diff options
author | Holger Weiss <holger@zedat.fu-berlin.de> | 2015-10-04 23:28:35 +0200 |
---|---|---|
committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2015-10-04 23:28:35 +0200 |
commit | f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822 (patch) | |
tree | 51a749e312bd74ffae30f9b2da0bc891350a7299 | |
parent | a9b02e7affe6d940e1fb4830156d06e4d816458b (diff) | |
download | monitoring-plugins-f43083c.tar.gz |
check_http: Allow for requesting TLSv1.1/TLSv1.2
check_http's -S/--ssl option now allows for requesting the TLSv1.1 and
TLSv1.2 protocols. Apart from that, a '+' suffix can be appended in
oder to also accept newer protocols than the specified version.
Closes #1338, and closes #1354, and closes #1359.
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | plugins/check_http.c | 22 | ||||
-rw-r--r-- | plugins/netutils.h | 10 | ||||
-rw-r--r-- | plugins/sslutils.c | 81 |
4 files changed, 97 insertions, 20 deletions
@@ -9,6 +9,10 @@ This file documents the major additions and syntax changes between releases. | |||
9 | Make sure check_disk won't hang on hanging (network) file systems | 9 | Make sure check_disk won't hang on hanging (network) file systems |
10 | New check_mailq -s option which tells the plugin to use sudo(8) | 10 | New check_mailq -s option which tells the plugin to use sudo(8) |
11 | New -W/-C option for check_ldap to check number of entries (Gerhard Lausser) | 11 | New -W/-C option for check_ldap to check number of entries (Gerhard Lausser) |
12 | The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2" | ||
13 | to force TLSv1.1 and TLSv1.2 connections, respectively | ||
14 | The check_http -S/--ssl option now allows for specifying the desired | ||
15 | protocol with a "+" suffix to also accept newer versions | ||
12 | 16 | ||
13 | FIXES | 17 | FIXES |
14 | Let check_real terminate lines with CRLF when talking to the server, as | 18 | Let check_real terminate lines with CRLF when talking to the server, as |
diff --git a/plugins/check_http.c b/plugins/check_http.c index 51679975..b1a69e55 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c | |||
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv) | |||
343 | parameters, like -S and -C combinations */ | 343 | parameters, like -S and -C combinations */ |
344 | use_ssl = TRUE; | 344 | use_ssl = TRUE; |
345 | if (c=='S' && optarg != NULL) { | 345 | if (c=='S' && optarg != NULL) { |
346 | ssl_version = atoi(optarg); | 346 | int got_plus = strchr(optarg, '+') != NULL; |
347 | if (ssl_version < 1 || ssl_version > 3) | 347 | |
348 | usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)")); | 348 | if (!strncmp (optarg, "1.2", 3)) |
349 | ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2; | ||
350 | else if (!strncmp (optarg, "1.1", 3)) | ||
351 | ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1; | ||
352 | else if (optarg[0] == '1') | ||
353 | ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1; | ||
354 | else if (optarg[0] == '3') | ||
355 | ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3; | ||
356 | else if (optarg[0] == '2') | ||
357 | ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2; | ||
358 | else | ||
359 | usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)")); | ||
349 | } | 360 | } |
350 | if (specify_port == FALSE) | 361 | if (specify_port == FALSE) |
351 | server_port = HTTPS_PORT; | 362 | server_port = HTTPS_PORT; |
@@ -1467,9 +1478,10 @@ print_help (void) | |||
1467 | printf (UT_IPv46); | 1478 | printf (UT_IPv46); |
1468 | 1479 | ||
1469 | #ifdef HAVE_SSL | 1480 | #ifdef HAVE_SSL |
1470 | printf (" %s\n", "-S, --ssl=VERSION"); | 1481 | printf (" %s\n", "-S, --ssl=VERSION[+]"); |
1471 | printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); | 1482 | printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); |
1472 | printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).")); | 1483 | printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,")); |
1484 | printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.")); | ||
1473 | printf (" %s\n", "--sni"); | 1485 | printf (" %s\n", "--sni"); |
1474 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); | 1486 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); |
1475 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); | 1487 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); |
diff --git a/plugins/netutils.h b/plugins/netutils.h index c6fce901..2766029e 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h | |||
@@ -91,6 +91,16 @@ RETSIGTYPE socket_timeout_alarm_handler (int) __attribute__((noreturn)); | |||
91 | 91 | ||
92 | /* SSL-Related functionality */ | 92 | /* SSL-Related functionality */ |
93 | #ifdef HAVE_SSL | 93 | #ifdef HAVE_SSL |
94 | # define MP_SSLv2 1 | ||
95 | # define MP_SSLv3 2 | ||
96 | # define MP_TLSv1 3 | ||
