[nagiosplug] Add support for specifying SSL protocol version
Nagios Plugin Development
nagios-plugins at users.sourceforge.net
Mon May 28 17:30:11 CEST 2012
Module: nagiosplug
Branch: master
Commit: bc3307ed6e9911ef9a9e882b00bdb2fa32158fa3
Author: Holger Weiss <holger at zedat.fu-berlin.de>
Date: Mon May 28 17:16:04 2012 +0200
URL: http://nagiosplug.git.sf.net/git/gitweb.cgi?p=nagiosplug/nagiosplug;a=commit;h=bc3307e
Add support for specifying SSL protocol version
The check_http -S/--ssl option now takes an optional argument which
specifies the desired SSL/TLS protocol version (#3285367 - Jason Lunn).
---
NEWS | 1 +
THANKS.in | 1 +
plugins/check_http.c | 23 ++++++++++++++++-------
plugins/sslutils.c | 25 ++++++++++++++++++++++++-
4 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/NEWS b/NEWS
index 901eaed..fbc5c8b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ This file documents the major additions and syntax changes between releases.
check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699)
check_http now uses standard threshold functions (enables floating point and ranges)
check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski)
+ check_http now supports an optional -S/--ssl value to choose the SSL protocol version (#3066166 - Jason Lunn)
Add perfdata to check_ssh (#3244097 - Marco Beck)
New option to check_smtp to ignore failures when sending QUIT (#3358348 - Duncan Ferguson)
New check_by_ssh -F option which allows for specifying an alternative ssh_config(5) file (#2895334 - Sven Nierlein)
diff --git a/THANKS.in b/THANKS.in
index c6775bc..0b82024 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -269,3 +269,4 @@ Ryan Kelly
Stéphane Urbanovski
Marco Beck
Sebastian Harl
+Jason Lunn
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 3175f6c..ea7ddec 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -34,7 +34,7 @@
/* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */
const char *progname = "check_http";
-const char *copyright = "1999-2008";
+const char *copyright = "1999-2011";
const char *email = "nagiosplug-devel at lists.sourceforge.net";
#include "common.h"
@@ -59,6 +59,7 @@ enum {
#ifdef HAVE_SSL
int check_cert = FALSE;
int days_till_exp;
+int ssl_version;
char *randbuff;
X509 *server_cert;
# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -188,7 +189,7 @@ process_arguments (int argc, char **argv)
STD_LONG_OPTS,
{"link", no_argument, 0, 'L'},
{"nohtml", no_argument, 0, 'n'},
- {"ssl", no_argument, 0, 'S'},
+ {"ssl", optional_argument, 0, 'S'},
{"sni", no_argument, 0, SNI_OPTION},
{"post", required_argument, 0, 'P'},
{"method", required_argument, 0, 'j'},
@@ -234,7 +235,7 @@ process_arguments (int argc, char **argv)
}
while (1) {
- c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option);
+ c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLS::m:M:N", longopts, &option);
if (c == -1 || c == EOF)
break;
@@ -294,6 +295,13 @@ process_arguments (int argc, char **argv)
usage4 (_("Invalid option - SSL is not available"));
#endif
use_ssl = TRUE;
+ if (optarg == NULL)
+ ssl_version = 0;
+ else {
+ ssl_version = atoi(optarg);
+ if (ssl_version < 1 || ssl_version > 3)
+ usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ }
if (specify_port == FALSE)
server_port = HTTPS_PORT;
break;
@@ -798,7 +806,7 @@ check_http (void)
die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
- np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL));
+ np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);
if (check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
np_net_ssl_cleanup();
@@ -1323,8 +1331,9 @@ print_help (void)
printf (UT_IPv46);
#ifdef HAVE_SSL
- printf (" %s\n", "-S, --ssl");
- printf (" %s\n", _("Connect via SSL. Port defaults to 443"));
+ printf (" %s\n", "-S, --ssl=VERSION");
+ printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
+ printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
printf (" %s\n", "--sni");
printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
printf (" %s\n", "-C, --certificate=INTEGER");
@@ -1433,6 +1442,6 @@ print_usage (void)
printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
- printf (" [-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]\n");
+ printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
printf (" [-j method]\n");
}
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6e86dc6..2157764 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -41,6 +41,29 @@ int np_net_ssl_init (int sd) {
}
int np_net_ssl_init_with_hostname (int sd, char *host_name) {
+ return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
+}
+
+int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {
+ const SSL_METHOD *method = NULL;
+
+ switch (version) {
+ case 0: /* Deafult to auto negotiation */
+ method = SSLv23_client_method();
+ break;
+ case 1: /* TLSv1 protocol */
+ method = TLSv1_client_method();
+ break;
+ case 2: /* SSLv2 protocol */
+ method = SSLv2_client_method();
+ break;
+ case 3: /* SSLv3 protocol */
+ method = SSLv3_client_method();
+ break;
+ default: /* Unsupported */
+ printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));
+ return STATE_CRITICAL;
+ }
if (!initialized) {
/* Initialize SSL context */
SSLeay_add_ssl_algorithms ();
@@ -48,7 +71,7 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) {
OpenSSL_add_all_algorithms ();
initialized = 1;
}
- if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
+ if ((c = SSL_CTX_new (method)) == NULL) {
printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
return STATE_CRITICAL;
}
More information about the Commits
mailing list