Open
Description
The `tls_auth_handler` supports setting up an mTLS connection with the Prometheus push gateway, but I want only to verify the certificate of the server. In other words, I wish to skip setting `certfile` and `keyfile` in the `tls_auth_handler` method when the protocol is not `ssl.PROTOCOL_TLS_SERVER`.

The authentication on the server side I will handle differently.

I'd be willing to contribute. Should I add it as a conditional to the current `tls_auth_handler` method (think this will ), or should I create a new `tls_handler` method?
Add to current `tls_auth_handler`:

```python
import ssl
from typing import Callable, List, Optional, Tuple
from urllib.request import HTTPSHandler

from prometheus_client.exposition import _make_handler


def tls_auth_handler(
    url: str,
    method: str,
    timeout: Optional[float],
    headers: List[Tuple[str, str]],
    data: bytes,
    certfile: str,
    keyfile: str,
    cafile: Optional[str] = None,
    protocol: int = ssl.PROTOCOL_TLS_CLIENT,
    insecure_skip_verify: bool = False,
) -> Callable[[], None]:
    """Handler that implements an HTTPS connection with TLS Auth.

    The default protocol (ssl.PROTOCOL_TLS_CLIENT) will also enable
    ssl.CERT_REQUIRED and SSLContext.check_hostname by default. This can be
    disabled by setting insecure_skip_verify to True.

    Both this handler and the TLS feature on pushgateway are experimental."""
    context = ssl.SSLContext(protocol=protocol)
    if cafile is not None:
        # Trust a specific CA bundle (e.g. a private CA for the gateway).
        context.load_verify_locations(cafile)
    else:
        # Fall back to the system trust store.
        context.load_default_certs()

    if insecure_skip_verify:
        # Turns off both hostname and chain verification.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

    # Proposed change: only load the client certificate and key when the
    # caller selected ssl.PROTOCOL_TLS_SERVER; otherwise only the server
    # certificate is verified.
    if protocol == ssl.PROTOCOL_TLS_SERVER:
        context.load_cert_chain(certfile=certfile, keyfile=keyfile)

    handler = HTTPSHandler(context=context)
    return _make_handler(url, method, timeout, headers, data, handler)
```
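The server-verify-only handler the post asks for, as an added example that is not the issue author's proposal and not code from prometheus_client. It makes `certfile`/`keyfile` optional instead of keying on the `protocol` value, so the same factory covers plain server verification and mTLS, and it rejects a key without a certificate (which `load_cert_chain` would otherwise silently ignore). The names `build_client_context`, `tls_handler` and `make_pushgateway_handler` are assumed here, and the request logic mirrors what the library's `_make_handler` does so the block runs without prometheus_client installed.

```python
"""Server-verify-only (optionally mTLS) TLS handler for Pushgateway pushes.

Added example; names below are assumptions, not the prometheus_client API.
"""
import ssl
from typing import Callable, List, Optional, Tuple
from urllib.request import HTTPSHandler, Request, build_opener


def build_client_context(
    cafile: Optional[str] = None,
    certfile: Optional[str] = None,
    keyfile: Optional[str] = None,
    insecure_skip_verify: bool = False,
) -> ssl.SSLContext:
    """Client-side context that verifies the server; client cert is optional."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        context.load_verify_locations(cafile)  # private CA that signed the gateway cert
    else:
        context.load_default_certs()  # system trust store
    if insecure_skip_verify:
        # Disables hostname AND chain verification: any certificate is accepted.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    if keyfile is not None and certfile is None:
        # load_cert_chain(certfile=None, keyfile=...) would not present anything.
        raise ValueError("keyfile given without certfile")
    if certfile is not None:
        # Only now does the context present a client certificate (mTLS).
        context.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return context


def describe_context(context: ssl.SSLContext) -> Tuple[str, bool]:
    """(verify_mode name, check_hostname) for inspection in tests."""
    return (ssl.VerifyMode(context.verify_mode).name, context.check_hostname)


def tls_handler(
    url: str,
    method: str,
    timeout: Optional[float],
    headers: List[Tuple[str, str]],
    data: bytes,
    cafile: Optional[str] = None,
    certfile: Optional[str] = None,
    keyfile: Optional[str] = None,
    insecure_skip_verify: bool = False,
) -> Callable[[], None]:
    """Return a thunk that performs one HTTPS request to the gateway."""
    context = build_client_context(cafile, certfile, keyfile, insecure_skip_verify)
    opener = build_opener(HTTPSHandler(context=context))

    def handle() -> None:
        request = Request(url, data=data)
        request.get_method = lambda: method  # PUT/POST/DELETE as the caller chose
        for key, value in headers:
            request.add_header(key, value)
        response = opener.open(request, timeout=timeout)
        if response.code >= 400:
            raise OSError(f"error talking to pushgateway: {response.code} {response.msg}")

    return handle


def make_pushgateway_handler(
    cafile: Optional[str] = None,
    certfile: Optional[str] = None,
    keyfile: Optional[str] = None,
) -> Callable[..., Callable[[], None]]:
    """Bind TLS settings so the result fits push_to_gateway(handler=...)."""

    def handler(url, method, timeout, headers, data):
        return tls_handler(url, method, timeout, headers, data,
                           cafile=cafile, certfile=certfile, keyfile=keyfile)

    return handler


if __name__ == "__main__":
    # Constructed example values; no network access is made here.
    server_only = make_pushgateway_handler(cafile=None)
    thunk = server_only("https://pushgateway.example:9091/metrics/job/demo",
                        "PUT", 5.0, [("Content-Type", "text/plain")], b"")
    print(describe_context(build_client_context()), callable(thunk))
```

Usage: `push_to_gateway(gateway, job, registry, handler=make_pushgateway_handler(cafile="/etc/ssl/gateway-ca.pem"))` verifies the gateway's certificate and hostname without presenting a client certificate; adding `certfile`/`keyfile` turns the same call into mTLS. Keep `insecure_skip_verify` for local testing only, since it accepts any certificate the gateway (or an interceptor) presents.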