[Nagiosplug-devel] [ nagiosplug-Patches-1939022 ] SSL/TLS hostname extension support (SNI)

[SourceForge.net]

Patches item #1939022, was opened at 2008-04-10 01:56
Message generated for change (Comment added) made by guillomovitch
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Enhancement
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joe Presbrey (presbrey)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: SSL/TLS hostname extension support (SNI)

Initial Comment:
Patch against Plugin Version (-V output): SVN trunk
Plugin Name: sslutils/check_http
Example Plugin Commandline: check_http -H wildcard.scripts.mit.edu -S -C 14
Tested on operating system: debian/4.0
Tested on architecture: i686
Tested with compiler: gcc-4.1.2-20061115

A TLS extension called "Server Name Indication" allows name-based HTTPS virtual hosting.  (From Gentoo: http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL).  This is especially common when serving HTTPS requests with a wildcard certificate (*.domain.tld).

This patch adds a call to SSL_set_tlsext_host_name (OpenSSL 0.9.8f and higher) in the certificate check section of sslutils to allow certificate verification of HTTPS virtual-host domains.

This patch also corrects the expiration check to escalate to 'critical' when the certificate is expired but for less than 1 day (currently emits 'warning') and displays the time-zone with the expiration time.

Joe Presbrey

----------------------------------------------------------------------

Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-20 00:03

Message:
Here is a slightly different version, changing np_net_ssl_init() prototype
to pass host name, rather than using a global variable. This adress your
question 1).

However, I don't understand the issue with old openssl versions, the patch
already does use #idfef block to only use this function if available ?



----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-19 06:16

Message:
Moreover this seems to break old OpsnSSL's (at least on my Solaris
tinderbox)

I rolled it back (except the timestamp fix). I will apply an updated
version if you add the proper ifdef's to keep backwards compatibility.

Thanks


----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-17 09:02

Message:
Thanks for your report

I have two questions:

1. This patch does not alter check_http to use the new function to set
host name. Did you expect us to make this change, or do you have a complete
patch around?

2. Regarding printing the timezone, AFAIK is can be longer than three
characters, unless if certificates have a strict standars. This command
will list all timezones in /usr/share/zoneinfo:
$ find /usr/share/zoneinfo/ -type f -exec zdump {} \;|sed 's/^.* 2009
\(.*\)$/\1/'|sort|uniq
If you add "wc -L" this gives you a max length of 6 characters. The
current code will apparently cut it to three characters.


----------------------------------------------------------------------

Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-05 12:01

Message:
This is really useful, I'd like to have it merged too...

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880