From 0489df95fc5ab2c84cd7830df97942a874e431d9 Mon Sep 17 00:00:00 2001
From: Thomas Guyot-Sionnest <dermoth@aei.ca>
Date: Wed, 20 May 2009 01:05:35 -0400
Subject: check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)

---
 NEWS                 | 1 +
 THANKS.in            | 1 +
 plugins/check_http.c | 2 +-
 plugins/netutils.h   | 1 +
 plugins/sslutils.c   | 13 ++++++++++++-
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 25009822..c5d820f8 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,7 @@ This file documents the major additions and syntax changes between releases.
 	Fixed typos for check_disk (Chris Pepper)
 	Fixed check_mysql* not using password set in my.cnf (#2531905 - Ben Timby) - Specify an empty password explicitly if you need to override it.
 	Fixed awk subst.in/subst script path error (#2722832 - Martin Foster)
+	check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)
 
 1.4.13 25th Sept 2008
 	Fix Debian bug #460097: check_http --max-age broken (Hilko Bengen)
diff --git a/THANKS.in b/THANKS.in
index b173eb6e..9209bcfc 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -252,3 +252,4 @@ Oskar Ahner
 Chris Pepper
 Ben Timby
 Martin Foster
+Joe Presbrey
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 03102033..79f6adf3 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -790,7 +790,7 @@ check_http (void)
     die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
   if (use_ssl == TRUE) {
-    np_net_ssl_init(sd);
+    np_net_ssl_init_with_hostname(sd, host_name);
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp);
       np_net_ssl_cleanup();
diff --git a/plugins/netutils.h b/plugins/netutils.h
index b479b741..572a3ae2 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
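Review bot: The rewritten call in check_http.c still discards the result of np_net_ssl_init_with_hostname, so when the handshake fails (the callee returns STATE_CRITICAL in the sslutils.c hunks) execution continues into the np_net_ssl_check_cert branch and whatever follows the hunk with no established session. Since this line is being changed anyway, it would be cheap to act on the return: `if (np_net_ssl_init_with_hostname(sd, host_name) != OK)` followed by `die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to establish SSL connection\n"));` — the callee appears to print its own diagnostic before returning, so the message here can stay short. check_http's body continues outside the hunk on both sides.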
@@ -99,6 +99,7 @@ extern int address_family;
 #ifdef HAVE_SSL
 /* maybe this could be merged with the above np_net_connect, via some flags */
 int np_net_ssl_init(int sd);
+int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 1d4ef94a..aa571b6c 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -35,7 +35,11 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
 
-int np_net_ssl_init (int sd){
+int np_net_ssl_init (int sd) {
+	return np_net_ssl_init_with_hostname(sd, NULL);
+}
+
+int np_net_ssl_init_with_hostname (int sd, char *host_name) {
 	if (!initialized) {
 		/* Initialize SSL context */
 		SSLeay_add_ssl_algorithms ();
@@ -48,6 +52,10 @@ int np_net_ssl_init (int sd){
 		return STATE_CRITICAL;
 	}
 	if ((s = SSL_new (c)) != NULL){
+#ifdef SSL_set_tlsext_host_name
+		if (host_name != NULL)
+			SSL_set_tlsext_host_name(s, host_name);
+#endif
 		SSL_set_fd (s, sd);
 		if (SSL_connect(s) == 1){
 			return OK;
@@ -65,6 +73,9 @@ int np_net_ssl_init (int sd){
 
 void np_net_ssl_cleanup (){
 	if(s){
+#ifdef SSL_set_tlsext_host_name
+		SSL_set_tlsext_host_name(s, NULL);
+#endif
 		SSL_shutdown (s);
 		SSL_free (s);
 		if(c) {
-- 
cgit v1.2.3-74-g34f1
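Review bot: The new prototype in netutils.h takes `char *host_name` although the name is only read, and unlike the neighbouring np_net_ssl_init declaration it carries no comment describing its contract. Declaring it `int np_net_ssl_init_with_hostname(int sd, const char *host_name);` lets callers pass const data or literals without a cast (the OpenSSL SSL_set_tlsext_host_name macro casts its argument to char * itself, so the definition in sslutils.c only needs the matching signature change). A one-line comment along the lines of `/* like np_net_ssl_init, but also sends host_name in the TLS SNI extension when it is non-NULL and the OpenSSL build supports it */` would document the NULL case that the np_net_ssl_init wrapper depends on.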
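Review bot: The result of SSL_set_tlsext_host_name on the added line in the second sslutils.c hunk is ignored; OpenSSL returns 0 when the name cannot be stored (for instance when it exceeds the maximum SNI length), and the handshake then proceeds silently without SNI, which on a name-based virtual host may return a certificate for a different site and make the subsequent np_net_ssl_check_cert result misleading. Checking it keeps the failure visible: `if (host_name != NULL && SSL_set_tlsext_host_name(s, host_name) != 1)` followed by `printf ("%s\n", _("WARNING - Could not set SNI host name"));`. Separately, RFC 6066 does not permit an IP literal as the SNI host name, and host_name reaches this function straight from the check_http.c -H value, so skipping the call when host_name parses as an address (e.g. via inet_pton) would avoid sending a non-compliant extension. np_net_ssl_init_with_hostname continues outside the hunk on both sides.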
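Review bot: The SSL_set_tlsext_host_name(s, NULL) call added to np_net_ssl_cleanup has no visible purpose: SSL_free two lines below releases the stored SNI name together with the rest of the SSL object, and as far as I can tell clearing the extension beforehand does not change what SSL_shutdown sends. If it is intentional (for example to work around a specific OpenSSL release) a comment such as `/* drop the SNI name explicitly before teardown; SSL_free would do this too */` with the reason would save the next reader the same question; otherwise the three added lines can be dropped. np_net_ssl_cleanup continues outside the hunk.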