[Nagiosplug-devel] [ nagiosplug-Patches-1939022 ] SSL/TLS hostname extension support (SNI)
SourceForge.net
noreply at sourceforge.net
Fri Mar 20 00:03:03 CET 2009
Patches item #1939022, was opened at 2008-04-10 01:56
Message generated for change (Comment added) made by guillomovitch
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Enhancement
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joe Presbrey (presbrey)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: SSL/TLS hostname extension support (SNI)
Initial Comment:
Patch against Plugin Version (-V output): SVN trunk
Plugin Name: sslutils/check_http
Example Plugin Commandline: check_http -H wildcard.scripts.mit.edu -S -C 14
Tested on operating system: debian/4.0
Tested on architecture: i686
Tested with compiler: gcc-4.1.2-20061115
A TLS extension called "Server Name Indication" allows name-based HTTPS virtual hosting. (From Gentoo: http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL). This is especially common when serving HTTPS requests with a wildcard certificate (*.domain.tld).
This patch adds a call to SSL_set_tlsext_host_name (OpenSSL 0.9.8f and higher) in the certificate check section of sslutils to allow certificate verification of HTTPS virtual-host domains.
This patch also corrects the expiration check to escalate to 'critical' when the certificate is expired but for less than 1 day (currently emits 'warning') and displays the time-zone with the expiration time.
Joe Presbrey
----------------------------------------------------------------------
Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-20 00:03
Message:
Here is a slightly different version, changing the np_net_ssl_init() prototype
to pass the host name, rather than using a global variable. This addresses your
question 1).
However, I don't understand the issue with old openssl versions; the patch
already does use an #ifdef block to only use this function if available?
----------------------------------------------------------------------
Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-19 06:16
Message:
Moreover, this seems to break old OpenSSLs (at least on my Solaris
tinderbox).
I rolled it back (except the timestamp fix). I will apply an updated
version if you add the proper ifdef's to keep backwards compatibility.
Thanks
----------------------------------------------------------------------
Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-17 09:02
Message:
Thanks for your report
I have two questions:
1. This patch does not alter check_http to use the new function to set
host name. Did you expect us to make this change, or do you have a complete
patch around?
2. Regarding printing the timezone, AFAIK it can be longer than three
characters, unless certificates have a strict standard. This command
will list all timezones in /usr/share/zoneinfo:
$ find /usr/share/zoneinfo/ -type f -exec zdump {} \;|sed 's/^.* 2009 \(.*\)$/\1/'|sort|uniq
If you add "wc -L" this gives you a max length of 6 characters. The
current code will apparently cut it to three characters.
----------------------------------------------------------------------
Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-05 12:01
Message:
This is really useful, I'd like to have it merged too...
----------------------------------------------------------------------
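As an added example (not code from the plugin, the patch, or any participant in this thread), here is a C sketch of the two behaviours discussed above: escalating an already-expired certificate to critical no matter how recently it expired, and formatting the expiry time with a zone abbreviation field wide enough for the 6-character names dermoth's zdump listing turned up. The function names and timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Standard Nagios plugin exit codes. */
enum { STATE_OK = 0, STATE_WARNING = 1, STATE_CRITICAL = 2 };

/* Classify certificate validity at time `now` against `not_after`.
 * days_warn is the -C threshold (14 in the example command line).
 * An already-expired certificate is CRITICAL even if it expired only
 * seconds ago; the behaviour the patch corrects reported a certificate
 * expired for less than a day as WARNING. */
int cert_expiry_state(time_t now, time_t not_after, int days_warn)
{
    double secs_left = difftime(not_after, now);
    if (secs_left <= 0)
        return STATE_CRITICAL;                   /* expired: always critical */
    long days_left = (long)(secs_left / 86400);  /* 23h59m truncates to 0 */
    if (days_left < days_warn)
        return STATE_WARNING;
    return STATE_OK;
}

/* Format the expiry time with its zone abbreviation (UTC here, so the
 * example does not depend on the local zone database). The caller's buffer
 * must leave room for a 6-character %Z, the longest abbreviation dermoth's
 * zdump listing found; a fixed 3-character field would truncate it.
 * Returns the number of characters written, 0 on error. */
size_t format_expiry(time_t not_after, char *buf, size_t len)
{
    struct tm *tmv = gmtime(&not_after);
    if (tmv == NULL)
        return 0;
    return strftime(buf, len, "%Y-%m-%d %H:%M:%S %Z", tmv);
}

int main(void)
{
    /* Constructed values: "now" is 2009-03-19 23:03:03 UTC and the
     * certificate expired one hour earlier, i.e. for less than a day. */
    time_t now = 1237503783, not_after = now - 3600;
    char buf[64];
    format_expiry(not_after, buf, sizeof buf);
    printf("expires %s -> state %d\n", buf,
           cert_expiry_state(now, not_after, 14));
    return 0;
}
```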