[Nagiosplug-devel] SSL/TLS hostname extension support (SNI)
Joe
presbrey at gmail.com
Thu Apr 10 02:08:57 CEST 2008
Hey all, the patch I submitted on sourceforge (and inline below) is
rather verbose so I'll limit myself to adding just a few other things
here. I've been using this patch with nagios plugins 1.4.10 and
recently regenerated it for the current subversion trunk (r1977).
Correct functioning looks something like this:
# ./check_http -H scripts.mit.edu -S -C 14
OK - Certificate will expire on 07/29/2008 16:00 GMT.
# ./check_http -H wildcard.scripts.mit.edu -S -C 14
OK - Certificate will expire on 04/08/2009 16:00 GMT.
# ./check_http -H presbrey.scripts.mit.edu -S -C 14
OK - Certificate will expire on 04/08/2009 16:00 GMT.
Before this patch is applied, check_http can only verify the
certificate from the first instantiation shown above; the second and
third end up verifying the wrong (non-SNI) certificate. The SNI
extension is officially supported in OpenSSL 0.9.8f in the testing
branch of several distributions and may become relatively common
soon.
Thanks!
Joe Presbrey
---------- Forwarded message ----------
From: SourceForge.net <noreply at sourceforge.net>
Date: Wed, Apr 9, 2008 at 7:56 PM
Subject: [ nagiosplug-Patches-1939022 ] SSL/TLS hostname extension support (SNI)
To: noreply at sourceforge.net
Patches item #1939022, was opened at 2008-04-09 19:56
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Enhancement
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joe Presbrey (presbrey)
Assigned to: Nobody/Anonymous (nobody)
Summary: SSL/TLS hostname extension support (SNI)
Initial Comment:
Patch against Plugin Version (-V output): SVN trunk
Plugin Name: sslutils/check_http
Example Plugin Commandline: check_http -H wildcard.scripts.mit.edu -S -C 14
Tested on operating system: debian/4.0
Tested on architecture: i686
Tested with compiler: gcc-4.1.2-20061115
A TLS extension called "Server Name Indication" allows name-based
HTTPS virtual hosting. (From Gentoo:
http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL).
This is especially common when serving HTTPS requests with a wildcard
certificate (*.domain.tld).
This patch adds a call to SSL_set_tlsext_host_name (OpenSSL 0.9.8f
and higher) in the certificate check section of sslutils to allow
certificate verification of HTTPS virtual-host domains.
This patch also corrects the expiration check to escalate to
'critical' when the certificate is expired but for less than 1 day
(currently emits 'warning') and displays the time-zone with the
expiration time.
Joe Presbrey
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nagiosplug-sni-trunk.patch
Type: application/octet-stream
Size: 2442 bytes
Desc: not available
URL: <http://nagios-plugins.org/archive/devel/attachments/20080409/4f41734a/attachment.obj>
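To make the expiry-escalation part of the patch concrete, here is an added example (not the patch itself and not the plugin's code): an assumed pre-patch whole-day comparison beside a corrected check that reports CRITICAL for any certificate already past notAfter, plus the GMT-labelled expiry formatting seen in the output above. The SSL_set_tlsext_host_name call is not reproduced because it needs an OpenSSL build; the timestamps below are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Standard Nagios plugin exit codes. */
enum { STATE_OK = 0, STATE_WARNING = 1, STATE_CRITICAL = 2 };
/* Assumed pre-patch logic (not the plugin's actual code): compare whole days.
   (not_after - now) / 86400 truncates toward zero, so a certificate that expired
   less than a day ago gives days_left == 0 and lands in the warning window. */
int classify_expiry_buggy(time_t now, time_t not_after, int warn_days)
{
    int days_left = (int)((not_after - now) / 86400);
    if (days_left < 0)
        return STATE_CRITICAL;
    if (days_left <= warn_days)
        return STATE_WARNING;
    return STATE_OK;
}

/* Corrected logic: decide "expired" on the raw timestamps first, so any notAfter
   in the past is CRITICAL however recent; only then apply the -C warning window. */
int classify_expiry_fixed(time_t now, time_t not_after, int warn_days)
{
    if (not_after <= now)
        return STATE_CRITICAL;
    if (not_after - now < (time_t)warn_days * 86400)
        return STATE_WARNING;
    return STATE_OK;
}

/* Render notAfter with an explicit zone label, matching the post's output
   ("07/29/2008 16:00 GMT"); gmtime() keeps the "GMT" label truthful. */
char *format_expiry(time_t not_after, char *buf, size_t len)
{
    struct tm *tm = gmtime(&not_after);
    strftime(buf, len, "%m/%d/%Y %H:%M GMT", tm);
    return buf;
}

int main(void)
{
    /* Constructed sample: "now" is 2008-04-10 00:00 GMT; -C 14 as in the post. */
    time_t now = 1207785600, expired = now - 3600, future = 1217347200;
    char buf[32];
    printf("expired 1h ago: buggy=%d fixed=%d\n",
           classify_expiry_buggy(now, expired, 14), classify_expiry_fixed(now, expired, 14));
    printf("expires %s: fixed=%d\n", format_expiry(future, buf, sizeof buf),
           classify_expiry_fixed(now, future, 14));
    return 0;
}
```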