summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Weiss <holger@zedat.fu-berlin.de>2012-05-07 10:11:48 (GMT)
committerHolger Weiss <holger@zedat.fu-berlin.de>2012-05-07 10:11:48 (GMT)
commit5a5d3d7013dbc098a5fed9831fa443af93bdd983 (patch)
tree5e989f7a3e3f77e454290613a52026de00175c35
parentefa2a32a167a0395f5430b56da437cc96cc276e8 (diff)
downloadmonitoring-plugins-5a5d3d7013dbc098a5fed9831fa443af93bdd983.tar.gz
Disable stateless SSL session resumption
Some versions of OpenSSL fail to negotiate the SSL connection with at least some versions of Tomcat if stateless SSL session resumption support (see RFC4507) is enabled: | CRITICAL - Cannot make SSL connection | 140099330348712:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1195:SSL alert number 10 The problem is reproducible with OpenSSL 1.0.0h, but not with OpenSSL 0.9.8o-4squeeze12 (as shipped with Debian 6.0.4). We work around it by disabling the RFC4507 functionality when using OpenSSL versions which support it. Thanks to Dag Bakke for reporting the issue and for giving me access to a server I could use to reproduce the problem.
-rw-r--r--NEWS1
-rw-r--r--plugins/sslutils.c3
2 files changed, 4 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index ef6548a..901eaed 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ This file documents the major additions and syntax changes between releases.
20 Fix check_procs where regex input of '|' would get displayed in output - now replaced with ',' 20 Fix check_procs where regex input of '|' would get displayed in output - now replaced with ','
21 Fix segfault in check_host when hostname returns multiple IP addresses (Sebastian Harl) 21 Fix segfault in check_host when hostname returns multiple IP addresses (Sebastian Harl)
22 Fix check_smtp and check_tcp where duplicate messages were displayed for certificate errors 22 Fix check_smtp and check_tcp where duplicate messages were displayed for certificate errors
23 Disable RFC4507 support, to work around SSL negotiation issues with (at least) some Tomcat versions
23 24
241.4.15 27th July 2010 251.4.15 27th July 2010
25 ENHANCEMENTS 26 ENHANCEMENTS
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 0bc61ed..6e86dc6 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -52,6 +52,9 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) {
52 printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); 52 printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
53 return STATE_CRITICAL; 53 return STATE_CRITICAL;
54 } 54 }
55#ifdef SSL_OP_NO_TICKET
56 SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
57#endif
55 if ((s = SSL_new (c)) != NULL){ 58 if ((s = SSL_new (c)) != NULL){
56#ifdef SSL_set_tlsext_host_name 59#ifdef SSL_set_tlsext_host_name
57 if (host_name != NULL) 60 if (host_name != NULL)