-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | THANKS.in | 1 | ||||
-rw-r--r-- | plugins/check_http.c | 23 | ||||
-rw-r--r-- | plugins/sslutils.c | 25 |
4 files changed, 42 insertions, 8 deletions
@@ -6,6 +6,7 @@ This file documents the major additions and syntax changes between releases. | |||
6 | check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) | 6 | check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) |
7 | check_http now uses standard threshold functions (enables floating point and ranges) | 7 | check_http now uses standard threshold functions (enables floating point and ranges) |
8 | check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski) | 8 | check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski) |
9 | check_http now supports an optional -S/--ssl value to choose the SSL protocol version (#3066166 - Jason Lunn) | ||
9 | Add perfdata to check_ssh (#3244097 - Marco Beck) | 10 | Add perfdata to check_ssh (#3244097 - Marco Beck) |
10 | New option to check_smtp to ignore failures when sending QUIT (#3358348 - Duncan Ferguson) | 11 | New option to check_smtp to ignore failures when sending QUIT (#3358348 - Duncan Ferguson) |
11 | New check_by_ssh -F option which allows for specifying an alternative ssh_config(5) file (#2895334 - Sven Nierlein) | 12 | New check_by_ssh -F option which allows for specifying an alternative ssh_config(5) file (#2895334 - Sven Nierlein) |
@@ -269,3 +269,4 @@ Ryan Kelly | |||
269 | Stéphane Urbanovski | 269 | Stéphane Urbanovski |
270 | Marco Beck | 270 | Marco Beck |
271 | Sebastian Harl | 271 | Sebastian Harl |
272 | Jason Lunn | ||
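--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -34,7 +34,7 @@
 /* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */
 
 const char *progname = "check_http";
-const char *copyright = "1999-2008";
+const char *copyright = "1999-2011";
 const char *email = "nagiosplug-devel@lists.sourceforge.net";
 
 #include "common.h"
@@ -59,6 +59,7 @@ enum {
 #ifdef HAVE_SSL
 int check_cert = FALSE;
 int days_till_exp;
+int ssl_version;
 char *randbuff;
 X509 *server_cert;
 # define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -188,7 +189,7 @@ process_arguments (int argc, char **argv)
 STD_LONG_OPTS,
 {"link", no_argument, 0, 'L'},
 {"nohtml", no_argument, 0, 'n'},
-{"ssl", no_argument, 0, 'S'},
+{"ssl", optional_argument, 0, 'S'},
 {"sni", no_argument, 0, SNI_OPTION},
 {"post", required_argument, 0, 'P'},
 {"method", required_argument, 0, 'j'},
@@ -234,7 +235,7 @@ process_arguments (int argc, char **argv)
 }
 
 while (1) {
-c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option);
+c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLS::m:M:N", longopts, &option);
 if (c == -1 || c == EOF)
 break;
 
@@ -294,6 +295,13 @@ process_arguments (int argc, char **argv)
 usage4 (_("Invalid option - SSL is not available"));
 #endif
 use_ssl = TRUE;
+if (optarg == NULL)
+ssl_version = 0;
+else {
+ssl_version = atoi(optarg);
+if (ssl_version < 1 || ssl_version > 3)
+usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+}
 if (specify_port == FALSE)
 server_port = HTTPS_PORT;
 break;
@@ -798,7 +806,7 @@ check_http (void)
 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
 if (use_ssl == TRUE) {
-np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL));
+np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);
 if (check_cert == TRUE) {
 result = np_net_ssl_check_cert(days_till_exp);
 np_net_ssl_cleanup();
@@ -1323,8 +1331,9 @@ print_help (void)
 printf (UT_IPv46);
 
 #ifdef HAVE_SSL
-printf (" %s\n", "-S, --ssl");
-printf (" %s\n", _("Connect via SSL. Port defaults to 443"));
+printf (" %s\n", "-S, --ssl=VERSION");
+printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
+printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
 printf (" %s\n", "--sni");
 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
 printf (" %s\n", "-C, --certificate=INTEGER");
@@ -1433,6 +1442,6 @@ print_usage (void)
 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
 printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
-printf (" [-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]\n");
+printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
 printf (" [-j method]\n");
 }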
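Review bot: The new `ssl_version` parsing in process_arguments sits after the `#endif` that follows the "SSL is not available" usage4 call, while `int ssl_version;` is declared inside the `#ifdef HAVE_SSL` block in the globals hunk, so a build without SSL support appears to reference an undeclared variable; moving the declaration outside that `#ifdef`, or wrapping the parsing in `#ifdef HAVE_SSL`, avoids it. print_usage now advertises `[-S <version>]`, but with `S::` in the getopt string and `optional_argument` in longopts the value is only taken when attached, so `-S 3` leaves ssl_version at 0 and passes `3` on as a stray argument; the usage and help text should read `[-S<version>]` or `--ssl=<version>`. `atoi(optarg)` also accepts trailing junk such as `3x`; `char *end; long v = strtol(optarg, &end, 10); if (end == optarg || *end != '\0' || v < 1 || v > 3) usage4 (...); ssl_version = (int)v;` rejects it. The help text lists 2 (SSLv2) as a plain choice; SSLv2 is prohibited by RFC 6176, so the help line should mark it as insecure so operators do not pin it by accident.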
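--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -41,6 +41,29 @@ int np_net_ssl_init (int sd) {
 }
 
 int np_net_ssl_init_with_hostname (int sd, char *host_name) {
+return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
+}
+
+int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {
+const SSL_METHOD *method = NULL;
+
+switch (version) {
+case 0: /* Deafult to auto negotiation */
+method = SSLv23_client_method();
+break;
+case 1: /* TLSv1 protocol */
+method = TLSv1_client_method();
+break;
+case 2: /* SSLv2 protocol */
+method = SSLv2_client_method();
+break;
+case 3: /* SSLv3 protocol */
+method = SSLv3_client_method();
+break;
+default: /* Unsupported */
+printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));
+return STATE_CRITICAL;
+}
 if (!initialized) {
 /* Initialize SSL context */
 SSLeay_add_ssl_algorithms ();
@@ -48,7 +71,7 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) {
 OpenSSL_add_all_algorithms ();
 initialized = 1;
 }
-if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
+if ((c = SSL_CTX_new (method)) == NULL) {
 printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
 return STATE_CRITICAL;
 }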
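Review bot: `SSLv2_client_method()` in the new `case 2` of np_net_ssl_init_with_hostname_and_version is not provided when OpenSSL is built with `OPENSSL_NO_SSL2` (a common distribution configuration), so the switch will fail to compile or link there; that case should be guarded so such builds report the version as unsupported rather than breaking the build, and the same pattern applies to `SSLv3_client_method()` under `OPENSSL_NO_SSL3`. The diffstat lists no header change, so the prototype for the new function presumably still has to be added wherever np_net_ssl_init_with_hostname is declared, otherwise check_http.c calls it without a declaration. The comment on `case 0` reads `Deafult`; `/* Default to auto negotiation */`. The function continues past the end of the first hunk into the second.
```c
/* … unchanged: cases 0 and 1 … */
case 2: /* SSLv2 protocol */
#ifdef OPENSSL_NO_SSL2
	printf ("%s\n", _("CRITICAL - SSLv2 is not supported by this OpenSSL build."));
	return STATE_CRITICAL;
#else
	method = SSLv2_client_method();
	break;
#endif
/* … unchanged: case 3, default, SSL_CTX_new … */
```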