Merge pull request #465 from elastic/feature/verify-server-cert

Add support for Server certificate verification

Author: gregkalapos

docs/configuration.asciidoc

@@ -393,6 +393,26 @@ This string is used to ensure that only your agents can send data to your APM se
 Both the agents and the APM server have to be configured with the same secret token.
 Use this setting in case the APM Server requires a token (e.g. APM Server in Elastic Cloud).
 
+[float]
+[[config-verify-server-cert]]
+==== `VerifyServerCert` (added[1.3])
+
+[options="header"]
+|============
+| Environment variable name        | IConfiguration or Web.config key
+| `ELASTIC_APM_VERIFY_SERVER_CERT` | `ElasticApm:VerifyServerCert`
+|============
+
+[options="header"]
+|============
+| Default                 | Type
+| `true`                  | Boolean
+|============
+
+By default, the agent verifies the SSL certificate if you use an HTTPS connection to the APM server.
+
+Verification can be disabled by changing this setting to false.
+
 [float]
 [[config-flush-interval]]
 ==== `FlushInterval` (added[1.1])

src/Elastic.Apm/BackendComm/BackendCommUtils.cs

@@ -3,7 +3,9 @@
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Net.Security;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.RegularExpressions;
 using Elastic.Apm.Api;
@@ -105,6 +107,18 @@ private static void ConfigServicePoint(Uri serverUrlBase, IApmLogger logger) =>
 				servicePoint.ConnectionLimit = 20;
 			});
 
+		private static HttpClientHandler CreateHttpClientHandler(bool verifyServerCert, IApmLogger logger)
+		{
+			bool ServerCertificateCustomValidationCallback(HttpRequestMessage message, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors policyError)
+			{
+				if (policyError == SslPolicyErrors.None) return true;
+
+				logger.Trace()?.Log("Certificate validation failed. Policy error {PolicyError}", policyError);
+				return !verifyServerCert;
+			}
+
+			return new HttpClientHandler { ServerCertificateCustomValidationCallback = ServerCertificateCustomValidationCallback };
+		}
 
 		internal static HttpClient BuildHttpClient(IApmLogger loggerArg, IConfigSnapshot config, Service service, string dbgCallerDesc
 			, HttpMessageHandler httpMessageHandler = null
@@ -118,7 +132,8 @@ internal static HttpClient BuildHttpClient(IApmLogger loggerArg, IConfigSnapshot
 			logger.Debug()
 				?.Log("Building HTTP client with BaseAddress: {ApmServerUrl} for {dbgCallerDesc}..."
 					, serverUrlBase, dbgCallerDesc);
-			var httpClient = new HttpClient(httpMessageHandler ?? new HttpClientHandler()) { BaseAddress = serverUrlBase };
+			var httpClient =
+				new HttpClient(httpMessageHandler ?? CreateHttpClientHandler(config.VerifyServerCert, loggerArg)) { BaseAddress = serverUrlBase };
 			httpClient.DefaultRequestHeaders.UserAgent.Add(
 				new ProductInfoHeaderValue($"elasticapm-{Consts.AgentName}", AdaptUserAgentValue(service.Agent.Version)));
 			httpClient.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue("System.Net.Http",

src/Elastic.Apm/BackendComm/CentralConfigFetcher.cs

@@ -475,7 +475,10 @@ internal WrappingConfigSnapshot(IConfigSnapshot wrapped, ConfigDelta configDelta
 			public int TransactionMaxSpans => _configDelta.TransactionMaxSpans ?? _wrapped.TransactionMaxSpans;
 
 			public double TransactionSampleRate => _configDelta.TransactionSampleRate ?? _wrapped.TransactionSampleRate;
+
 			public bool UseElasticTraceparentHeader => _wrapped.UseElasticTraceparentHeader;
+
+			public bool VerifyServerCert => _wrapped.VerifyServerCert;
 		}
 	}
 }

src/Elastic.Apm/Config/AbstractConfigurationReader.cs

@@ -120,6 +120,13 @@ protected string ParseSecretToken(ConfigurationKeyValue kv)
 			return kv.Value;
 		}
 
+		protected bool ParseVerifyServerCert(ConfigurationKeyValue kv)
+		{
+			if (kv == null || string.IsNullOrEmpty(kv.Value)) return DefaultValues.VerifyServerCert;
+			// ReSharper disable once SimplifyConditionalTernaryExpression
+			return bool.TryParse(kv.Value, out var value) ? value : DefaultValues.VerifyServerCert;
+		}
+
 		protected bool ParseCaptureHeaders(ConfigurationKeyValue kv) => ParseBoolOption(kv, DefaultValues.CaptureHeaders, "CaptureHeaders");
 
 		protected LogLevel ParseLogLevel(ConfigurationKeyValue kv)

src/Elastic.Apm/Config/AbstractConfigurationWithEnvFallbackReader.cs

@@ -87,5 +87,8 @@ internal AbstractConfigurationWithEnvFallbackReader(IApmLogger logger, string de
 
