check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)

NEWS

@@ -34,6 +34,7 @@ This file documents the major additions and syntax changes between releases.
 	Fixed typos for check_disk (Chris Pepper)
 	Fixed check_mysql* not using password set in my.cnf (#2531905 - Ben Timby) - Specify an empty password explicitly if you need to override it.
 	Fixed awk subst.in/subst script path error (#2722832 - Martin Foster)
+	check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)
 
 1.4.13 25th Sept 2008
 	Fix Debian bug #460097: check_http --max-age broken (Hilko Bengen)

THANKS.in

@@ -252,3 +252,4 @@ Oskar Ahner
 Chris Pepper
 Ben Timby
 Martin Foster
+Joe Presbrey

plugins/check_http.c

@@ -790,7 +790,7 @@ check_http (void)
     die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
   if (use_ssl == TRUE) {
-    np_net_ssl_init(sd);
+    np_net_ssl_init_with_hostname(sd, host_name);
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp);
       np_net_ssl_cleanup();

plugins/netutils.h

@@ -99,6 +99,7 @@ extern int address_family;
 #ifdef HAVE_SSL
 /* maybe this could be merged with the above np_net_connect, via some flags */
 int np_net_ssl_init(int sd);
+int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);

plugins/sslutils.c

@@ -35,7 +35,11 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
 
-int np_net_ssl_init (int sd){
+int np_net_ssl_init (int sd) {
+    return np_net_ssl_init_with_hostname(sd, NULL);
+}
+
+int np_net_ssl_init_with_hostname (int sd, char *host_name) {
 		if (!initialized) {
 			/* Initialize SSL context */
 			SSLeay_add_ssl_algorithms ();
@@ -48,6 +52,10 @@ int np_net_ssl_init (int sd){
 				return STATE_CRITICAL;
 		}
 		if ((s = SSL_new (c)) != NULL){
+#ifdef SSL_set_tlsext_host_name
+				if (host_name != NULL)
+					SSL_set_tlsext_host_name(s, host_name);
+#endif
 				SSL_set_fd (s, sd);
 				if (SSL_connect(s) == 1){
 						return OK;
@@ -65,6 +73,9 @@ int np_net_ssl_init (int sd){
 
 void np_net_ssl_cleanup (){
 		if(s){
+#ifdef SSL_set_tlsext_host_name
+				SSL_set_tlsext_host_name(s, NULL);
+#endif
 				SSL_shutdown (s);
 				SSL_free (s);
 				if(c) {