summaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorHolger Weiss <holger@zedat.fu-berlin.de>2012-05-28 17:16:04 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2012-05-28 17:16:04 +0200
commitbc3307ed6e9911ef9a9e882b00bdb2fa32158fa3 (patch)
tree428186b29058adb1a8b4c0e93e2ce6dedbe674d4 /plugins
parent5a5d3d7013dbc098a5fed9831fa443af93bdd983 (diff)
downloadmonitoring-plugins-bc3307ed6e9911ef9a9e882b00bdb2fa32158fa3.tar.gz
Add support for specifying SSL protocol version
The check_http -S/--ssl option now takes an optional argument which specifies the desired SSL/TLS protocol version (#3285367 - Jason Lunn).
Diffstat (limited to 'plugins')
-rw-r--r--plugins/check_http.c23
-rw-r--r--plugins/sslutils.c25
2 files changed, 40 insertions, 8 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 3175f6cb..ea7ddec1 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -34,7 +34,7 @@
34/* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */ 34/* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */
35 35
36const char *progname = "check_http"; 36const char *progname = "check_http";
37const char *copyright = "1999-2008"; 37const char *copyright = "1999-2011";
38const char *email = "nagiosplug-devel@lists.sourceforge.net"; 38const char *email = "nagiosplug-devel@lists.sourceforge.net";
39 39
40#include "common.h" 40#include "common.h"
@@ -59,6 +59,7 @@ enum {
59#ifdef HAVE_SSL 59#ifdef HAVE_SSL
60int check_cert = FALSE; 60int check_cert = FALSE;
61int days_till_exp; 61int days_till_exp;
62int ssl_version;
62char *randbuff; 63char *randbuff;
63X509 *server_cert; 64X509 *server_cert;
64# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) 65# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -188,7 +189,7 @@ process_arguments (int argc, char **argv)
188 STD_LONG_OPTS, 189 STD_LONG_OPTS,
189 {"link", no_argument, 0, 'L'}, 190 {"link", no_argument, 0, 'L'},
190 {"nohtml", no_argument, 0, 'n'}, 191 {"nohtml", no_argument, 0, 'n'},
191 {"ssl", no_argument, 0, 'S'}, 192 {"ssl", optional_argument, 0, 'S'},
192 {"sni", no_argument, 0, SNI_OPTION}, 193 {"sni", no_argument, 0, SNI_OPTION},
193 {"post", required_argument, 0, 'P'}, 194 {"post", required_argument, 0, 'P'},
194 {"method", required_argument, 0, 'j'}, 195 {"method", required_argument, 0, 'j'},
@@ -234,7 +235,7 @@ process_arguments (int argc, char **argv)
234 } 235 }
235 236
236 while (1) { 237 while (1) {
237 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option); 238 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLS::m:M:N", longopts, &option);
238 if (c == -1 || c == EOF) 239 if (c == -1 || c == EOF)
239 break; 240 break;
240 241
@@ -294,6 +295,13 @@ process_arguments (int argc, char **argv)
294 usage4 (_("Invalid option - SSL is not available")); 295 usage4 (_("Invalid option - SSL is not available"));
295#endif 296#endif
296 use_ssl = TRUE; 297 use_ssl = TRUE;
298 if (optarg == NULL)
299 ssl_version = 0;
300 else {
301 ssl_version = atoi(optarg);
302 if (ssl_version < 1 || ssl_version > 3)
303 usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
304 }
297 if (specify_port == FALSE) 305 if (specify_port == FALSE)
298 server_port = HTTPS_PORT; 306 server_port = HTTPS_PORT;
299 break; 307 break;
@@ -798,7 +806,7 @@ check_http (void)
798 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); 806 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
799#ifdef HAVE_SSL 807#ifdef HAVE_SSL
800 if (use_ssl == TRUE) { 808 if (use_ssl == TRUE) {
801 np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL)); 809 np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);
802 if (check_cert == TRUE) { 810 if (check_cert == TRUE) {
803 result = np_net_ssl_check_cert(days_till_exp); 811 result = np_net_ssl_check_cert(days_till_exp);
804 np_net_ssl_cleanup(); 812 np_net_ssl_cleanup();
@@ -1323,8 +1331,9 @@ print_help (void)
1323 printf (UT_IPv46); 1331 printf (UT_IPv46);
1324 1332
1325#ifdef HAVE_SSL 1333#ifdef HAVE_SSL
1326 printf (" %s\n", "-S, --ssl"); 1334 printf (" %s\n", "-S, --ssl=VERSION");
1327 printf (" %s\n", _("Connect via SSL. Port defaults to 443")); 1335 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1336 printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
1328 printf (" %s\n", "--sni"); 1337 printf (" %s\n", "--sni");
1329 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); 1338 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1330 printf (" %s\n", "-C, --certificate=INTEGER"); 1339 printf (" %s\n", "-C, --certificate=INTEGER");
@@ -1433,6 +1442,6 @@ print_usage (void)
1433 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n"); 1442 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
1434 printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); 1443 printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
1435 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n"); 1444 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
1436 printf (" [-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]\n"); 1445 printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
1437 printf (" [-j method]\n"); 1446 printf (" [-j method]\n");
1438} 1447}
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6e86dc62..2157764f 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -41,6 +41,29 @@ int np_net_ssl_init (int sd) {
41} 41}
42 42
43int np_net_ssl_init_with_hostname (int sd, char *host_name) { 43int np_net_ssl_init_with_hostname (int sd, char *host_name) {
44 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
45}
46
47int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {
48 const SSL_METHOD *method = NULL;
49
50 switch (version) {
51 case 0: /* Deafult to auto negotiation */
52 method = SSLv23_client_method();
53 break;
54 case 1: /* TLSv1 protocol */
55 method = TLSv1_client_method();
56 break;
57 case 2: /* SSLv2 protocol */
58 method = SSLv2_client_method();
59 break;
60 case 3: /* SSLv3 protocol */
61 method = SSLv3_client_method();
62 break;
63 default: /* Unsupported */
64 printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));
65 return STATE_CRITICAL;
66 }
44 if (!initialized) { 67 if (!initialized) {
45 /* Initialize SSL context */ 68 /* Initialize SSL context */
46 SSLeay_add_ssl_algorithms (); 69 SSLeay_add_ssl_algorithms ();
@@ -48,7 +71,7 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) {
48 OpenSSL_add_all_algorithms (); 71 OpenSSL_add_all_algorithms ();
49 initialized = 1; 72 initialized = 1;
50 } 73 }
51 if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) { 74 if ((c = SSL_CTX_new (method)) == NULL) {
52 printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); 75 printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
53 return STATE_CRITICAL; 76 return STATE_CRITICAL;
54 } 77 }