diff options
author | Holger Weiss <holger@zedat.fu-berlin.de> | 2015-10-04 23:28:35 +0200 |
---|---|---|
committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2015-10-04 23:28:35 +0200 |
commit | f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822 (patch) | |
tree | 51a749e312bd74ffae30f9b2da0bc891350a7299 /plugins/sslutils.c | |
parent | a9b02e7affe6d940e1fb4830156d06e4d816458b (diff) | |
download | monitoring-plugins-f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822.tar.gz |
check_http: Allow for requesting TLSv1.1/TLSv1.2
check_http's -S/--ssl option now allows for requesting the TLSv1.1 and
TLSv1.2 protocols. Apart from that, a '+' suffix can be appended in
oder to also accept newer protocols than the specified version.
Closes #1338, and closes #1354, and closes #1359.
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r-- | plugins/sslutils.c | 81 |
1 files changed, 66 insertions, 15 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index d0ae4741..43b1a5a6 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
49 | 49 | ||
50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
51 | SSL_METHOD *method = NULL; | 51 | SSL_METHOD *method = NULL; |
52 | long options = 0; | ||
52 | 53 | ||
53 | switch (version) { | 54 | switch (version) { |
54 | case 0: /* Deafult to auto negotiation */ | 55 | case MP_SSLv2: /* SSLv2 protocol */ |
55 | method = SSLv23_client_method(); | ||
56 | break; | ||
57 | case 1: /* TLSv1 protocol */ | ||
58 | method = TLSv1_client_method(); | ||
59 | break; | ||
60 | case 2: /* SSLv2 protocol */ | ||
61 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | 56 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
62 | printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); | 57 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
63 | return STATE_CRITICAL; | 58 | return STATE_UNKNOWN; |
64 | #else | 59 | #else |
65 | method = SSLv2_client_method(); | 60 | method = SSLv2_client_method(); |
66 | #endif | ||
67 | break; | 61 | break; |
68 | case 3: /* SSLv3 protocol */ | 62 | #endif |
63 | case MP_SSLv3: /* SSLv3 protocol */ | ||
64 | #if defined(OPENSSL_NO_SSL3) | ||
65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); | ||
66 | return STATE_UNKNOWN; | ||
67 | #else | ||
69 | method = SSLv3_client_method(); | 68 | method = SSLv3_client_method(); |
70 | break; | 69 | break; |
71 | default: /* Unsupported */ | 70 | #endif |
72 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); | 71 | case MP_TLSv1: /* TLSv1 protocol */ |
73 | return STATE_CRITICAL; | 72 | #if defined(OPENSSL_NO_TLS1) |
73 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | ||
74 | return STATE_UNKNOWN; | ||
75 | #else | ||
76 | method = TLSv1_client_method(); | ||
77 | break; | ||
78 | #endif | ||
79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | ||
80 | #if !defined(SSL_OP_NO_TLSv1_1) | ||
81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | ||
82 | return STATE_UNKNOWN; | ||
83 | #else | ||
84 | method = TLSv1_1_client_method(); | ||
85 | break; | ||
86 | #endif | ||
87 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | ||
88 | #if !defined(SSL_OP_NO_TLSv1_2) | ||
89 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | ||
90 | return STATE_UNKNOWN; | ||
91 | #else | ||
92 | method = TLSv1_2_client_method(); | ||
93 | break; | ||
94 | #endif | ||
95 | case MP_TLSv1_2_OR_NEWER: | ||
96 | #if !defined(SSL_OP_NO_TLSv1_1) | ||
97 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | ||
98 | return STATE_UNKNOWN; | ||
99 | #else | ||
100 | options |= SSL_OP_NO_TLSv1_1; | ||
101 | #endif | ||
102 | /* FALLTHROUGH */ | ||
103 | case MP_TLSv1_1_OR_NEWER: | ||
104 | #if !defined(SSL_OP_NO_TLSv1) | ||
105 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | ||
106 | return STATE_UNKNOWN; | ||
107 | #else | ||
108 | options |= SSL_OP_NO_TLSv1; | ||
109 | #endif | ||
110 | /* FALLTHROUGH */ | ||
111 | case MP_TLSv1_OR_NEWER: | ||
112 | #if defined(SSL_OP_NO_SSLv3) | ||
113 | options |= SSL_OP_NO_SSLv3; | ||
114 | #endif | ||
115 | /* FALLTHROUGH */ | ||
116 | case MP_SSLv3_OR_NEWER: | ||
117 | #if defined(SSL_OP_NO_SSLv2) | ||
118 | options |= SSL_OP_NO_SSLv2; | ||
119 | #endif | ||
120 | case MP_SSLv2_OR_NEWER: | ||
121 | /* FALLTHROUGH */ | ||
122 | default: /* Default to auto negotiation */ | ||
123 | method = SSLv23_client_method(); | ||
74 | } | 124 | } |
75 | if (!initialized) { | 125 | if (!initialized) { |
76 | /* Initialize SSL context */ | 126 | /* Initialize SSL context */ |
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
94 | #endif | 144 | #endif |
95 | } | 145 | } |
96 | #ifdef SSL_OP_NO_TICKET | 146 | #ifdef SSL_OP_NO_TICKET |
97 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 147 | options |= SSL_OP_NO_TICKET; |
98 | #endif | 148 | #endif |
149 | SSL_CTX_set_options(c, options); | ||
99 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); | 150 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); |
100 | if ((s = SSL_new(c)) != NULL) { | 151 | if ((s = SSL_new(c)) != NULL) { |
101 | #ifdef SSL_set_tlsext_host_name | 152 | #ifdef SSL_set_tlsext_host_name |