check_ldap: add certificate support (#1195)

Jochen Bern Jochen.Bern at
Wed Jan 29 18:53:09 CET 2014

On 29.01.2014 04:58, Thomas Guyot-Sionnest wrote:
> one weird thing I noticed is that for straight up SSL services,
> check_http certificate check works!

That's because - as far as I can tell without examining the code -
having check_http do a cert check terminates/ignores/whatever all
communication following the server cert presentation, and thus the HTTP
part of HTTPS. In other words, it *does* behave like a check_tcp plus
cert check; if I remember correctly, it will even happily *ignore* all
additional limits etc. specified for time, size, string match, etc. from
the command line. Note that that might very well *not* be what we want
check_*http* to do in the long run.

> Then once we get there, what prevent us form adding just the required
> logic in check_tcp to implement the STARTTLS certificate checks for
> every other STARTTLS-cabaple protocol?

The fact that STARTTLS, more precisely the proper point at which to
issue that command, is *embedded into* said STARTTLS-enabled protocol.
Hence OpenSSL's requirement of specifying said protocol (out of two
currently supported) when you do an "openssl s_client -connect -starttls $HERES_DA_MAGIC_KEYWORD".

Kind regards,
								J. Bern
*NEU* - NEC IT-Infrastruktur-Produkte im <>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH <>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel

More information about the Devel mailing list