Merge pull request #11 from newrelic-experimental/tlsconnectoptions

server certificate verification options

Author: jsbnr

copy-paste-example.js

@@ -26,17 +26,22 @@ The targets to test are provided by calling the function getTargets(). You can p
             "555.666.777.888",
         ]
     },
+    {
+        "domain":"self-signed-cert.com",
+        "allowUnauthorized": true
+    },
     {...}
 ]
 ```
 
-* `name`: Optional
-* `domain`: Required
-* `hosts`: Optional
-* `timeout`: Optional
+* `name`: Optional - Friendly Name of the site being tested
+* `domain`: Required - The domain name to test
+* `hosts`: Optional - An array of IP addresses to test, skipping DNS
+* `timeout`: Optional - miiliseconds timeout (default 5000)
+* `allowUnauthorized`: Optional - if `true` then cert will not be validated against CA (useful for self-signed)
 
 
-## Getting started (terraform)
+## Getting started (Terraform)
 
 1. Checkout the repo
 2. Copy `runtf.sh.sample` to `runtf.sh` and add your API keys
@@ -49,11 +54,13 @@ The targets to test are provided by calling the function getTargets(). You can p
 * Target Data Sources - `./terraform/main.tf`
 * Thresholds and timeouts - `./terraform/modules/sslchecker/modules/sslminion/src/synthetic.js` (built)
 
+The boilerplate example references [static_small.js](./terraform/targetdata/static_small.js) from `main.tf` which is a small java script funciton that defines the SSL (TLS) domains to test. There are some other exmaples here of how to specify these. You can event query an API to drive the configuration as demonstrated in [api-driven.js](./terraform/targetdata/api-driven.js).
+
 ### Dashboard
 
 The application comes with a built in dashboard. Set up alerts as you require.
 
 ![dashboard-example](dashboard.png)
 
 ## Getting started (Copy and Paste)
-Simply copy and paste the [`copy-paste-example.js`](./copy-paste-example.js) into a Scripted API synthetic monitor. You will need to provide an ingest API key (prefereably via a secure credential) and define your getTargets() function.
+Simply copy and paste the [`copy-paste-example.js`](./copy-paste-example.js) into a Scripted API synthetic monitor. You will need to provide an ingest API key (prefereably via a secure credential) and define your getTargets() function. Refer to the [example scripts](./terraform/targetdata/) for configuration ideas.

readme.md

@@ -4,13 +4,10 @@
 const tls = require('tls');
 
 const starttime= Date.now()
-console.log(`Start time:`,starttime)
-
+let socketErrorTriggered=false;
 const getSSLExpiration = function(connectionConfig,success,fail) {
     return new Promise((resolve, reject) => {
-        const sd = tls.connect(connectionConfig.port,connectionConfig.host, {
-            servername: connectionConfig.domain,
-        }, () => {
+        const sd = tls.connect(connectionConfig.port,connectionConfig.host, {servername: connectionConfig.domain, rejectUnauthorized: connectionConfig.rejectUnauthorized,}, () => {
             const certDetails = sd.getPeerCertificate(true);
 
             sd.end();
@@ -35,8 +32,8 @@ const getSSLExpiration = function(connectionConfig,success,fail) {
           reject(fail(`Error timeout to ${connectionConfig.host}:${connectionConfig.domain}`));
         });
         sd.on('error', function (err) {
-          console.log("Socket error",err);
-          reject(fail(`Error with connect to ${connectionConfig.host}:${connectionConfig.domain}`));
+          socketErrorTriggered=true;
+          reject(fail(`Socket error ${connectionConfig.host}:${connectionConfig.domain} ${err.code? '['+err.code+']' : ''}`));
         });
     })
 }
@@ -56,6 +53,7 @@ async function run() {
                 host: y,
                 url: `https://${y}`,
                 timeout: x.timeout ? x.timeout : DEFAULT_TIMEOUT,
+                allowUnauthorized: x.allowUnauthorized
             }))
         } else {
             return {
@@ -64,6 +62,7 @@ async function run() {
                 host: x.domain,
                 url: `https://${x.domain}`,
                 timeout: x.timeout ? x.timeout : DEFAULT_TIMEOUT,
+                allowUnauthorized: x.allowUnauthorized
             }
         }
     }));
@@ -81,7 +80,8 @@ async function run() {
                 host: target.host,
                 port: 443,
                 domain: target.domain,
-                timeout: target.timeout
+                timeout: target.timeout,
+                rejectUnauthorized: target.allowUnauthorized === undefined ? true : target.allowUnauthorized === true ? false : true // allow domain's to be self cert: the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails; err.code contains the OpenSSL error code. Default: false, will be checked). https://nodejs.org/docs/latest/api/tls.html#tlssocketrenegotiateoptions-callback 
             }
             promises.push(getSSLExpiration(connectionConfig,
                 (certData)=>{
@@ -110,7 +110,7 @@ async function run() {
                 (error)=>{
                     target.error=error
                     target.state="ERROR"
-                    scriptErrors.push(`Target '${target.name}' (${target.url} failed cert info lookup)`)
+                    scriptErrors.push(`Target '${target.name}' failed cert info lookup: ${target.error}`)
                 }
             ))
         })
@@ -187,14 +187,16 @@ async function run() {
     console.log(`Warnings: ${warningErrors.length}`)
     console.log(`Critical: ${criticalErrors.length}`)
     console.log("-----------------------")
-    console.log(`End time:`,Date.now())
     console.log(`Duration:`,Date.now()-starttime)
 
     let assertMessage=[]
     setAttribute("scriptErrors",scriptErrors.length)
     if(scriptErrors.length > 0){
         setAttribute("scriptErrorMsg",scriptErrors.join('|'))
         console.log("Script errors:",JSON.stringify(scriptErrors))
+        if(socketErrorTriggered) {
+            console.log("TIP: Some domains caused a socket error. You may need to consider ignoring authorization, e.g. for self signed certs. This can be configured by providing 'allowUnauthorized:true' option for the target.")
+        }
         assertMessage.push("SSL checker script error or some targets are in ERROR state")
     }
     setAttribute("criticalErrors",criticalErrors.length)