check_http - support TLS v1.2 (#1338)
Stuart Henderson
stu at spacehopper.org
Fri Sep 18 18:24:35 CEST 2015
On 2015-09-18, Gsemia <notifications at github.com> wrote:
>
> PCI demanded from my company to disable internal TLSv1 Access to our Servers
> immediately. Only Public TLSv1 Access is still allowed until 2015-06-31.
> This means Monitoring is also affected and needs to have TLSv1 disabled.
> Having check_http not support TLSv1.2 breaks our Nagios monitoring.
>
You could do something like this, which changes the default check to
TLSv1.0+ (SSLv2 and SSLv3 are refused when no version is given — I think
at this point in the game it's reasonable to consider a service which
doesn't support TLS at all as down/broken ;-) and adds a new option to
enforce TLSv1.2+ (letting it auto-negotiate and connect to future protocol
versions).
--- plugins/check_http.c.orig Sun Nov 30 10:36:26 2014
+++ plugins/check_http.c Fri Sep 18 17:10:46 2015
@@ -344,8 +344,8 @@ process_arguments (int argc, char **argv)
use_ssl = TRUE;
if (c=='S' && optarg != NULL) {
ssl_version = atoi(optarg);
- if (ssl_version < 1 || ssl_version > 3)
- usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ if (ssl_version < 1 || ssl_version > 4)
+ usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) or 4 (TLSv1.2+)"));
}
if (specify_port == FALSE)
server_port = HTTPS_PORT;
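Review bot: The widened range check still trusts `atoi(optarg)` on the line above it, so a value like `-S 4x` is accepted as 4 and any non-numeric string is reported as an out-of-range version rather than as malformed input; the new upper bound does not address this. A `strtol` with an end-pointer check rejects both cases cleanly, e.g. `char *end; long v = strtol(optarg, &end, 10);` followed by `if (end == optarg || *end != '\0' || v < 1 || v > 4) usage4 (...);` and `ssl_version = (int)v;`. The `atoi` line is pre-existing, and process_arguments starts and ends outside the hunk.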
@@ -1468,8 +1468,8 @@ print_help (void)
#ifdef HAVE_SSL
printf (" %s\n", "-S, --ssl=VERSION");
- printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
- printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
+ printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"));
+ printf (" %s\n", _("particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."));
printf (" %s\n", "--sni");
printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
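Review bot: The rewritten help text says VERSION "forces a particular version" but does not say what happens when it is omitted, and this same patch changes that default in sslutils.c to refuse SSLv2 and SSLv3; an operator monitoring an SSLv3-only host will see the check go CRITICAL after upgrading with no hint in `--help`. Add one more line after the version list, e.g. `printf (" %s\n", _("Without VERSION, SSLv2 and SSLv3 are refused and any TLS version is negotiated."));`, and call out the changed default in the release notes. These `-S` lines are a small part of print_help, which starts and ends outside the hunk.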
--- plugins/sslutils.c.orig Sun Nov 30 10:36:26 2014
+++ plugins/sslutils.c Fri Sep 18 17:05:25 2015
@@ -49,12 +49,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd,
int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
SSL_METHOD *method = NULL;
+ long options = 0;
switch (version) {
- case 0: /* Deafult to auto negotiation */
+ case 0: /* Default to auto negotiate, TLS only */
+ options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
method = SSLv23_client_method();
break;
- case 1: /* TLSv1 protocol */
+ case 1: /* TLSv1.0 only */
method = TLSv1_client_method();
break;
case 2: /* SSLv2 protocol */
@@ -66,8 +68,22 @@ int np_net_ssl_init_with_hostname_version_and_cert(int
#endif
break;
case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+ printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+ return STATE_CRITICAL;
+#else
method = SSLv3_client_method();
+#endif
break;
+ case 4: /* TLSv1.2+ only */
+#if !defined(SSL_OP_NO_TLSv1_2) || !defined(SSL_OP_NO_TLSv1_1) || !defined(SSL_OP_NO_TLSv1)
+ printf(("%s\n", _("CRITICAL - TLS protocol version 1.2 is not supported by your SSL library.")));
+ return STATE_CRITICAL;
+#else
+ method = SSLv23_client_method();
+ options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
+ break;
+#endif
default: /* Unsupported */
printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
return STATE_CRITICAL;
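Review bot: The two new error paths under the `OPENSSL_NO_SSL3` guard and the TLSv1.2 guard wrap the printf arguments in an extra pair of parentheses, `printf(("%s\n", _("CRITICAL - ...")));`, which turns the argument into a comma expression: `"%s\n"` is discarded and the translated message itself becomes the format string, so no newline is emitted and any translation containing `%` would be undefined behaviour (the existing default case a few lines below has the correct form). Change them to `printf("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."));` and `printf("%s\n", _("CRITICAL - TLS protocol version 1.2 is not supported by your SSL library."));`. In case 4 the `break;` also sits inside the `#else` branch before `#endif`; placing it after `#endif` as case 3 does keeps the two cases parallel. The enclosing np_net_ssl_init_with_hostname_version_and_cert starts and ends outside the hunk.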
@@ -94,8 +110,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int
#endif
}
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+ options |= SSL_OP_NO_TICKET;
#endif
+ SSL_CTX_set_options(c, options);
SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
if ((s = SSL_new(c)) != NULL) {
#ifdef SSL_set_tlsext_host_name
--- po/de.po.orig Mon Dec 1 23:46:17 2014
+++ po/de.po Fri Sep 18 17:12:25 2015
@@ -1182,8 +1182,8 @@ msgstr "Ung�ltiger Zertifikatsablauftermin"
#: plugins/check_http.c:348
msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
msgstr ""
#: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1442,11 +1442,11 @@ msgstr ""
#: plugins/check_http.c:1471
msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
msgstr ""
#: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
msgstr ""
#: plugins/check_http.c:1474
--- po/fr.po.orig Mon Dec 1 23:46:17 2014
+++ po/fr.po Fri Sep 18 17:12:32 2015
@@ -1221,8 +1221,8 @@ msgstr "Période d'expiration du certificat invalide"
#: plugins/check_http.c:348
msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
msgstr ""
#: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1483,11 +1483,11 @@ msgstr "Numéro du port (défaut: "
#: plugins/check_http.c:1471
msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
msgstr ""
#: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
msgstr ""
#: plugins/check_http.c:1474
--- po/monitoring-plugins.pot.orig Mon Dec 1 23:46:16 2014
+++ po/monitoring-plugins.pot Fri Sep 18 17:12:20 2015
@@ -1142,8 +1142,8 @@ msgstr ""
#: plugins/check_http.c:348
msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
msgstr ""
#: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1393,11 +1393,11 @@ msgstr ""
#: plugins/check_http.c:1471
msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
msgstr ""
#: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
msgstr ""
#: plugins/check_http.c:1474