[Nagiosplug-devel] [ nagiosplug-Bugs-1446016 ] check_jabber forces SSL

SourceForge.net noreply at sourceforge.net
Fri Feb 2 18:33:54 CET 2007


Bugs item #1446016, was opened at 2006-03-08 23:40
Message generated for change (Comment added) made by tonvoon
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1446016&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Hadmut Danisch (hadmut)
Assigned to: M. Sean Finney (seanius)
Summary: check_jabber forces SSL

Initial Comment:
Hi,

If check_tcp is called as check_jabber, it forces the
SSL flag to be set and thus fails to check jabber
daemons without SSL.

There are reasons to use jabber without SSL, e.g. when
client certificates are required. Since jabberd does
not support this feature, it must be used with stunnel. 

Since check_tcp does not support client certificates,
it must check the unencrypted port directly, which is
impossible due to the SSL enforcement.

regards
Hadmut


----------------------------------------------------------------------

>Comment By: Ton Voon (tonvoon)
Date: 2007-02-02 17:33

Message:
Logged In: YES 
user_id=664364
Originator: NO

Hadmut,

This has been fixed in CVS now by Thomas Guyot - check_jabber will not use
SSL by default.

Ton


----------------------------------------------------------------------

Comment By: Hadmut Danisch (hadmut)
Date: 2006-04-01 09:59

Message:
Logged In: YES 
user_id=44878

Hi, 

Sorry for answering so late, but I had difficulties
logging in to SourceForge; the server seems to have
been down or under maintenance several times.

Introducing client certs would be a pretty good idea, also
for other checks. :-)

But this still does not solve the problem of how to verify
services without SSL. In my particular case the jabberd sits
behind an stunnel, so I would need to check it twice, once
without SSL from inside, and once with an SSL client
certificate from outside. Both checks are currently impossible.


BTW: the client cert and the certificate age check should be
enabled for all types of SSL query, including things like
SMTP+TLS etc. 


It does not make sense to offer a server, because I simply
use stunnel to provide services. You can easily set this up
on your own machine by using an /etc/inetd.conf entry like



ssljabber stream tcp nowait root /usr/sbin/stunnel stunnel -v 3 -N rackjabber -p /etc/ssl/private/jabber.pem -r 5222

or any other TCP service. See the stunnel manual
(just add ssljabber with a different port number to
/etc/services).

regards
Hadmut



----------------------------------------------------------------------

Comment By: M. Sean Finney (seanius)
Date: 2006-03-13 17:53

Message:
Logged In: YES 
user_id=226838

hi hadmut,

would a better solution be to introduce client cert
checking?  this was on my todo list for check_tcp quite a
while ago but i never got around to it largely because i
don't have any setups that require it.  if you'd be
interested in pursuing this and have a server i could test
with maybe we could work together on this?

----------------------------------------------------------------------
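
The two checks discussed in this thread (plaintext from inside, TLS with a client certificate from outside), as an added example that is not part of the tracker item or of the Nagios plugins code: a probe where TLS is opt-in rather than forced. The names `probe_xmpp` and `start_fake_jabberd`, the stream header sent and the loopback listener are assumptions constructed for illustration.

```python
import socket
import ssl
import threading

# Assumed stream header; adjust to what your server expects and answers.
STREAM_OPEN = ("<stream:stream to='{host}' xmlns='jabber:client' "
               "xmlns:stream='http://etherx.jabber.org/streams'>")
FAKE_REPLY = b"<?xml version='1.0'?><stream:stream id='constructed'>"

def probe_xmpp(host, port, use_tls=False, client_cert=None, client_key=None,
               cafile=None, timeout=5.0):
    """Return (ok, detail). TLS is opt-in so a plaintext backend stays checkable."""
    conn = None
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            if client_cert:  # certificate the TLS front end asks clients for
                ctx.load_cert_chain(client_cert, client_key)
            conn = ctx.wrap_socket(conn, server_hostname=host)
        conn.sendall(STREAM_OPEN.format(host=host).encode())
        reply = conn.recv(4096).decode("utf-8", "replace")
    except OSError as exc:  # covers refused, timeout and ssl.SSLError
        return False, f"connection failed: {exc}"
    finally:
        if conn is not None:
            conn.close()
    ok = "<stream:stream" in reply
    return ok, "stream header received" if ok else f"unexpected reply: {reply[:60]!r}"

def start_fake_jabberd():
    """Constructed loopback stand-in for a plaintext jabberd; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            client, _ = srv.accept()
            with client:
                try:
                    client.recv(4096)
                    client.sendall(FAKE_REPLY)
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_jabberd()
    print(probe_xmpp("127.0.0.1", port), probe_xmpp("127.0.0.1", port, use_tls=True))
```

Against the plaintext listener the default probe succeeds, while the same probe with `use_tls=True` fails in the handshake, which is the failure the report describes when SSL is forced.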
