
Revert "New parameter `--verify-host` will check if -H hostname matches the SSL certificate"

This reverts commit 8798e4bb0e44541edd0b8e1b4409bcde588f9077.

This will have to wait for a bit so bug fixes can be released
John C. Frickson 8 år sedan
förälder
incheckning
ae6eb8506d
4 ändrade filer med 3 tillägg och 42 borttagningar
  1. 0 4
      NEWS
  2. 3 20
      plugins/check_http.c
  3. 0 6
      plugins/common.h
  4. 0 12
      plugins/sslutils.c

+ 0 - 4
NEWS

@@ -1,10 +1,6 @@
 This file documents the major additions and syntax changes between releases.
 
 x.x.x xxxx-xx-xx
-	ENHANCEMENTS
-	Added directory plugins-python containing three Python plugins
-	check_http: New parameter `--verify-host` will check if -H hostname matches the SSL certificate
-
 	FIXES
 	check_users: not accepting zero as the threshold
 	check_http: reports warning where it should report ok with -e

+ 3 - 20
plugins/check_http.c

@@ -146,9 +146,6 @@ char *perfd_size (int page_len);
 void print_help (void);
 void print_usage (void);
 
-extern int check_hostname;
-
-
 int
 main (int argc, char **argv)
 {
@@ -203,8 +200,7 @@ process_arguments (int argc, char **argv)
 
   enum {
     INVERT_REGEX = CHAR_MAX + 1,
-    SNI_OPTION,
-		VERIFY_HOST
+    SNI_OPTION
   };
 
   int option = 0;
@@ -214,7 +210,6 @@ process_arguments (int argc, char **argv)
     {"nohtml", no_argument, 0, 'n'},
     {"ssl", optional_argument, 0, 'S'},
     {"sni", no_argument, 0, SNI_OPTION},
-		{"verify-host", no_argument, 0, VERIFY_HOST},
     {"post", required_argument, 0, 'P'},
     {"method", required_argument, 0, 'j'},
     {"IP-address", required_argument, 0, 'I'},
@@ -373,9 +368,6 @@ process_arguments (int argc, char **argv)
     case SNI_OPTION:
       use_sni = TRUE;
       break;
-		case VERIFY_HOST:
-			check_hostname = 1;
-			break;
     case 'f': /* onredirect */
       if (!strcmp (optarg, "stickyport"))
         onredirect = STATE_DEPENDENT, followsticky = STICKY_HOST|STICKY_PORT;
@@ -1676,10 +1668,6 @@ print_help (void)
   printf ("    %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
   printf (" %s\n", "--sni");
   printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-	printf (" %s\n", "--verify-host");
-  printf ("    %s\n", _("Verify SSL certificate is for the -H hostname (with --sni and -S)"));
-#endif
   printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
   printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
@@ -1814,11 +1802,6 @@ print_usage (void)
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
   printf ("       [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-	printf ("       [-A string] [-k string] [-S <version>] [--sni] [--verify-host]\n");
-	printf ("       [-C <warn_age>[,<crit_age>]] [-T <content-type>] [-j method]\n");
-#else
-	printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
-	printf ("       [-T <content-type>] [-j method]\n");
-#endif
+  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+  printf ("       [-T <content-type>] [-j method]\n");
 }
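Review bot: With `--verify-host` removed again, the `--sni` help line `printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));` is the only place a user learns what happens to the -H name on a TLS check, and it does not say that the name is sent in the handshake but never compared against the certificate; as far as the hunks here show, nothing else in the -S path verifies it either. Since the revert is described as temporary, a follow-up line in print_help would keep that visible, e.g. `printf ("    %s\n", _("(the certificate is not checked against the -H hostname)"));`. The usage text at the end of the hunk is fine as rewritten.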

+ 0 - 6
plugins/common.h

@@ -146,9 +146,6 @@
 #    include <rsa.h>
 #    include <crypto.h>
 #    include <x509.h>
-#    if OPENSSL_VERSION_NUMBER >= 0x10002000L
-#      include <x509v3.h>
-#    endif
 #    include <pem.h>
 #    include <ssl.h>
 #    include <err.h>
@@ -157,9 +154,6 @@
 #      include <openssl/rsa.h>
 #      include <openssl/crypto.h>
 #      include <openssl/x509.h>
-#      if OPENSSL_VERSION_NUMBER >= 0x10002000L
-#        include <openssl/x509v3.h>
-#      endif
 #      include <openssl/pem.h>
 #      include <openssl/ssl.h>
 #      include <openssl/err.h>

+ 0 - 12
plugins/sslutils.c

@@ -35,8 +35,6 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
 
-int check_hostname = 0;
-
 int np_net_ssl_init(int sd) {
 	return np_net_ssl_init_with_hostname(sd, NULL);
 }
@@ -159,16 +157,6 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #endif
 		SSL_set_fd(s, sd);
 		if (SSL_connect(s) == 1) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-			if (check_hostname && host_name && *host_name) {
-				X509 *certificate=SSL_get_peer_certificate(s);
-				int rc = X509_check_host(certificate, host_name, 0, 0, NULL);
-				if (rc != 1) {
-					printf("%s\n", _("CRITICAL - Hostname mismatch."));
-					return STATE_CRITICAL;
-				}
-			}
-#endif
 			return OK;
 		} else {
 			printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
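Review bot: The success path `if (SSL_connect(s) == 1) { return OK; }` now returns OK without inspecting the peer certificate at all, so any certificate that completes the handshake is reported as OK, as far as this hunk shows. Because the feature is only deferred, a short comment at that point would keep the gap from being forgotten: `/* NOTE: peer certificate is not verified here; hostname check deferred (see revert of 8798e4bb) */`. When the check is reintroduced, the verify block should also handle `SSL_get_peer_certificate()` returning NULL and release the X509 it returns with `X509_free()`, which the removed code did not do. The enclosing function np_net_ssl_init_with_hostname_version_and_cert starts before this hunk.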