97 | # define MP_TLSv1_1 4 | ||
98 | # define MP_TLSv1_2 5 | ||
99 | # define MP_SSLv2_OR_NEWER 6 | ||
100 | # define MP_SSLv3_OR_NEWER 7 | ||
101 | # define MP_TLSv1_OR_NEWER 8 | ||
102 | # define MP_TLSv1_1_OR_NEWER 9 | ||
103 | # define MP_TLSv1_2_OR_NEWER 10 | ||
94 | /* maybe this could be merged with the above np_net_connect, via some flags */ | 104 | /* maybe this could be merged with the above np_net_connect, via some flags */ |
95 | int np_net_ssl_init(int sd); | 105 | int np_net_ssl_init(int sd); |
96 | int np_net_ssl_init_with_hostname(int sd, char *host_name); | 106 | int np_net_ssl_init_with_hostname(int sd, char *host_name); |
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index d0ae4741..43b1a5a6 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
49 | 49 | ||
50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
51 | SSL_METHOD *method = NULL; | 51 | SSL_METHOD *method = NULL; |
52 | long options = 0; | ||
52 | 53 | ||
53 | switch (version) { | 54 | switch (version) { |
54 | case 0: /* Deafult to auto negotiation */ | 55 | case MP_SSLv2: /* SSLv2 protocol */ |
55 | method = SSLv23_client_method(); | ||
56 | break; | ||
57 | case 1: /* TLSv1 protocol */ | ||
58 | method = TLSv1_client_method(); | ||
59 | break; | ||
60 | case 2: /* SSLv2 protocol */ | ||
61 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | 56 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
62 | printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); | 57 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
63 | return STATE_CRITICAL; | 58 | return STATE_UNKNOWN; |
64 | #else | 59 | #else |
65 | method = SSLv2_client_method(); | 60 | method = SSLv2_client_method(); |
66 | #endif | ||
67 | break; | 61 | break; |
68 | case 3: /* SSLv3 protocol */ | 62 | #endif |
63 | case MP_SSLv3: /* SSLv3 protocol */ | ||
64 | #if defined(OPENSSL_NO_SSL3) | ||
65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); | ||
66 | return STATE_UNKNOWN; | ||
67 | #else | ||
69 | method = SSLv3_client_method(); | 68 | method = SSLv3_client_method(); |
70 | break; | 69 | break; |
71 | default: /* Unsupported */ | 70 | #endif |
72 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); | 71 | case MP_TLSv1: /* TLSv1 protocol */ |
73 | return STATE_CRITICAL; | 72 | #if defined(OPENSSL_NO_TLS1) |
73 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | ||
74 | return STATE_UNKNOWN; | ||
75 | #else | ||
76 | method = TLSv1_client_method(); | ||
77 | break; | ||
78 | #endif | ||
79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | ||
80 | #if !defined(SSL_OP_NO_TLSv1_1) | ||
81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | ||
82 | return STATE_UNKNOWN; | ||
83 | #else | ||
84 | method = TLSv1_1_client_method(); | ||
85 | break; | ||
86 | #endif | ||
87 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | ||
88 | #if !defined(SSL_OP_NO_TLSv1_2) | ||
89 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | ||
90 | return STATE_UNKNOWN; | ||
91 | #else | ||
92 | method = TLSv1_2_client_method(); | ||
93 | break; | ||
94 | #endif | ||
95 | case MP_TLSv1_2_OR_NEWER: | ||
96 | #if !defined(SSL_OP_NO_TLSv1_1) | ||
97 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | ||
98 | return STATE_UNKNOWN; | ||
99 | #else | ||
100 | options |= SSL_OP_NO_TLSv1_1; | ||
101 | #endif | ||
102 | /* FALLTHROUGH */ | ||
103 | case MP_TLSv1_1_OR_NEWER: | ||
104 | #if !defined(SSL_OP_NO_TLSv1) | ||
105 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | ||
106 | return STATE_UNKNOWN; | ||
107 | #else | ||
108 | options |= SSL_OP_NO_TLSv1; | ||
109 | #endif | ||
110 | /* FALLTHROUGH */ | ||
111 | case MP_TLSv1_OR_NEWER: | ||
112 | #if defined(SSL_OP_NO_SSLv3) | ||
113 | options |= SSL_OP_NO_SSLv3; | ||
114 | #endif | ||
115 | /* FALLTHROUGH */ | ||
116 | case MP_SSLv3_OR_NEWER: | ||
117 | #if defined(SSL_OP_NO_SSLv2) | ||
118 | options |= SSL_OP_NO_SSLv2; | ||
119 | #endif | ||
120 | case MP_SSLv2_OR_NEWER: | ||
121 | /* FALLTHROUGH */ | ||
122 | default: /* Default to auto negotiation */ | ||
123 | method = SSLv23_client_method(); | ||
74 | } | 124 | } |
75 | if (!initialized) { | 125 | if (!initialized) { |
76 | /* Initialize SSL context */ | 126 | /* Initialize SSL context */ |
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
94 | #endif | 144 | #endif |
95 | } | 145 | } |
96 | #ifdef SSL_OP_NO_TICKET | 146 | #ifdef SSL_OP_NO_TICKET |
97 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 147 | options |= SSL_OP_NO_TICKET; |
98 | #endif | 148 | #endif |
149 | SSL_CTX_set_options(c, options); | ||
99 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); | 150 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); |
100 | if ((s = SSL_new(c)) != NULL) { | 151 | if ((s = SSL_new(c)) != NULL) { |
101 | #ifdef SSL_set_tlsext_host_name | 152 | #ifdef SSL_set_tlsext_host_name |