implemented certificate pinning

We use the `assert_fingerprint` flag when creating the urllib3 connection.
The fingerprint is a hash of the pem encoded certificate of the server.

fixes #386

Author: beniwohli

docs/configuration.asciidoc

@@ -582,9 +582,23 @@ This disables most of the tracing functionality, but can be useful to debug poss
 
 By default, the agent verifies the SSL certificate if you use an HTTPS connection to the APM server.
 Verification can be disabled by changing this setting to `False`.
+This setting is ignored when <<config-server-cert,`server_cert`>> is set.
 
 NOTE: SSL certificate verification is only available in Python 2.7.9+ and Python 3.4.3+.
 
+[float]
+[[config-server-cert]]
+=== `ELASTIC_APM_SERVER_CERT`
+
+[options="header"]
+|============
+| Environment                | Django/Flask  | Default
+| `ELASTIC_APM_SERVER_CERT`  | `SERVER_CERT` | `None`
+|============
+
+If you have configured your APM Server with a self signed TLS certificate, or you
+just wish to pin the server certificate, you can specify the path to the PEM-encoded
+certificate via the `ELASTIC_APM_SERVER_CERT` configuration.
 
 [float]
 [[config-django-specific]]

elasticapm/conf/__init__.py

@@ -145,6 +145,18 @@ def __call__(self, value, field_name):
         return value
 
 
+class FileIsReadableValidator(object):
+    def __call__(self, value, field_name):
+        value = os.path.normpath(value)
+        if not os.path.exists(value):
+            raise ConfigurationError("{} does not exist".format(value), field_name)
+        elif not os.path.isfile(value):
+            raise ConfigurationError("{} is not a file".format(value), field_name)
+        elif not os.access(value):
+            raise ConfigurationError("{} is not accessible".format(value), field_name)
+        return value
+
+
 class _ConfigBase(object):
     _NO_VALUE = object()  # sentinel object
 
@@ -188,6 +200,7 @@ class Config(_ConfigBase):
     secret_token = _ConfigValue("SECRET_TOKEN")
     debug = _BoolConfigValue("DEBUG", default=False)
     server_url = _ConfigValue("SERVER_URL", default="http://localhost:8200", required=True)
+    server_cert = _ConfigValue("SERVER_CERT", default=None, required=False, validators=[FileIsReadableValidator()])
     verify_server_cert = _BoolConfigValue("VERIFY_SERVER_CERT", default=True)
     include_paths = _ListConfigValue("INCLUDE_PATHS")
     exclude_paths = _ListConfigValue("EXCLUDE_PATHS", default=compat.get_default_library_patters())

elasticapm/transport/http.py

@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+import hashlib
 import logging
 import os
 import ssl
@@ -9,7 +10,7 @@
 
 from elasticapm.transport.base import TransportException
 from elasticapm.transport.http_base import AsyncHTTPTransportBase, HTTPTransportBase
-from elasticapm.utils import compat
+from elasticapm.utils import compat, read_pem_file
 
 logger = logging.getLogger("elasticapm.transport.http")
 
@@ -18,14 +19,20 @@ class Transport(HTTPTransportBase):
     def __init__(self, url, **kwargs):
         super(Transport, self).__init__(url, **kwargs)
         pool_kwargs = {"cert_reqs": "CERT_REQUIRED", "ca_certs": certifi.where(), "block": True}
-        if not self._verify_server_cert:
+        if self._server_cert:
+            pool_kwargs.update(
+                {"assert_fingerprint": self.cert_fingerprint, "assert_hostname": False, "cert_reqs": ssl.CERT_NONE}
+            )
+            del pool_kwargs["ca_certs"]
+        elif not self._verify_server_cert:
             pool_kwargs["cert_reqs"] = ssl.CERT_NONE
             pool_kwargs["assert_hostname"] = False
         proxy_url = os.environ.get("HTTPS_PROXY", os.environ.get("HTTP_PROXY"))
         if proxy_url:
             self.http = urllib3.ProxyManager(proxy_url, **pool_kwargs)
         else:
             self.http = urllib3.PoolManager(**pool_kwargs)
+        self._cert_fingerprint = None
 
     def send(self, data):
         response = None
@@ -66,6 +73,16 @@ def send(self, data):
             if response:
                 response.close()
 
