Your message dated Fri, 21 Mar 2014 16:40:06 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-nagios-devel] Bug#742246: check_http: certificate
check does not check if CN is correct
has caused the Debian Bug report #742246,
regarding check_http: certificate check does not check if CN is correct
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
742246: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742246
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios-plugins-basic
Version: 1.4.16-1
Severity: normal
Dear Maintainer,
I use a call like follows to check the validity (expiry date) of my
certs:
check_http -C 14 --ssl=1 --sni -H theDomain.de -I 1.2.3.4
I noticed that the above check does NOT compare the CN in the SSL
certificate to the hostname used with "-H". The check is basically
useless if you can deploy any (valid) certificate that does not match
the hostname indicated via SNI.
Thank you for looking into this.
KR,
Ralf
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nagios-plugins-basic depends on:
ii iputils-ping 3:20101006-1+b1
ii libc6 2.13-38+deb7u1
ii libssl1.0.0 1.0.1e-2+deb7u4
ii nagios-plugins-common 1.4.16-1
ii procps 1:3.3.3-3
ii ucf 3.0025+nmu3
nagios-plugins-basic recommends no packages.
Versions of packages nagios-plugins-basic suggests:
ii nagios3 3.4.1-3+deb7u1
-- no debconf information
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Ralf,
many thanks for taking the time to report your issue.
Am 21.03.14 08:57, schrieb Ralf G. R. Bergs:
> I use a call like follows to check the validity (expiry date) of
> my certs:
>
> check_http -C 14 --ssl=1 --sni -H theDomain.de -I 1.2.3.4
>
> I noticed that the above check does NOT compare the CN in the SSL
> certificate to the hostname used with "-H". The check is basically
> useless if you can deploy any (valid) certificate that does not
> match the hostname indicated via SNI.
Unfortunately this is no functionality check_http provides:
$ /usr/lib/nagios/plugins/check_http --help | tail -29|head -3
Please note that this plugin does not check if the presented server
certificate matches the hostname of the server, or if the certificate
has a valid chain of trust to one of the locally installed CAs.
Anyways ... as always ... everybody is welcome to provide patches
upstream[1]
With kind regards, Jan.
[1] https://github.com/monitoring-plugins/monitoring-plugins
- --
Never write mail to <[email protected]>, you have been warned!
- -----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT d-- s+: a C+++ UL++++ P+ L+++ E--- W+++ N+++ o++ K++ w--- O M V-
PS PE Y++
PGP++ t-- 5 X R tv- b+ DI D+ G++ e++ h---- r+++ y++++
- ------END GEEK CODE BLOCK------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJTLF1WAAoJEAxwVXtaBlE+VMMQAKFFYeXjokRZQU9MSk4+X9BB
+CKuekGBXcigcapoRqCBiSiUES5w+dAcKXu2CZG/cc2SFnspJRCyO9FdhuHFL9J7
dMFIMgl8NLhFEf+NC84AZJtYRmagi/BhXeATN6jfeRmHXccRwhZMIDqUrnSHNhbV
E+hy2E66LpW7zAIgefAoas7/+AiT/ytWxJNjQx4SyzFRGTNQ0MxKGazKd+GA1M0x
3eV+CeFBIWyqudRDKGGRdpE2GuWJvUuyM2KApsMRx6uw2SF4xIdzy1MilUkvNboM
cYEKdFRAJx41vqwnye3gVnOY+mdrMnxafVRK9hLutE8JqagadY+LUCB0K3dfbWCX
kth01j5tLUb60kdgV1klFozuz+G7/gqEqoJ8A37OA6nlRRFauvW62AcJou2ha6fV
H1FLRpFGrOl8C0U1zMI9wIe4Amb5Up2WDJj052JYiITtyKLju0bZ6hn9CGytw5v0
Vz7fpRjyGkCiw39rTDz67GGPm6V1YgOpokcgwYR+x7IVv3er2gtdYj/0y2eGQvj7
3upiVIR9vexifftLfFE9fJt+oEc8e39yhPN1SXOm9Lgc1/jWOzid7TA4CSlJeH15
ggA/n8Fcoiwr0Nd7+XzpPtu8uVyWP4WWpMvMTVno3AVlRtSetqJPLAL3hpGGmYUh
Q9hg+EXAeUD9PVcEKWu2
=99rz
-----END PGP SIGNATURE-----
--- End Message ---