summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Weiss <holger@zedat.fu-berlin.de>2015-10-04 23:28:35 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2015-10-04 23:28:35 +0200
commitf43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822 (patch)
tree51a749e312bd74ffae30f9b2da0bc891350a7299
parenta9b02e7affe6d940e1fb4830156d06e4d816458b (diff)
downloadmonitoring-plugins-f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822.tar.gz
check_http: Allow for requesting TLSv1.1/TLSv1.2
check_http's -S/--ssl option now allows for requesting the TLSv1.1 and TLSv1.2 protocols. Apart from that, a '+' suffix can be appended in oder to also accept newer protocols than the specified version. Closes #1338, and closes #1354, and closes #1359.
-rw-r--r--NEWS4
-rw-r--r--plugins/check_http.c22
-rw-r--r--plugins/netutils.h10
-rw-r--r--plugins/sslutils.c81
4 files changed, 97 insertions, 20 deletions
diff --git a/NEWS b/NEWS
index 1a4aead3..4adc8f8e 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ This file documents the major additions and syntax changes between releases.
9 Make sure check_disk won't hang on hanging (network) file systems 9 Make sure check_disk won't hang on hanging (network) file systems
10 New check_mailq -s option which tells the plugin to use sudo(8) 10 New check_mailq -s option which tells the plugin to use sudo(8)
11 New -W/-C option for check_ldap to check number of entries (Gerhard Lausser) 11 New -W/-C option for check_ldap to check number of entries (Gerhard Lausser)
12 The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2"
13 to force TLSv1.1 and TLSv1.2 connections, respectively
14 The check_http -S/--ssl option now allows for specifying the desired
15 protocol with a "+" suffix to also accept newer versions
12 16
13 FIXES 17 FIXES
14 Let check_real terminate lines with CRLF when talking to the server, as 18 Let check_real terminate lines with CRLF when talking to the server, as
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 51679975..b1a69e55 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv)
343 parameters, like -S and -C combinations */ 343 parameters, like -S and -C combinations */
344 use_ssl = TRUE; 344 use_ssl = TRUE;
345 if (c=='S' && optarg != NULL) { 345 if (c=='S' && optarg != NULL) {
346 ssl_version = atoi(optarg); 346 int got_plus = strchr(optarg, '+') != NULL;
347 if (ssl_version < 1 || ssl_version > 3) 347
348 usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)")); 348 if (!strncmp (optarg, "1.2", 3))
349 ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2;
350 else if (!strncmp (optarg, "1.1", 3))
351 ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1;
352 else if (optarg[0] == '1')
353 ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1;
354 else if (optarg[0] == '3')
355 ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3;
356 else if (optarg[0] == '2')
357 ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2;
358 else
359 usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
349 } 360 }
350 if (specify_port == FALSE) 361 if (specify_port == FALSE)
351 server_port = HTTPS_PORT; 362 server_port = HTTPS_PORT;
@@ -1467,9 +1478,10 @@ print_help (void)
1467 printf (UT_IPv46); 1478 printf (UT_IPv46);
1468 1479
1469#ifdef HAVE_SSL 1480#ifdef HAVE_SSL
1470 printf (" %s\n", "-S, --ssl=VERSION"); 1481 printf (" %s\n", "-S, --ssl=VERSION[+]");
1471 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); 1482 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1472 printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).")); 1483 printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
1484 printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
1473 printf (" %s\n", "--sni"); 1485 printf (" %s\n", "--sni");
1474 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); 1486 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1475 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); 1487 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
diff --git a/plugins/netutils.h b/plugins/netutils.h
index c6fce901..2766029e 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -91,6 +91,16 @@ RETSIGTYPE socket_timeout_alarm_handler (int) __attribute__((noreturn));
