[Nagiosplug-devel] [ nagiosplug-Patches-1939022 ] SSL/TLS hostname extension support (SNI)
SourceForge.net
noreply at sourceforge.net
Fri Mar 20 00:06:14 CET 2009
Patches item #1939022, was opened at 2008-04-10 01:56
Message generated for change (Comment added) made by guillomovitch
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Enhancement
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joe Presbrey (presbrey)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: SSL/TLS hostname extension support (SNI)
Initial Comment:
Patch against Plugin Version (-V output): SVN trunk
Plugin Name: sslutils/check_http
Example Plugin Commandline: check_http -H wildcard.scripts.mit.edu -S -C 14
Tested on operating system: debian/4.0
Tested on architecture: i686
Tested with compiler: gcc-4.1.2-20061115
A TLS extension called "Server Name Indication" allows name-based HTTPS virtual hosting. (From Gentoo: http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL). This is especially common when serving HTTPS requests with a wildcard certificate (*.domain.tld).
This patch adds a call to SSL_set_tlsext_host_name (OpenSSL 0.9.8f and higher) in the certificate check section of sslutils to allow certificate verification of HTTPS virtual-host domains.
This patch also corrects the expiration check to escalate to 'critical' when the certificate is expired but for less than 1 day (currently emits 'warning') and displays the time-zone with the expiration time.
Joe Presbrey
----------------------------------------------------------------------
Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-20 00:06
Message:
diff -Naur --exclude '*~' nagios-plugins-1.4.13/plugins/check_http.c
nagios-plugins-1.4.13-sni-support/plugins/check_http.c
--- nagios-plugins-1.4.13/plugins/check_http.c 2008-09-02
13:26:31.000000000 +0200
+++ nagios-plugins-1.4.13-sni-support/plugins/check_http.c 2009-03-19
23:54:12.000000000 +0100
@@ -773,7 +773,7 @@
die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP
socket\n"));
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
- np_net_ssl_init(sd);
+ np_net_ssl_init(sd, host_name);
if (check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
np_net_ssl_cleanup();
diff -Naur --exclude '*~' nagios-plugins-1.4.13/plugins/check_smtp.c
nagios-plugins-1.4.13-sni-support/plugins/check_smtp.c
--- nagios-plugins-1.4.13/plugins/check_smtp.c 2008-05-07
12:02:42.000000000 +0200
+++ nagios-plugins-1.4.13-sni-support/plugins/check_smtp.c 2009-03-19
23:55:38.000000000 +0100
@@ -236,7 +236,7 @@
smtp_quit();
return STATE_UNKNOWN;
}
- result = np_net_ssl_init(sd);
+ result = np_net_ssl_init(sd, NULL);
if(result != STATE_OK) {
printf (_("CRITICAL - Cannot create SSL context.\n"));
np_net_ssl_cleanup();
diff -Naur --exclude '*~' nagios-plugins-1.4.13/plugins/check_tcp.c
nagios-plugins-1.4.13-sni-support/plugins/check_tcp.c
--- nagios-plugins-1.4.13/plugins/check_tcp.c 2008-05-07
12:02:42.000000000 +0200
+++ nagios-plugins-1.4.13-sni-support/plugins/check_tcp.c 2009-03-19
23:55:21.000000000 +0100
@@ -236,7 +236,7 @@
#ifdef HAVE_SSL
if (flags & FLAG_SSL){
- result = np_net_ssl_init(sd);
+ result = np_net_ssl_init(sd, NULL);
if (result == STATE_OK && check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
if(result != STATE_OK) {
diff -Naur --exclude '*~' nagios-plugins-1.4.13/plugins/netutils.h
nagios-plugins-1.4.13-sni-support/plugins/netutils.h
--- nagios-plugins-1.4.13/plugins/netutils.h 2008-01-31 12:45:28.000000000
+0100
+++ nagios-plugins-1.4.13-sni-support/plugins/netutils.h 2009-03-19
23:57:45.000000000 +0100
@@ -94,7 +94,7 @@
/* SSL-Related functionality */
#ifdef HAVE_SSL
/* maybe this could be merged with the above np_net_connect, via some
flags */
-int np_net_ssl_init(int sd);
+int np_net_ssl_init(int sd, char *host_name);
void np_net_ssl_cleanup();
int np_net_ssl_write(const void *buf, int num);
int np_net_ssl_read(void *buf, int num);
diff -Naur --exclude '*~' nagios-plugins-1.4.13/plugins/sslutils.c
nagios-plugins-1.4.13-sni-support/plugins/sslutils.c
--- nagios-plugins-1.4.13/plugins/sslutils.c 2008-01-31 12:27:22.000000000
+0100
+++ nagios-plugins-1.4.13-sni-support/plugins/sslutils.c 2009-03-20
00:01:58.000000000 +0100
@@ -38,7 +38,7 @@
static SSL *s=NULL;
static int initialized=0;
-int np_net_ssl_init (int sd){
+int np_net_ssl_init (int sd, char *host_name){
if (!initialized) {
/* Initialize SSL context */
SSLeay_add_ssl_algorithms ();
@@ -51,6 +51,10 @@
return STATE_CRITICAL;
}
if ((s = SSL_new (c)) != NULL){
+#ifdef SSL_set_tlsext_host_name
+ if (host_name != NULL)
+ SSL_set_tlsext_host_name(s, host_name);
+#endif
SSL_set_fd (s, sd);
if (SSL_connect(s) == 1){
return OK;
@@ -68,6 +72,9 @@
void np_net_ssl_cleanup (){
if(s){
+#ifdef SSL_set_tlsext_host_name
+ SSL_set_tlsext_host_name(s, NULL);
+#endif
SSL_shutdown (s);
SSL_free (s);
if(c) {
----------------------------------------------------------------------
Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-20 00:03
Message:
Here is a slightly different version, changing np_net_ssl_init() prototype
to pass host name, rather than using a global variable. This adress your
question 1).
However, I don't understand the issue with old openssl versions, the patch
already does use #idfef block to only use this function if available ?
----------------------------------------------------------------------
Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-19 06:16
Message:
Moreover this seems to break old OpsnSSL's (at least on my Solaris
tinderbox)
I rolled it back (except the timestamp fix). I will apply an updated
version if you add the proper ifdef's to keep backwards compatibility.
Thanks
----------------------------------------------------------------------
Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-03-17 09:02
Message:
Thanks for your report
I have two questions:
1. This patch does not alter check_http to use the new function to set
host name. Did you expect us to make this change, or do you have a complete
patch around?
2. Regarding printing the timezone, AFAIK is can be longer than three
characters, unless if certificates have a strict standars. This command
will list all timezones in /usr/share/zoneinfo:
$ find /usr/share/zoneinfo/ -type f -exec zdump {} \;|sed 's/^.* 2009
\(.*\)$/\1/'|sort|uniq
If you add "wc -L" this gives you a max length of 6 characters. The
current code will apparently cut it to three characters.
----------------------------------------------------------------------
Comment By: Guillaume Rousse (guillomovitch)
Date: 2009-03-05 12:01
Message:
This is really useful, I'd like to have it merged too...
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=1939022&group_id=29880
More information about the Devel
mailing list