[Nagiosplug-devel] sslutils patch : show certificate subject
Stéphane Urbanovski
stephane.urbanovski at ac-nancy-metz.fr
Wed Dec 29 11:35:57 CET 2010
On 23/12/2010 18:02, Thomas Guyot-Sionnest wrote:
> On 10-12-03 12:26 PM, Stéphane Urbanovski wrote:
>> No comments?
>>
>
> I do have some...
Ok, thanks for reviewing.
> 1.
>
> + char cn[128] = "?";
>
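Review bot: the fixed-size `cn[128]` has to travel with its size: whatever fills it (typically a bounded OpenSSL lookup that takes a length argument) must be passed `sizeof cn`, and a completely filled buffer should be treated as a truncated CN rather than a complete one. Defining the size once, e.g. `#define CN_MAX_LEN 128` with `char cn[CN_MAX_LEN] = "?";`, keeps the declaration and the length argument in step.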
> Where has 128 been taken from? Could it be defined as a macro, so
> changing it doesn't require finding all the places where this number or
> a derivative is used?
This choice is completely arbitrary. The CN is used only as additional
information in the output message.
Using a macro would be cleaner and allow us to go further (checking
the certificate subject value, for example).
> 2.
>
> + if(! subj){
> + printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
> + return STATE_CRITICAL;
> + }
>
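Review bot: `if(! subj)` only catches a NULL pointer; a subject that is present but empty (the subjectAltName-only case raised in this thread) passes this test and the later CN lookup then has nothing to find, so also check `*subj == '\0'` (or an empty CN) and map both cases to the same fallback. Since the patch does not free `subj` anywhere, this early return also leaks the string obtained from OpenSSL; release it before returning. Style: `if (!subj) {` matches the rest of the plugin code.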
> Why would that be critical? Is it possible that a cert does not specify a
> subject, and is still used for authentication/encryption?
The subject in the form of a Distinguished Name (DN) is mandatory in an
X509 certificate, but it may be empty when using a subjectAltName (see
http://tools.ietf.org/html/rfc5280 and http://tools.ietf.org/html/rfc2818).
The subjectAltName is not implemented here.
The proposed patch checks the "CN" of the subject. It may be improved by
also checking the "dNSName" attribute.
> 3. Shouldn't *subj be freed at the end?
Certainly :-/
> 4. Patch should use /* ... */ comments only, some c compilers do not
> like c++-style comments (// ...)
I'll fix this.
> I can fix the comments; please address the first 3 points and then I can
> look at applying the patch. This will also require some tests fixes and
> additions, which I can do as well when I find the time for that...
At least check_http.t certificate checking should be fixed. I can
provide a patch for it.
> I'm particularly interested about #2: if this is the correct behaviour,
> could you please link to some specification that say so? Otherwise I'd
> rather retain the previous behaviour - or just use "unknown" - when the
> subject cannot be retrieved.
>
> Thanks
>
> --
> Thomas
--
Stéphane Urbanovski
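The CN extraction discussed in this thread, as an added example that is not part of the patch or of the nagios-plugins code base: it parses a subject in the X509_NAME_oneline() form, uses a named size constant instead of a bare 128, bounds the copy into the CN buffer and flags truncation, and falls back to "unknown" for a missing or empty CN (the subjectAltName-only case) instead of returning CRITICAL. The names `CN_MAX_LEN` and `subject_cn` and the sample subjects are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Named buffer size instead of a bare 128 (assumed name, not from the patch). */
#define CN_MAX_LEN 128

/* Copy the CN value of a subject in X509_NAME_oneline() form, e.g.
 * "/C=FR/O=Example/CN=www.example.org", into cn (cn_len bytes, always
 * NUL-terminated). Returns 1 on success, 2 if the CN had to be truncated,
 * 0 when subj is NULL/empty or has no non-empty CN; cn then reads "unknown",
 * which is reported in the status line instead of failing the check. */
int subject_cn(const char *subj, char *cn, size_t cn_len)
{
    const char *start, *end;
    size_t len;

    if (cn_len == 0)
        return 0;
    strncpy(cn, "unknown", cn_len - 1);          /* default when not found */
    cn[cn_len - 1] = '\0';
    if (subj == NULL || *subj == '\0')           /* empty subject: SAN-only cert */
        return 0;
    start = strstr(subj, "/CN=");                /* leading '/' avoids e.g. "OCN=" */
    if (start == NULL)
        return 0;
    start += strlen("/CN=");
    end = strchr(start, '/');                    /* value ends at the next RDN */
    len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0)                                /* "CN=" present but empty */
        return 0;
    if (len > cn_len - 1) {                      /* bounded copy, flag truncation */
        memcpy(cn, start, cn_len - 1);
        cn[cn_len - 1] = '\0';
        return 2;
    }
    memcpy(cn, start, len);
    cn[len] = '\0';
    return 1;
}

int main(void)
{
    char cn[CN_MAX_LEN];   /* constructed sample subject, not from a real cert */
    int rc = subject_cn("/C=FR/O=Nagios Plugins/CN=www.example.org", cn, sizeof cn);
    printf("rc=%d CN='%s'\n", rc, cn);
    return 0;
}
```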