Halaman utama Jelajahi Bantuan
Masuk
LBP
/
nagios-plugins
cermin dari https://github.com/nagios-plugins/nagios-plugins.git
4
0
Fork 0
Berkas Masalah 0 Wiki
Jelajahi Sumber

New parameter `--verify-host` will check if -H hostname matches the SSL certificate

Fix for issue #138
John C. Frickson 8 tahun lalu
induk
41039cf402
melakukan
9ceee1ba40
4 mengubah file dengan 43 tambahan dan 3 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 5 0
      NEWS
  2. 20 3
      plugins/check_http.c
  3. 6 0
      plugins/common.h
  4. 12 0
      plugins/sslutils.c

+ 5 - 0
NEWS
Tampilan Berkas 

@@ -1,5 +1,10 @@
 
 This file documents the major additions and syntax changes between releases.
 
 
+x.x.x xxxx-xx-xx
 
+	ENHANCEMENTS
 
+	Added directory plugins-python containing three Python plugins
 
+	check_http: New parameter `--verify-host` will check if -H hostname matches the SSL certificate
 
+
 
 2.2.1 2017-04-19
 
 	FIXES
 
 	check_users: not accepting zero as the threshold

+ 20 - 3
plugins/check_http.c
Tampilan Berkas 

@@ -146,6 +146,9 @@ char *perfd_size (int page_len);
 
 void print_help (void);
 
 void print_usage (void);
 
 
+extern int check_hostname;
 
+
 
+
 
 int
 
 main (int argc, char **argv)
 
 {
 
@@ -200,7 +203,8 @@ process_arguments (int argc, char **argv)
 
 
   enum {
 
     INVERT_REGEX = CHAR_MAX + 1,
 
-    SNI_OPTION
 
+    SNI_OPTION,
 
+		VERIFY_HOST
 
   };
 
 
   int option = 0;
 
@@ -210,6 +214,7 @@ process_arguments (int argc, char **argv)
 
     {"nohtml", no_argument, 0, 'n'},
 
     {"ssl", optional_argument, 0, 'S'},
 
     {"sni", no_argument, 0, SNI_OPTION},
 
+		{"verify-host", no_argument, 0, VERIFY_HOST},
 
     {"post", required_argument, 0, 'P'},
 
     {"method", required_argument, 0, 'j'},
 
     {"IP-address", required_argument, 0, 'I'},
 
@@ -368,6 +373,9 @@ process_arguments (int argc, char **argv)
 
     case SNI_OPTION:
 
       use_sni = TRUE;
 
       break;
 
+		case VERIFY_HOST:
 
+			check_hostname = 1;
 
+			break;
 
     case 'f': /* onredirect */
 
       if (!strcmp (optarg, "stickyport"))
 
         onredirect = STATE_DEPENDENT, followsticky = STICKY_HOST|STICKY_PORT;
 
@@ -1668,6 +1676,10 @@ print_help (void)
 
   printf ("    %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
 
   printf (" %s\n", "--sni");
 
   printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 
+	printf (" %s\n", "--verify-host");
 
+  printf ("    %s\n", _("Verify SSL certificate is for the -H hostname (with --sni and -S)"));
 
+#endif
 
   printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
 
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
 
   printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
 
@@ -1802,6 +1814,11 @@ print_usage (void)
 
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
 
   printf ("       [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
 
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
 
-  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
 
-  printf ("       [-T <content-type>] [-j method]\n");
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 
+	printf ("       [-A string] [-k string] [-S <version>] [--sni] [--verify-host]\n");
 
+	printf ("       [-C <warn_age>[,<crit_age>]] [-T <content-type>] [-j method]\n");
 
+#else
 
+	printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
 
+	printf ("       [-T <content-type>] [-j method]\n");
 
+#endif
 
 }

+ 6 - 0
plugins/common.h
Tampilan Berkas 

@@ -146,6 +146,9 @@
 
 #    include <rsa.h>
 
 #    include <crypto.h>
 
 #    include <x509.h>
 
+#    if OPENSSL_VERSION_NUMBER >= 0x10002000L
 
+#      include <x509v3.h>
 
+#    endif
 
 #    include <pem.h>
 
 #    include <ssl.h>
 
 #    include <err.h>
 
@@ -154,6 +157,9 @@
 
 #      include <openssl/rsa.h>
 
 #      include <openssl/crypto.h>
 
 #      include <openssl/x509.h>
 
+#      if OPENSSL_VERSION_NUMBER >= 0x10002000L
 
+#        include <openssl/x509v3.h>
 
+#      endif
 
 #      include <openssl/pem.h>
 
 #      include <openssl/ssl.h>
 
 #      include <openssl/err.h>

+ 12 - 0
plugins/sslutils.c
Tampilan Berkas 

@@ -35,6 +35,8 @@ static SSL_CTX *c=NULL;
 
 static SSL *s=NULL;
 
 static int initialized=0;
 
 
+int check_hostname = 0;
 
+
 
 int np_net_ssl_init(int sd) {
 
 	return np_net_ssl_init_with_hostname(sd, NULL);
 
 }
 
@@ -157,6 +159,16 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 
 #endif
 
 		SSL_set_fd(s, sd);
 
 		if (SSL_connect(s) == 1) {
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 
+			if (check_hostname && host_name && *host_name) {
 
+				X509 *certificate=SSL_get_peer_certificate(s);
 
+				int rc = X509_check_host(certificate, host_name, 0, 0, NULL);
 
+				if (rc != 1) {
 
+					printf("%s\n", _("CRITICAL - Hostname mismatch."));
 
+					return STATE_CRITICAL;
 
+				}
 
+			}
 
+#endif
 
 			return OK;
 
 		} else {
 
 			printf("%s\n", _("CRITICAL - Cannot make SSL connection."));