[Nagiosplug-devel] sslutils patch : show certificate subject

Stéphane Urbanovski stephane.urbanovski at ac-nancy-metz.fr
Wed Dec 29 11:35:57 CET 2010


Le 23/12/2010 18:02, Thomas Guyot-Sionnest a écrit :
> On 10-12-03 12:26 PM, Stéphane Urbanovski wrote:
>> No comments ?
>>
>
> I do have some...

Ok, thanks for reviewing.

> 1.
>
> +	char cn[128] = "?";
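Review bot: the literal 128 in `char cn[128] = "?";` should be a named macro, and every copy into `cn` should be bounded by `sizeof(cn)` rather than by a repeated number, so the buffer size and the copy bound cannot drift apart; a silently truncated CN would otherwise be compared or displayed as if it were complete.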
>
> Where has 128 been taken from? Could it be defined as a macro, so
> changing it doesn't require finding all the places where this number or
> a derivative is used?

This choice is completely arbitrary. The CN is used only as 
additional information in the output message.
Using a macro should be cleaner and allow us to get further (checking 
the certificate subject value, for example).

> 2.
>
> +	if(! subj){
> +		printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
> +		return STATE_CRITICAL;
> +	}
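Review bot: returning STATE_CRITICAL when `subj` is NULL treats a certificate the plugin could not read as a failed check; since the subject DN may legitimately be empty when a subjectAltName is present, this path should report the subject as unknown (or return STATE_UNKNOWN) and leave the verdict to the name check, and the condition would read better in the conventional `if (!subj) {` spacing.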
>
> Why would that be critical? Is it possible that a cert does not specify a
> subject, and is still used for authentication/encryption?

The subject in the form of a Distinguished Name (DN) is mandatory in an 
X509 certificate, but it may be empty when using a subjectAltName (see 
http://tools.ietf.org/html/rfc5280 and http://tools.ietf.org/html/rfc2818).
The subjectAltName is not implemented here.

The proposed patch checks the "CN" of the subject. It may be improved by 
also checking the "dNSName" attribute.


> 3. Shouldn't *subj be freed at the end?

Certainly :-/

> 4. Patch should use /* ... */ comments only, some c compilers do not
> like c++-style comments (// ...)

I'll fix this.

> I can fix the comments; please address the first 3 points and then I can
> look at applying the patch. This will also require some tests fixes and
> additions, which I can do as well when I find the time for that...

At least check_http.t certificate checking should be fixed. I can 
provide a patch for it.


> I'm particularly interested about #2: if this is the correct behaviour,
> could you please link to some specification that say so? Otherwise I'd
> rather retain the previous behaviour - or just use "unknown" - when the
> subject cannot be retrieved.
>
> Thanks
>
> - --
> Thomas


-- 
Stéphane Urbanovski
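The name check the thread is converging on (subject CN, with subjectAltName dNSName as the improvement mentioned above), as an added example that is not part of the patch or of the plugin's code; it assumes the names have already been pulled out of the certificate (the OpenSSL calls are not shown), and CN_MAX_LEN, copy_cn, cert_identity_matches and the sample values are invented for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CN_MAX_LEN 128   /* named bound for the CN buffer instead of a bare 128 */
/* Constructed sample: subject CN is empty, subjectAltName has two dNSName entries. */
const char *const sample_san[] = { "www.example.org", "*.mail.example.org" };
#define SAMPLE_SAN_COUNT 2
char sample_cn[CN_MAX_LEN] = "?";

/* RFC 2818 section 3.1: compare case-insensitively; a leading "*." stands for
 * exactly one left-most label (partial-label wildcards like "f*.com" not handled). */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0; /* wildcard must cover a real label */
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Copy a CN into a fixed buffer; -1 on truncation rather than silently cutting
 * a name that would then be matched or displayed as if complete. */
int copy_cn(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 if the certificate names the expected host. Per RFC 2818 the CN is ignored
 * whenever a dNSName is present; it is only a fallback, and an empty CN never matches. */
int cert_identity_matches(const char *cn, const char *const *san_dns,
                          size_t n_san, const char *host)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (dns_name_matches(san_dns[i], host)) return 1;
        return 0;
    }
    return cn != NULL && cn[0] != '\0' && dns_name_matches(cn, host);
}

int main(void)
{
    int ok = cert_identity_matches("", sample_san, SAMPLE_SAN_COUNT, "smtp.mail.example.org");
    printf("smtp.mail.example.org: %s\n", ok ? "matches SAN wildcard" : "no match");
    return ok ? 0 : 1;
}
```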