From d14d28caf83a7d5ad8655915cef3f0af6d30bbe3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 24 Jan 2023 08:22:00 -0500
Subject: [PATCH] Confirm TLS connectivity when scanning hosts

In certain environments, Confluent may have an IP address that is fake, but then there is elsewhere with that same IP for real. To mitigate this, follow up basic connectivity with proof of having an associated certificate.
---
 .../common/initramfs/opt/confluent/bin/apiclient | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
index d5bdbf6b..fc1aad87 100644
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@@ -304,6 +304,10 @@ class HTTPSClient(client.HTTPConnection, object):
     def check_connections(self):
         foundsrv = None
         hosts = self.hosts
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        ctx.load_verify_locations('/etc/confluent/ca.pem')
+        ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = True
         for timeo in (0.1, 5):
             for host in hosts:
                 try:
@@ -311,11 +315,14 @@ class HTTPSClient(client.HTTPConnection, object):
                     psock = socket.socket(addrinf[0])
                     psock.settimeout(timeo)
                     psock.connect(addrinf[4])
+                    ctx.wrap_socket(psock, server_hostname=host)
                     foundsrv = host
                     psock.close()
                     break
                 except OSError:
                     continue
+                except ssl.SSLError:
+                    continue
                 else:
                     continue
                 break
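Review bot: `ssl.PROTOCOL_SSLv23` on the first added line of the first hunk is the legacy alias of `PROTOCOL_TLS` and is deprecated from Python 3.10, so the context would be clearer and warning-free as `ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`, which already defaults `verify_mode` to `CERT_REQUIRED` and `check_hostname` to `True`; the two explicit assignments can then stay as documentation or be dropped, assuming the initramfs interpreter is 3.6 or later (inferred from `client.HTTPConnection`). A comment such as `# A verified TLS handshake against /etc/confluent/ca.pem proves the responder is the real deployment server, not just something answering on the port` would record why a TLS context is built in a method whose name only says it checks connections. check_connections continues past the end of this hunk.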
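Review bot: The added `except ssl.SSLError: continue` in the second hunk is unreachable on Python 3.3+, because `ssl.SSLError` is a subclass of `OSError` and the existing `except OSError:` clause above it already swallows handshake and certificate failures; either drop the new clause or place it before `except OSError:` if certificate failures should be logged or treated differently from plain connect failures. The `SSLSocket` returned by `ctx.wrap_socket(psock, server_hostname=host)` is discarded, and since wrapping detaches the file descriptor from `psock`, the following `psock.close()` no longer closes the real socket; `ssock = ctx.wrap_socket(psock, server_hostname=host)` followed by `ssock.close()` makes the cleanup explicit instead of relying on garbage collection. If `self.hosts` holds IP literals rather than DNS names, verification with `check_hostname = True` requires the server certificate to carry a matching IP SAN, which is worth confirming against how the deployment CA issues certificates. check_connections continues beyond the end of this hunk.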