[Nagiosplug-help] check_http -C : send an HTTP request when checking the certificate

Jim Cheetham jim.cheetham at otago.ac.nz
Mon Apr 8 05:07:07 CEST 2013


I have a strange HTTPS server here, that really doesn't like to see a connection that doesn't end up requesting some URL (it's an internal server-to-server API, so to be fair it isn't expecting to have many browsers/humans as clients).

Unfortunately, when I do an SSL certificate age check with check_http -C, no URL request is sent. This server logs an error, and also (I think) memory leaks and eventually dies.

I'd like to propose an extra option to check_http, that forces a URL to be sent during a certificate check (no need to change the current behaviour, that's normally just fine). The result of setting this option will be to suppress the early connection shutdown & return in check_http() when check_cert is TRUE, and to instead simply return the current value of result after the query has been sent, and the connection closed normally.

I haven't looked at writing the code for the option, but instead just verified that the functionality change was valid for my poor server.

Diffs for check_http.c :-

@@ -824,9 +824,12 @@
       return result;
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
+      // PROPOSED:
+      // if (check_cert_sendrequest == TRUE) {
       np_net_ssl_cleanup();
       if (sd) close(sd);
       return result;
+      // }
     }
   }
 #endif /* HAVE_SSL */
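
Review bot: the proposed guard around the early exit reads inverted relative to the description, and it is still commented out, so the three lines it wraps remain unconditional. The message says setting the option should suppress the early shutdown and return, but `if (check_cert_sendrequest == TRUE)` wrapped around `np_net_ssl_cleanup(); if (sd) close(sd); return result;` would take the early exit exactly when the option is set. Suggest `if (check_cert_sendrequest != TRUE) {` at that point, add a declaration and default for check_cert_sendrequest (none appears in the visible lines), and use `/* */` comments to match the surrounding code.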

@@ -939,6 +942,11 @@
 #endif
   if (sd) close(sd);
 
+  /* PROPOSED: If we were checking only the certificate, return now */
+  // if (check_cert == TRUE) {
+  //   return result;
+  // }
+
   /* Save check time */
   microsec = deltime (tv);
   elapsed_time = (double)microsec / 1.0e6;
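
Review bot: the late return in the added `if (check_cert == TRUE)` block hands back `result` roughly a hundred lines after np_net_ssl_check_cert() set it, so any assignment to `result` in between would replace the certificate status with the status of the HTTP exchange. Suggest storing the certificate result in its own variable in the first hunk and returning that here. Also confirm that np_net_ssl_cleanup() has already run on this path before returning, since the early exit in the first hunk calls it explicitly, and switch the `//` comments to `/* */` as used on the adjacent lines.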

What is the preferred method of submitting a fuller patch?
---
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham at otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 227 0015
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605