+    @property
+    def cert_fingerprint(self):
+        if self._server_cert:
+            with open(self._server_cert, "rb") as f:
+                cert_data = read_pem_file(f)
+            digest = hashlib.sha256()
+            digest.update(cert_data)
+            return digest.hexdigest()
+        return None
+
 
 class AsyncTransport(AsyncHTTPTransportBase, Transport):
     async_mode = True

elasticapm/transport/http_base.py

@@ -5,10 +5,19 @@
 
 class HTTPTransportBase(Transport):
     def __init__(
-        self, url, verify_server_cert=True, compress_level=5, metadata=None, headers=None, timeout=None, **kwargs
+        self,
+        url,
+        verify_server_cert=True,
+        compress_level=5,
+        metadata=None,
+        headers=None,
+        timeout=None,
+        server_cert=None,
+        **kwargs
     ):
         self._url = url
         self._verify_server_cert = verify_server_cert
+        self._server_cert = server_cert
         self._timeout = timeout
         self._headers = {
             k.encode("ascii")

elasticapm/utils/__init__.py

@@ -8,6 +8,7 @@
 :copyright: (c) 2010 by the Sentry Team, see AUTHORS for more details.
 :license: BSD, see LICENSE for more details.
 """
+import base64
 import os
 from functools import partial
 
@@ -95,3 +96,14 @@ def get_url_dict(url):
     if query:
         url_dict["search"] = encoding.keyword_field("?" + query)
     return url_dict
+
+
+def read_pem_file(file_obj):
+    cert = b""
+    for line in file_obj:
+        if line.startswith(b"-----BEGIN CERTIFICATE-----"):
+            break
+    for line in file_obj:
+        if not line.startswith(b"-----END CERTIFICATE-----"):
+            cert += line.strip()
+    return base64.b64decode(cert)

tests/transports/test_urllib3.py

@@ -1,6 +1,9 @@
+import os
+
 import mock
 import pytest
 import urllib3.poolmanager
+from pytest_localserver.https import DEFAULT_CERTIFICATE
 from urllib3.exceptions import MaxRetryError, TimeoutError
 from urllib3_mock import Responses
 
@@ -106,3 +109,23 @@ def test_ssl_verify_disable(waiting_httpsserver):
     transport = Transport(waiting_httpsserver.url, verify_server_cert=False)
     url = transport.send(compat.b("x"))
     assert url == "https://example.com/foo"
+
+
+def test_ssl_cert_pinning(waiting_httpsserver):
+    waiting_httpsserver.serve_content(code=202, content="", headers={"Location": "https://example.com/foo"})
+    transport = Transport(waiting_httpsserver.url, server_cert=DEFAULT_CERTIFICATE, verify_server_cert=True)
+    url = transport.send(compat.b("x"))
+    assert url == "https://example.com/foo"
+
+
+def test_ssl_cert_pinning_fails(waiting_httpsserver):
+    waiting_httpsserver.serve_content(code=202, content="", headers={"Location": "https://example.com/foo"})
+    transport = Transport(
+        waiting_httpsserver.url,
+        server_cert=os.path.join(os.path.dirname(__file__), "wrong_cert.pem"),
+        verify_server_cert=True,
+    )
+    with pytest.raises(TransportException) as exc_info:
+        transport.send(compat.b("x"))
+
+    assert "Fingerprints did not match" in exc_info.value.args[0]

tests/transports/wrong_cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9DCCAdygAwIBAgIRAPrpYLvUsk2GY0O0HrSy1tMwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xODExMjIwNjQyNDNaFw0xOTExMjIwNjQy
+NDNaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDzcGv/FzFuZTFZ882wWJwYhkah+LiVwXfcN3ZkkzXGI5emz2ghBhkx
+RXymZVXj7nX8KktXgPjIF+JUSuDexlp20dcy4Xq9Kfn/zZ025S3l+JqmByboGdU0
+cCl7t6nUvySPvVRVWxHuByVCHEWKU+ELR4zlVmREgdHlYj6UGeYsou4pUmYrQkrF
+Iw1o+LqTtQ70nUtr82u7qG6i76h0gUYI0bRxmkAwW2kSAsNSM2Hgqou+I+zX0T9v
+X6HGsh4pTU6XVJ/r+klBOZM0wXNh9lRQx2+3J8mTxKadXVrBCry333OIRIO9Vv56
+9pEGNHsUqvWMZhpKs7f323MNkMdIu+olAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA4GA1UdEQQHMAWC
+A2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAb9hSwjlOzSRWJ4BdJfuSBUjqRUTpulGX
+gGzNKH9PZM8wlpRh/Xiv09jN08XpW4pmnDFOMGZnYk4OR3et4pRmlJ2v8yPRsydD
+pr4BrKMykY+jsngmsp7tzZBt+vHACyqplD8K8SivIuxsXrbUu9ekkMemv0G82TmO
+ZUCerakCm8sojmQOTfb7ZqAfZifnGwTRi+6y3TCkwIupTL3l/S8E42L7l8gg+xGU
+5nYYHVgyZroEuoJtGVmvakJJpGLcEzD2ai4X212qKC1dp9cjzfWgWxImn9jivYqy
+cxsI6aaSYdZaM2JkmtnDLV0auBs0r8SN2nluFxxEStpK/zxn8SH5Sw==
+-----END CERTIFICATE-----