[Nagiosplug-devel] SSL/TLS hostname extension support (SNI)

Joe presbrey at gmail.com
Thu Apr 10 02:08:57 CEST 2008


Hey all, the patch I submitted on sourceforge (and inline below) is
rather verbose so I'll limit myself to adding just a few other things
here.  I've been using this patch with nagios plugins 1.4.10 and
recently regenerated it for the current subversion trunk (r1977).
Correct functioning looks something like this:

# ./check_http -H scripts.mit.edu -S -C 14
OK - Certificate will expire on 07/29/2008 16:00 GMT.
# ./check_http -H wildcard.scripts.mit.edu -S -C 14
OK - Certificate will expire on 04/08/2009 16:00 GMT.
# ./check_http -H presbrey.scripts.mit.edu -S -C 14
OK - Certificate will expire on 04/08/2009 16:00 GMT.

Before this patch is applied, check_http can only verify the
certificate from the first instantiation shown above; the second and
third end up verifying the wrong (non-SNI) certificate.  The SNI
extension is officially supported in OpenSSL 0.9.8f in the testing
branch of several distributions and may become common relatively
common soon.

Thanks!

Joe Presbrey

---------- Forwarded message ----------
From: SourceForge.net <noreply at sourceforge.net>
Date: Wed, Apr 9, 2008 at 7:56 PM
Subject: [ nagiosplug-Patches-1939022 ] SSL/TLS hostname extension support (SNI)
To: noreply at sourceforge.net


Patches item #1939022, was opened at 2008-04-09 19:56
 Message generated for change (Tracker Item Submitted) made by Item Submitter
 You can respond by visiting:
 https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880

 Please note that this message will contain a full copy of the comment thread,
 including the initial issue submission, for this request,
 not just the latest update.
 Category: Enhancement
 Group: None
 Status: Open
 Resolution: None
 Priority: 5
 Private: No
 Submitted By: Joe Presbrey (presbrey)
 Assigned to: Nobody/Anonymous (nobody)
 Summary: SSL/TLS hostname extension support (SNI)

 Initial Comment:
 Patch against Plugin Version (-V output): SVN trunk
 Plugin Name: sslutils/check_http
 Example Plugin Commandline: check_http -H wildcard.scripts.mit.edu -S -C 14
 Tested on operating system: debian/4.0
 Tested on architecture: i686
 Tested with compiler: gcc-4.1.2-20061115

 A TLS extension called "Server Name Indication" allows name-based
HTTPS virtual hosting.  (From Gentoo:
http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL).
This is especially common when serving HTTPS requests with a wildcard
certificate (*.domain.tld).

 This patch adds a call to SSL_set_tlsext_host_name (OpenSSL 0.9.8f
and higher) in the certificate check section of sslutils to allow
certificate verification of HTTPS virtual-host domains.

 This patch also corrects the expiration check to escalate to
'critical' when the certificate is expired but for less than 1 day
(currently emits 'warning') and displays the time-zone with the
expiration time.

 Joe Presbrey

 ----------------------------------------------------------------------

 You can respond by visiting:
 https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nagiosplug-sni-trunk.patch
Type: application/octet-stream
Size: 2442 bytes
Desc: not available
URL: <http://nagios-plugins.org/archive/devel/attachments/20080409/4f41734a/attachment.obj>


More information about the Devel mailing list