ||
| cert := state.PeerCertificates[0] |
There was a problem hiding this comment.
if I understand correctly, PeerCertificates[0] will return leaf certificate.
do we want to only export details of leaf certificate?
There was a problem hiding this comment.
Great question! The details of this certificate in my opinion are the most important, if we were to add others, that wil require rethink in how these values are extracted.
I reused the logic behind the "probe_ssl_last_chain_info" metric and in hindsight, that metric name is more succinct and applicable for the info the RFE requested so maybe it would be better to just add these labels there?
There was a problem hiding this comment.
yes, probe_ssl_last_chain_info makes it explicit that this is info of last (i.e leaf) certificate with the metric name.
I think we can proceed with one of the following way:
- keep the new metric, and update the PR to add details of all certificates in the chain.
- rename the new metric to include
lastin the metric name, and only add last cert. info. - skip this new metric, and add the labels into
probe_ssl_last_chain_infometric.
I am fine with any of the above solution.
@SuperQ @roidelapluie @mem what do you folks think?
There was a problem hiding this comment.
I felt option 1 would need a pretty significant rewrite of the logic to iterate through all the certificates.
Option 2 might cause confusion for end users between the metric names so I opted to try option 3 and moved these labels into the probe_ssl_last_chain_info metric.
I also expanded the subject and issuer labels to return all their respective information, not just the CN of both.
Example
$ curl -s 'http://172.17.0.2:9115/probe?target=twitter.com' | grep probe_ssl_last_chain_info
# HELP probe_ssl_last_chain_info Contains SSL leaf certificate information
# TYPE probe_ssl_last_chain_info gauge
probe_ssl_last_chain_info{fingerprint_sha256="1d0020d1d0b632e78625219e9e2fdcf3c3a0f641240c4ecc46768cd0644884e3",issuer="CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",subject="CN=twitter.com,O=Twitter\\, Inc.,L=San Francisco,ST=California,C=US",subjectalternative="twitter.com,www.twitter.com"} 1
Signed-off-by: Daniel Jolly <[email protected]>
…info" metric Signed-off-by: Daniel Jolly <[email protected]>
Signed-off-by: Daniel Jolly <[email protected]>
|
@electron0zero @djcode Is there anything stopping this from being merged in? Would be great to see this feature get released! |
electron0zero
changed the title
electron0zero
changed the title
merged, @djcode thanks for the PR 🎉 |
I tried implementing the RFE mentioned in #892 as I also need something like this for a project.