From bc3307ed6e9911ef9a9e882b00bdb2fa32158fa3 Mon Sep 17 00:00:00 2001 From: Holger Weiss Date: Mon, 28 May 2012 17:16:04 +0200 Subject: Add support for specifying SSL protocol version The check_http -S/--ssl option now takes an optional argument which specifies the desired SSL/TLS protocol version (#3285367 - Jason Lunn). diff --git a/NEWS b/NEWS index 901eaed..fbc5c8b 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ This file documents the major additions and syntax changes between releases. check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) check_http now uses standard threshold functions (enables floating point and ranges) check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski) + check_http now supports an optional -S/--ssl value to choose the SSL protocol version (#3066166 - Jason Lunn) Add perfdata to check_ssh (#3244097 - Marco Beck) New option to check_smtp to ignore failures when sending QUIT (#3358348 - Duncan Ferguson) New check_by_ssh -F option which allows for specifying an alternative ssh_config(5) file (#2895334 - Sven Nierlein) diff --git a/THANKS.in b/THANKS.in index c6775bc..0b82024 100644 --- a/THANKS.in +++ b/THANKS.in @@ -269,3 +269,4 @@ Ryan Kelly Stéphane Urbanovski Marco Beck Sebastian Harl +Jason Lunn diff --git a/plugins/check_http.c b/plugins/check_http.c index 3175f6c..ea7ddec 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c @@ -34,7 +34,7 @@ /* splint -I. -I../../plugins -I../../lib/ -I/usr/kerberos/include/ ../../plugins/check_http.c */ const char *progname = "check_http"; -const char *copyright = "1999-2008"; +const char *copyright = "1999-2011"; const char *email = "nagiosplug-devel@lists.sourceforge.net"; #include "common.h" @@ -59,6 +59,7 @@ enum { #ifdef HAVE_SSL int check_cert = FALSE; int days_till_exp; +int ssl_version; char *randbuff; X509 *server_cert; # define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) @@ -188,7 +189,7 @@ process_arguments (int argc, char **argv) STD_LONG_OPTS, {"link", no_argument, 0, 'L'}, {"nohtml", no_argument, 0, 'n'}, - {"ssl", no_argument, 0, 'S'}, + {"ssl", optional_argument, 0, 'S'}, {"sni", no_argument, 0, SNI_OPTION}, {"post", required_argument, 0, 'P'}, {"method", required_argument, 0, 'j'}, @@ -234,7 +235,7 @@ process_arguments (int argc, char **argv) } while (1) { - c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option); + c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:e:p:s:R:r:u:f:C:nlLS::m:M:N", longopts, &option); if (c == -1 || c == EOF) break; @@ -294,6 +295,13 @@ process_arguments (int argc, char **argv) usage4 (_("Invalid option - SSL is not available")); #endif use_ssl = TRUE; + if (optarg == NULL) + ssl_version = 0; + else { + ssl_version = atoi(optarg); + if (ssl_version < 1 || ssl_version > 3) + usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)")); + } if (specify_port == FALSE) server_port = HTTPS_PORT; break; @@ -798,7 +806,7 @@ check_http (void) die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); #ifdef HAVE_SSL if (use_ssl == TRUE) { - np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL)); + np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version); if (check_cert == TRUE) { result = np_net_ssl_check_cert(days_till_exp); np_net_ssl_cleanup(); @@ -1323,8 +1331,9 @@ print_help (void) printf (UT_IPv46); #ifdef HAVE_SSL - printf (" %s\n", "-S, --ssl"); - printf (" %s\n", _("Connect via SSL. Port defaults to 443")); + printf (" %s\n", "-S, --ssl=VERSION"); + printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); + printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).")); printf (" %s\n", "--sni"); printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); printf (" %s\n", "-C, --certificate=INTEGER"); @@ -1433,6 +1442,6 @@ print_usage (void) printf (" [-b proxy_auth] [-f ]\n"); printf (" [-e ] [-s string] [-l] [-r | -R ]\n"); printf (" [-P string] [-m :] [-4|-6] [-N] [-M ]\n"); - printf (" [-A string] [-k string] [-S] [--sni] [-C ] [-T ]\n"); + printf (" [-A string] [-k string] [-S ] [--sni] [-C ] [-T ]\n"); printf (" [-j method]\n"); } diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 6e86dc6..2157764 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -41,6 +41,29 @@ int np_net_ssl_init (int sd) { } int np_net_ssl_init_with_hostname (int sd, char *host_name) { + return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); +} + +int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) { + const SSL_METHOD *method = NULL; + + switch (version) { + case 0: /* Deafult to auto negotiation */ + method = SSLv23_client_method(); + break; + case 1: /* TLSv1 protocol */ + method = TLSv1_client_method(); + break; + case 2: /* SSLv2 protocol */ + method = SSLv2_client_method(); + break; + case 3: /* SSLv3 protocol */ + method = SSLv3_client_method(); + break; + default: /* Unsupported */ + printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version.")); + return STATE_CRITICAL; + } if (!initialized) { /* Initialize SSL context */ SSLeay_add_ssl_algorithms (); @@ -48,7 +71,7 @@ int np_net_ssl_init_with_hostname (int sd, char *host_name) { OpenSSL_add_all_algorithms (); initialized = 1; } - if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) { + if ((c = SSL_CTX_new (method)) == NULL) { printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); return STATE_CRITICAL; } -- cgit v0.10-9-g596f