 		public bool UseElasticTraceparentHeader => ParseUseElasticTraceparentHeader(Read(ConfigConsts.KeyNames.UseElasticTraceparentheader,
 			ConfigConsts.EnvVarNames.UseElasticTraceparentHeader));
+
+		public virtual bool VerifyServerCert =>
+			ParseVerifyServerCert(Read(ConfigConsts.KeyNames.VerifyServerCert, ConfigConsts.EnvVarNames.VerifyServerCert));
 	}
 }

src/Elastic.Apm/Config/ConfigConsts.cs

@@ -30,6 +30,7 @@ public static class DefaultValues
 			public const double TransactionSampleRate = 1.0;
 			public const string UnknownServiceName = "unknown";
 			public const bool UseElasticTraceparentHeader = true;
+			public const bool VerifyServerCert = true;
 
 			public static List<WildcardMatcher> DisableMetrics = new List<WildcardMatcher>();
 
@@ -84,6 +85,7 @@ public static class EnvVarNames
 			public const string TransactionMaxSpans = Prefix + "TRANSACTION_MAX_SPANS";
 			public const string TransactionSampleRate = Prefix + "TRANSACTION_SAMPLE_RATE";
 			public const string UseElasticTraceparentHeader = Prefix + "USE_ELASTIC_TRACEPARENT_HEADER";
+			public const string VerifyServerCert = Prefix + "VERIFY_SERVER_CERT";
 		}
 
 		public static class KeyNames
@@ -111,6 +113,7 @@ public static class KeyNames
 			public const string TransactionMaxSpans = "ElasticApm:TransactionMaxSpans";
 			public const string TransactionSampleRate = "ElasticApm:TransactionSampleRate";
 			public const string UseElasticTraceparentheader = "ElasticApm:UseElasticTraceparentHeder";
+			public const string VerifyServerCert = "ElasticApm:VerifyServerCert";
 		}
 
 		public static class SupportedValues

src/Elastic.Apm/Config/ConfigSnapshotFromReader.cs

@@ -40,5 +40,6 @@ internal ConfigSnapshotFromReader(IConfigurationReader content, string dbgDescri
 		public int TransactionMaxSpans => _content.TransactionMaxSpans;
 		public double TransactionSampleRate => _content.TransactionSampleRate;
 		public bool UseElasticTraceparentHeader => _content.UseElasticTraceparentHeader;
+		public bool VerifyServerCert => _content.VerifyServerCert;
 	}
 }

src/Elastic.Apm/Config/EnvironmentConfigurationReader.cs

@@ -70,6 +70,8 @@ public EnvironmentConfigurationReader(IApmLogger logger = null) : base(logger, T
 
 		public bool UseElasticTraceparentHeader => ParseUseElasticTraceparentHeader(Read(ConfigConsts.EnvVarNames.UseElasticTraceparentHeader));
 
+		public bool VerifyServerCert => ParseVerifyServerCert(Read(ConfigConsts.EnvVarNames.VerifyServerCert));
+
 		private ConfigurationKeyValue Read(string key) =>
 			new ConfigurationKeyValue(key, ReadEnvVarValue(key), Origin);
 	}

src/Elastic.Apm/Config/IConfigurationReader.cs

@@ -142,5 +142,11 @@ public interface IConfigurationReader
 		/// otherwise it'll use the official header name from w3c, which is "traceparewnt".
 		/// </summary>
 		bool UseElasticTraceparentHeader { get; }
+
+		/// <summary>
+		/// The agent verifies the server's certificate if an HTTPS connection to the APM server is used.
+		/// Verification can be disabled by setting to <c>false</c>.
+		/// </summary>
+		bool VerifyServerCert { get; }
 	}
 }

test/Elastic.Apm.Tests/ConfigTests.cs

@@ -753,6 +753,8 @@ public void GlobalLabels_invalid_input_tests(string optionValue)
 				);
 		}
 
+
+
 		/// <summary>
 		/// Disables CPU metrics and makes sure that remaining metrics are still captured
 		/// </summary>
@@ -779,6 +781,23 @@ public void DisableMetrics_DisableCpuMetrics()
 				.Contain(n => n.KeyValue.Key.Equals("system.process.memory.rss.bytes", StringComparison.InvariantCultureIgnoreCase));
 		}
 
+		[Fact]
+		public void DefaultVerifyServerCertIsTrue()
+		{
+			var agent = new ApmAgent(new TestAgentComponents());
+			agent.ConfigurationReader.VerifyServerCert.Should().BeTrue();
+		}
+
+		[Theory]
+		[InlineData("false", false)]
+		[InlineData("true", true)]
+		[InlineData("nonsense value", true)]
+		public void SetVerifyServerCert(string verifyServerCert, bool expected)
+		{
+			var agent = new ApmAgent(new TestAgentComponents(config: new MockConfigSnapshot(verifyServerCert: verifyServerCert)));
+			agent.ConfigurationReader.VerifyServerCert.Should().Be(expected);
+		}
+
 		private static double MetricsIntervalTestCommon(string configValue)
 		{
 			Environment.SetEnvironmentVariable(EnvVarNames.MetricsInterval, configValue);