[Nagiosplug-devel] New release planned next week

Jochen Bern Jochen.Bern at LINworks.de
Tue Sep 17 14:30:48 CEST 2013


On 16.09.2013 14:54, Holger Weiß wrote:
> With newer OpenSSL releases, the semantics are a bit weirdo:
> | In order to ensure interoperability SSL_OP_NO_protocolX does not disable
> | just protocol X, but all protocols above X *if* there are protocols
> | *below* X still enabled.
> [ http://www.openssl.org/news/changelog.html ]

It also means that my quick patch is broken *already*, given a
sufficiently recent OpenSSL, as is the basic approach (which is assuming
that there are N=3 protocols so that there's no uncharted territory
between "1 allowed" and "N-1 allowed"). :-/

> More importantly, I guess other users might want to combine e.g.
> SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, so maybe we should support this?

OR'ing constant values together and passing the result to the OpenSSL
calls should be easy enough; it might be more of a challenge to come up
with a plugin options syntax that can keep up with future protocol
designations. Yesterday, we had SSLv2/SSLv3/TLSv1(.0), today, versions
1.1 and 1.2 of TLS have appeared, and there's nothing to keep tomorrow's
contender from going by the name of FOOBARBAZ 0.0.7 or requiring an
explicit *en*able instead of a *dis*able, I'm afraid ...

(If you meant to have the CLI options say "SSL_OP_NO_SSLv2" etc., just
as they're called by OpenSSL itself: That solves the naming problem, of
course, but it also maximizes the dependency of the parameters I need to
put into the Nagios config on the exact version of the underlying
OpenSSL library - which yum etc. can happily change with every update
window ...)

Regards,
								J. Bern
-- 
*NEW* - NEC IT infrastructure products at <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, managing directors Metin Dogan, Oliver Michel
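
Added example, not part of the original message or of the plugin's code: a C sketch that parses a comma-separated protocol list (a hypothetical option syntax) into a disable mask and applies the rule from the changelog quoted above to show which protocols actually stay enabled. The flag values and all function names are assumptions for illustration, not OpenSSL's SSL_OP_NO_* constants.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative bit flags, ordered lowest to highest protocol.
 * Assumption: these are NOT OpenSSL's SSL_OP_NO_* values. */
enum { P_SSLV2 = 1 << 0, P_SSLV3 = 1 << 1, P_TLSV1 = 1 << 2,
       P_TLSV1_1 = 1 << 3, P_TLSV1_2 = 1 << 4, P_ALL = (1 << 5) - 1 };
#define NPROTO 5
static const char *const names[NPROTO] =
    { "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };

/* Parse a hypothetical option value such as "SSLv2,SSLv3" into a disable
 * mask. Returns -1 for a name this build does not know. */
int parse_disable_list(const char *arg)
{
    int mask = 0;
    while (*arg) {
        size_t len = strcspn(arg, ",");
        int i, found = 0;
        for (i = 0; i < NPROTO; i++)
            if (strlen(names[i]) == len && strncmp(arg, names[i], len) == 0) {
                mask |= 1 << i;
                found = 1;
            }
        if (!found)
            return -1;
        arg += len;
        if (*arg == ',')
            arg++;
    }
    return mask;
}

/* Model of the quoted changelog rule: disabling X also disables everything
 * above X while a protocol below X is enabled, so the usable set is the
 * contiguous run starting at the lowest enabled protocol. */
int effective_enabled(int disabled)
{
    int enabled = 0, i = 0;
    while (i < NPROTO && (disabled & (1 << i)))    /* skip disabled low end */
        i++;
    for (; i < NPROTO && !(disabled & (1 << i)); i++)
        enabled |= 1 << i;                         /* stop at first gap */
    return enabled;
}

/* Nonzero when the mask asks for a set the rule will not deliver. */
int has_hole(int disabled)
{
    return effective_enabled(disabled) != (P_ALL & ~disabled);
}
```

Disabling only TLSv1 in this model leaves just SSLv2 and SSLv3 usable, so a plugin taking such a list should reject or warn on masks for which `has_hole()` is nonzero.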



