diff options
author | Holger Weiss <holger@zedat.fu-berlin.de> | 2012-05-07 12:11:48 +0200 |
---|---|---|
committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2012-05-07 12:11:48 +0200 |
commit | 5a5d3d7013dbc098a5fed9831fa443af93bdd983 (patch) | |
tree | 5e989f7a3e3f77e454290613a52026de00175c35 /plugins | |
parent | efa2a32a167a0395f5430b56da437cc96cc276e8 (diff) | |
download | monitoring-plugins-5a5d3d7013dbc098a5fed9831fa443af93bdd983.tar.gz |
Disable stateless SSL session resumption
Some versions of OpenSSL fail to negotiate the SSL connection with at
least some versions of Tomcat if stateless SSL session resumption
support (see RFC4507) is enabled:
| CRITICAL - Cannot make SSL connection
| 140099330348712:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1195:SSL alert number 10
The problem is reproducible with OpenSSL 1.0.0h, but not with OpenSSL
0.9.8o-4squeeze12 (as shipped with Debian 6.0.4). We work around it by
disabling the RFC4507 functionality when using OpenSSL versions which
support it.
Thanks to Dag Bakke for reporting the issue and for giving me access to
a server I could use to reproduce the problem.
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/sslutils.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 0bc61ed3..6e86dc62 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -52,6 +52,9 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) { | |||
52 | printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); | 52 | printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); |
53 | return STATE_CRITICAL; | 53 | return STATE_CRITICAL; |
54 | } | 54 | } |
55 | #ifdef SSL_OP_NO_TICKET | ||
56 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | ||
57 | #endif | ||
55 | if ((s = SSL_new (c)) != NULL){ | 58 | if ((s = SSL_new (c)) != NULL){ |
56 | #ifdef SSL_set_tlsext_host_name | 59 | #ifdef SSL_set_tlsext_host_name |
57 | if (host_name != NULL) | 60 | if (host_name != NULL) |