path: root/web/attachments/463009-NegSSLVers.patch
blob: c19d8cec94ddd5f7574c40aa42c8f856cca82269 (plain)
--- nagios-plugins-1.4.16/plugins/sslutils.c	2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16b/plugins/sslutils.c	2013-04-30 12:05:14.000000000 +0200
@@ -46,8 +46,21 @@
 
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
 	const SSL_METHOD *method = NULL;
+	long ver_option = 0;
 
 	switch (version) {
+	case -3: /* Anything *but* SSLv3 */
+		method = SSLv23_client_method();
+		ver_option = SSL_OP_NO_SSLv3;
+		break;
+	case -2: /* Anything *but* SSLv2 */
+		method = SSLv23_client_method();
+		ver_option = SSL_OP_NO_SSLv2;
+		break;
+	case -1: /* Anything *but* TLSv1 */
+		method = SSLv23_client_method();
+		ver_option = SSL_OP_NO_TLSv1;
+		break;
 	case 0: /* Deafult to auto negotiation */
 		method = SSLv23_client_method();
 		break;
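Review bot: Each negative selector in the new cases clears exactly one protocol, so `-S -3` ("anything but SSLv3") still leaves SSLv2 enabled on an OpenSSL build that has it compiled in, which is probably not what an operator excluding SSLv3 for security reasons expects; whether that actually matters depends on the library build, which is not visible here. If the intent is "avoid the named protocol and nothing weaker", consider OR-ing `SSL_OP_NO_SSLv2` into the `-3` and `-1` cases, or accepting a bitmask so several versions can be excluded in one option. The mapping from selector to flag is also worth a comment above the switch, e.g. `/* negative selectors keep SSLv23 auto-negotiation but mask out one protocol via ver_option; positive selectors pin a single method and leave ver_option at 0 */`, since the positive cases that presumably leave `ver_option` untouched lie below the hunk. The switch and the enclosing function continue past the end of the hunk.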
@@ -83,6 +96,7 @@
 #ifdef SSL_OP_NO_TICKET
 	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
 #endif
+	if (ver_option) SSL_CTX_set_options(c, ver_option);
 	if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
 		if (host_name != NULL)
--- nagios-plugins-1.4.16/plugins/check_http.c	2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16b/plugins/check_http.c	2013-04-30 12:08:48.000000000 +0200
@@ -312,8 +312,8 @@
         ssl_version = 0;
       else {
         ssl_version = atoi(optarg);
-        if (ssl_version < 1 || ssl_version > 3)
-            usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+        if (ssl_version < -3 || ssl_version > 3)
+            usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2), 3 (SSLv3) and their negatives (exclude that version)"));
       }
       if (specify_port == FALSE)
         server_port = HTTPS_PORT;
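Review bot: Widening the range check to `ssl_version < -3 || ssl_version > 3` now admits 0, and because `atoi` returns 0 for any non-numeric argument, a typo such as `-S tls1` is silently accepted as auto-negotiation instead of being rejected as it was before; for a monitoring check that means the operator believes a protocol restriction is in force when none is. Parsing with `strtol` and rejecting empty input, trailing garbage and out-of-range values keeps the new negative selectors while restoring the rejection of bad input (an explicit `-S 0` could still be allowed as a synonym for auto-negotiation if that is wanted). This needs `<errno.h>`, whose presence in the file is not visible here, and the `else` branch belongs to an option-parsing `case` whose start and end lie outside the hunk; the cast below assumes `ssl_version` is an `int`, which the hunk does not show.
```c
      else {
        char *end = NULL;
        long v;
        errno = 0;
        v = strtol(optarg, &end, 10);
        /* reject non-numeric input, trailing garbage and out-of-range values */
        if (end == optarg || *end != '\0' || errno == ERANGE || v < -3 || v > 3)
            usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2), 3 (SSLv3) and their negatives (exclude that version)"));
        ssl_version = (int)v;
      }
      /* … unchanged: port defaulting … */
```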
@@ -1348,7 +1348,8 @@
 #ifdef HAVE_SSL
   printf (" %s\n", "-S, --ssl=VERSION");
   printf ("    %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
-  printf ("    %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
+  printf ("    %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3) for positive values, or"));
+  printf ("    %s\n", _("use of the respective protocol in auto-negotiation when negative."));
   printf (" %s\n", "--sni");
   printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
   printf (" %s\n", "-C, --certificate=INTEGER");