91 91
92/* SSL-Related functionality */ 92/* SSL-Related functionality */
93#ifdef HAVE_SSL 93#ifdef HAVE_SSL
94# define MP_SSLv2 1
95# define MP_SSLv3 2
96# define MP_TLSv1 3
97# define MP_TLSv1_1 4
98# define MP_TLSv1_2 5
99# define MP_SSLv2_OR_NEWER 6
100# define MP_SSLv3_OR_NEWER 7
101# define MP_TLSv1_OR_NEWER 8
102# define MP_TLSv1_1_OR_NEWER 9
103# define MP_TLSv1_2_OR_NEWER 10
94/* maybe this could be merged with the above np_net_connect, via some flags */ 104/* maybe this could be merged with the above np_net_connect, via some flags */
95int np_net_ssl_init(int sd); 105int np_net_ssl_init(int sd);
96int np_net_ssl_init_with_hostname(int sd, char *host_name); 106int np_net_ssl_init_with_hostname(int sd, char *host_name);
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index d0ae4741..43b1a5a6 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
49 49
50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
51 SSL_METHOD *method = NULL; 51 SSL_METHOD *method = NULL;
52 long options = 0;
52 53
53 switch (version) { 54 switch (version) {
54 case 0: /* Deafult to auto negotiation */ 55 case MP_SSLv2: /* SSLv2 protocol */
55 method = SSLv23_client_method();
56 break;
57 case 1: /* TLSv1 protocol */
58 method = TLSv1_client_method();
59 break;
60 case 2: /* SSLv2 protocol */
61#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) 56#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
62 printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); 57 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
63 return STATE_CRITICAL; 58 return STATE_UNKNOWN;
64#else 59#else
65 method = SSLv2_client_method(); 60 method = SSLv2_client_method();
66#endif
67 break; 61 break;
68 case 3: /* SSLv3 protocol */ 62#endif
63 case MP_SSLv3: /* SSLv3 protocol */
64#if defined(OPENSSL_NO_SSL3)
65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66 return STATE_UNKNOWN;
67#else
69 method = SSLv3_client_method(); 68 method = SSLv3_client_method();
70 break; 69 break;
71 default: /* Unsupported */ 70#endif
72 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); 71 case MP_TLSv1: /* TLSv1 protocol */
73 return STATE_CRITICAL; 72#if defined(OPENSSL_NO_TLS1)
73 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74 return STATE_UNKNOWN;
75#else
76 method = TLSv1_client_method();
77 break;
78#endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN;
83#else
84 method = TLSv1_1_client_method();
85 break;
86#endif
87 case MP_TLSv1_2: /* TLSv1.2 protocol */
88#if !defined(SSL_OP_NO_TLSv1_2)
89 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90 return STATE_UNKNOWN;
91#else
92 method = TLSv1_2_client_method();
93 break;
94#endif
95 case MP_TLSv1_2_OR_NEWER:
96#if !defined(SSL_OP_NO_TLSv1_1)
97 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98 return STATE_UNKNOWN;
99#else
100 options |= SSL_OP_NO_TLSv1_1;
101#endif
102 /* FALLTHROUGH */
103 case MP_TLSv1_1_OR_NEWER:
104#if !defined(SSL_OP_NO_TLSv1)
105 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106 return STATE_UNKNOWN;
107#else
108 options |= SSL_OP_NO_TLSv1;
109#endif
110 /* FALLTHROUGH */
111 case MP_TLSv1_OR_NEWER:
112#if defined(SSL_OP_NO_SSLv3)
113 options |= SSL_OP_NO_SSLv3;
114#endif
115 /* FALLTHROUGH */
116 case MP_SSLv3_OR_NEWER:
117#if defined(SSL_OP_NO_SSLv2)
118 options |= SSL_OP_NO_SSLv2;
119#endif
120 case MP_SSLv2_OR_NEWER:
121 /* FALLTHROUGH */
122 default: /* Default to auto negotiation */
123 method = SSLv23_client_method();
74 } 124 }
75 if (!initialized) { 125 if (!initialized) {
76 /* Initialize SSL context */ 126 /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
94#endif 144#endif
95 } 145 }
96#ifdef SSL_OP_NO_TICKET 146#ifdef SSL_OP_NO_TICKET
97 SSL_CTX_set_options(c, SSL_OP_NO_TICKET); 147 options |= SSL_OP_NO_TICKET;
98#endif 148#endif
149 SSL_CTX_set_options(c, options);
99 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); 150 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
100 if ((s = SSL_new(c)) != NULL) { 151 if ((s = SSL_new(c)) != NULL) {
101#ifdef SSL_set_tlsext_host_name 152#ifdef SSL_set_tlsext_host_name