check_http - support TLS v1.2 (#1338)

seccentral notifications at github.com
Tue Sep 15 17:53:20 CEST 2015


Big update on this and solution *nohack* 
So how do you check a host with SNI ? like this :
openssl s_client -connect www.example.com:443 -servername www.example.com 
works perfectly. And this made me think.

now back to the icinga1/2/nagios/etc check_http execution.
this is the correct way to use the command to check a webhost with sni 
check_http -H www.example.com -S --sni 
HTTP OK: HTTP/1.1 200 OK - 13667 bytes in 1.031 second response time
|time=1.031097s;;;0.000000 size=13667B;;;0
Now, -H stands for vhost but i guess in the context of sni it's somewhat the
same thing tho the documentation should be updated.

Here is a host object definition for such a check 
sequence from hosts.conf 
====
[...]
object Host www.example.com { 
 address www.example.com 
 vars.http_vhost = "www.example.com"
 vars.http_sni = "true"
 vars.server_type = "Web Servers" 
 vars[...] # any other required on-setup vars 
}
[...]

and the check is simple . 
sequence from a customservicechecks.conf *justanexamplename*
====
[...]
apply Service "https" {
        import "generic-service"
        check_command = "http"
        vars.http_ssl = "true"
       assign where host.vars.server_type == "Web Servers" 
}
[...]

Now i don't know about nagios 1/2/3/4, this is icinga2 syntax but this
should be adaptable to nagios configs. 

Yay and big thanks to Mr. Rob Stradling at openssl who (although unrelated
to nagios/icinga) gave me a very important hint. 
Rock on \m/

-- 
Reply to this email on GitHub:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1338#issuecomment-140439377
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-plugins.org/archive/devel/attachments/20150915/3c1124bf/attachment.html>


More information about the Devel mailing list