--- nagios-plugins-1.4.15/plugins/sslutils.c 2010-07-27 20:47:16.000000000 +0000
+++ nagios-plugins-1.4.15-patched/plugins/sslutils.c 2011-04-12 14:13:29.035426121 +0000
@@ -40,6 +40,28 @@
}
int np_net_ssl_init_with_hostname (int sd, char *host_name) {
+ return np_net_ssl_init_with_hostname_and_version (sd, host_name, 0);
+}
+
+int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {
+ const SSL_METHOD * method = NULL;
+ switch ( version ) {
+ case 0: /* Deafult to auto negotiation */
+ method = SSLv23_client_method();
+ break;
+ case 1: /* TLSv1 protocol */
+ method = TLSv1_client_method();
+ break;
+ case 2: /* SSLv2 protocol */
+ method = SSLv2_client_method();
+ break;
+ case 3: /* SSLv3 protocol */
+ method = SSLv3_client_method();
+ break;
+ default: /* Unsupported */
+ printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));
+ return STATE_CRITICAL;
+ }
if (!initialized) {
/* Initialize SSL context */
SSLeay_add_ssl_algorithms ();
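Review bot: `SSLv2_client_method()` on the `case 2` branch is not declared when OpenSSL is configured with `OPENSSL_NO_SSL2` (the case for many distribution builds), so sslutils.c stops compiling there; the call should be guarded so that an SSLv2-less build reports the version as unsupported instead of failing to build. `np_net_ssl_init_with_hostname_and_version` is called from check_http.c, and this patch shows no prototype being added to the shared header, so unless that is done in a hunk outside this patch the call relies on an implicit declaration. The comment on `case 0` has a typo: `/* Default to auto negotiation */`. The new function's body continues past the end of this hunk.
```c
	case 2: /* SSLv2 protocol */
#ifndef OPENSSL_NO_SSL2
		method = SSLv2_client_method();
		break;
#else
		printf ("%s\n", _("CRITICAL - SSLv2 is not supported by this build of OpenSSL."));
		return STATE_CRITICAL;
#endif
	/* … unchanged: TLSv1, SSLv3 and default cases … */
```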
@@ -47,7 +69,7 @@
OpenSSL_add_all_algorithms ();
initialized = 1;
}
- if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
+ if ((c = SSL_CTX_new (method)) == NULL) {
printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
return STATE_CRITICAL;
}
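Review bot: `method` is declared `const SSL_METHOD *` in the preceding hunk, but older OpenSSL releases (0.9.8, which this code base still targets as far as I can tell) declare `SSL_CTX_new` as taking a non-const `SSL_METHOD *`, so `SSL_CTX_new (method)` is likely to draw a discarded-qualifier warning there; if both branches must build cleanly, either drop the `const` or cast at the call site with a comment explaining why. The enclosing function starts before this hunk.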
--- nagios-plugins-1.4.15/plugins/check_http.c 2010-07-27 20:47:16.000000000 +0000
+++ nagios-plugins-1.4.15-patched/plugins/check_http.c 2011-04-12 14:14:58.426446596 +0000
@@ -34,7 +34,7 @@
/* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */
const char *progname = "check_http";
-const char *copyright = "1999-2008";
+const char *copyright = "1999-2011";
const char *email = "nagiosplug-devel@lists.sourceforge.net";
#include "common.h"
@@ -59,6 +59,7 @@
#ifdef HAVE_SSL
int check_cert = FALSE;
int days_till_exp;
+int ssl_version;
char *randbuff;
X509 *server_cert;
# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -189,7 +190,7 @@
STD_LONG_OPTS,
{"link", no_argument, 0, 'L'},
{"nohtml", no_argument, 0, 'n'},
- {"ssl", no_argument, 0, 'S'},
+ {"ssl", optional_argument, 0, 'S'},
{"sni", no_argument, 0, SNI_OPTION},
{"post", required_argument, 0, 'P'},
{"method", required_argument, 0, 'j'},
@@ -235,7 +236,7 @@
}
while (1) {
- c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option);
+ c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLS::m:M:N", longopts, &option);
if (c == -1 || c == EOF)
break;
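Review bot: With `S::` the version has to be attached to the flag (`-S3` or `--ssl=3`); getopt_long never takes the next separate word as the argument of an optional-argument option, so `-S 3` leaves `optarg` NULL (auto-negotiation) and `3` remains as a stray non-option argument, which depending on how leftover arguments are handled may be taken as the host. The usage line changed at L251, `[-S <version>]`, advertises exactly that separated form; it should read `[-S[<version>]]` (or `[--ssl[=<version>]]`), and the help text in the hunk at L235-L245 should state that the value must be attached to the option.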
@@ -305,6 +306,21 @@
usage4 (_("Invalid option - SSL is not available"));
#endif
use_ssl = TRUE;
+ if (optarg == NULL)
+ ssl_version = 0;
+ else if (!is_intnonneg (optarg))
+ usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ else {
+ ssl_version = atoi( optarg );
+ switch ( ssl_version ) {
+ case 1:
+ case 2:
+ case 3: break;
+ default:
+ usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ break;
+ }
+ }
if (specify_port == FALSE)
server_port = HTTPS_PORT;
break;
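Review bot: The `switch` on `ssl_version` only distinguishes 1..3 from everything else, and it repeats the same validation message that the `is_intnonneg` branch already prints, so a range check keeps the literal in one place: `ssl_version = atoi (optarg); if (ssl_version < 1 || ssl_version > 3) usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));`. Note that `is_intnonneg` only guarantees a non-negative digit string, so a very long value can still overflow `atoi` before the range check; `strtol` with an `ERANGE` check would close that gap if the file already includes `<errno.h>`. The `break;` after `usage4` in the `default` case is unreachable if `usage4` exits, as its use elsewhere in this file suggests.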
@@ -807,7 +823,7 @@
die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
- np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL));
+ np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);
if (check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
np_net_ssl_cleanup();
@@ -1335,8 +1351,10 @@
printf (UT_IPv46);
#ifdef HAVE_SSL
- printf (" %s\n", "-S, --ssl");
+ printf (" %s\n", "-S, --ssl=VERSION");
printf (" %s\n", _("Connect via SSL. Port defaults to 443"));
+ printf (" %s\n", _("VERSION is optional, and prevents auto negotiation."));
+ printf (" %s\n", _("1 = TLSv1, 2 = SSLv2, 3 = SSLv3."));
printf (" %s\n", "--sni");
printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
printf (" %s\n", "-C, --certificate=INTEGER");
@@ -1441,6 +1459,6 @@
printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
- printf (" [-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]\n");
+ printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
printf (" [-j method]\n");
}