Confirm TLS connectivity when scanning hosts

In certain environments, Confluent may have an IP address that is fake, but then there is elsewhere with that same IP for real. To mitigate this, follow up basic connectivity with proof of having an associated certificate.
2025-02-14 17:48:26 +00:00 · 2023-01-24 08:22:00 -05:00 · 2023-01-24 08:22:00 -05:00 · d14d28caf8
commit d14d28caf8
parent 0008998680
1 changed files with 7 additions and 0 deletions
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@ -304,6 +304,10 @@ class HTTPSClient(client.HTTPConnection, object):
    def check_connections(self):
        foundsrv = None
        hosts = self.hosts
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        ctx.load_verify_locations('/etc/confluent/ca.pem')
+        ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = True
        for timeo in (0.1, 5):
            for host in hosts:
                try:
@ -311,11 +315,14 @@ class HTTPSClient(client.HTTPConnection, object):
                    psock = socket.socket(addrinf[0])
                    psock.settimeout(timeo)
                    psock.connect(addrinf[4])
+                    ctx.wrap_socket(psock, server_hostname=host)
                    foundsrv = host
                    psock.close()
                    break
                except OSError:
                    continue
+                except ssl.SSLError:
+                    continue
            else:
                continue
            break