On 2015-09-18, Gsemia <notificati...@github.com> wrote: > > PCI demanded that my company disable internal TLSv1 access to our servers > immediately. Only public TLSv1 access is still allowed until 2015-06-31. > This means monitoring is also affected and needs to have TLSv1 disabled. > Having check_http not support TLSv1.2 breaks our Nagios monitoring. >
You could do something like this which changes the default check to TLSv1.0+ (I think at this point in the game it's reasonable to consider a service which doesn't TLS at all as down/broken ;-) and adds a new option to enforce TLSv1.2+ (allowing it to autodetect and connect to future protocol versions).
--- plugins/check_http.c.orig Sun Nov 30 10:36:26 2014
+++ plugins/check_http.c Fri Sep 18 17:10:46 2015
@@ -344,8 +344,8 @@ process_arguments (int argc, char **argv)
 use_ssl = TRUE;
 if (c=='S' && optarg != NULL) {
 ssl_version = atoi(optarg);
- if (ssl_version < 1 || ssl_version > 3) usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ if (ssl_version < 1 || ssl_version > 4) usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) or 4 (TLSv1.2+)"));
 }
 if (specify_port == FALSE) server_port = HTTPS_PORT;
@@ -1468,8 +1468,8 @@ print_help (void)
 #ifdef HAVE_SSL
 printf (" %s\n", "-S, --ssl=VERSION");
- printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
- printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
+ printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"));
+ printf (" %s\n", _("particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."));
 printf (" %s\n", "--sni");
 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
--- plugins/sslutils.c.orig Sun Nov 30 10:36:26 2014
+++ plugins/sslutils.c Fri Sep 18 17:05:25 2015
@@ -49,12 +49,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd,
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
 SSL_METHOD *method = NULL;
+ long options = 0;
 switch (version) {
- case 0: /* Deafult to auto negotiation */
+ case 0: /* Default to auto negotiate, TLS only */
+ options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 method = SSLv23_client_method();
 break;
- case 1: /* TLSv1 protocol */
+ case 1: /* TLSv1.0 only */
 method = TLSv1_client_method();
 break;
 case 2: /* SSLv2 protocol */
@@ -66,8 +68,22 @@ int np_net_ssl_init_with_hostname_version_and_cert(int
 #endif
 break;
 case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+ printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+ return STATE_CRITICAL;
+#else
 method = SSLv3_client_method();
+#endif
 break;
+ case 4: /* TLSv1.2+ only */
+#if !defined(SSL_OP_NO_TLSv1_2) || !defined(SSL_OP_NO_TLSv1_1) || !defined(SSL_OP_NO_TLSv1)
+ printf(("%s\n", _("CRITICAL - TLS protocol version 1.2 is not supported by your SSL library.")));
+ return STATE_CRITICAL;
+#else
+ method = SSLv23_client_method();
+ options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
+ break;
+#endif
 default: /* Unsupported */
 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
 return STATE_CRITICAL;
@@ -94,8 +110,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int
 #endif
 }
 #ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+ options |= SSL_OP_NO_TICKET;
 #endif
+ SSL_CTX_set_options(c, options);
 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
 if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
--- po/de.po.orig Mon Dec 1 23:46:17 2014
+++ po/de.po Fri Sep 18 17:12:25 2015
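Review bot: In the second sslutils.c hunk (the `case 3` and `case 4` additions), both new `printf(("%s\n", _("CRITICAL - ...")));` calls carry a doubled pair of parentheses, so the inner `("%s\n", _(...))` is a comma expression and printf receives only the translated message as its format string, with no `"%s\n"` argument and no trailing newline. That is the non-literal-format-string pattern `-Wformat-security` warns about; it is harmless as long as the messages contain no `%`, but a translation that does would change the output or worse, and the missing newline already differs from every other CRITICAL line in this function. Drop the extra parentheses so both calls match the existing `default:` branch, e.g. `printf("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."));` and likewise for the TLSv1.2 message. The enclosing function np_net_ssl_init_with_hostname_version_and_cert begins in the first hunk and ends outside the hunks shown.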
@@ -1182,8 +1182,8 @@ msgstr "Ung�ltiger Zertifikatsablauftermin"
 #: plugins/check_http.c:348
 msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
 msgstr ""
 #: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1442,11 +1442,11 @@ msgstr ""
 #: plugins/check_http.c:1471
 msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
 msgstr ""
 #: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
 msgstr ""
 #: plugins/check_http.c:1474
--- po/fr.po.orig Mon Dec 1 23:46:17 2014
+++ po/fr.po Fri Sep 18 17:12:32 2015
@@ -1221,8 +1221,8 @@ msgstr "Période d'expiration du certificat invalide"
 #: plugins/check_http.c:348
 msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
 msgstr ""
 #: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1483,11 +1483,11 @@ msgstr "Numéro du port (défaut: "
 #: plugins/check_http.c:1471
 msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
 msgstr ""
 #: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
 msgstr ""
 #: plugins/check_http.c:1474
--- po/monitoring-plugins.pot.orig Mon Dec 1 23:46:16 2014
+++ po/monitoring-plugins.pot Fri Sep 18 17:12:20 2015
@@ -1142,8 +1142,8 @@ msgstr ""
 #: plugins/check_http.c:348
 msgid ""
-"Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 "
-"(SSLv3)"
+"Invalid option - Valid values for SSL Version are 1 (TLSv1.0), 2 (SSLv2), 3 (SSLv3) "
+"or 4 (TLSv1.2+)"
 msgstr ""
 #: plugins/check_http.c:354 plugins/check_tcp.c:603
@@ -1393,11 +1393,11 @@ msgstr ""
 #: plugins/check_http.c:1471
 msgid ""
-"Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"
+"Connect via SSL. Port defaults to 443. VERSION is optional, and forces a"
 msgstr ""
 #: plugins/check_http.c:1472
-msgid "auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."
+msgid "particular version (1 = TLSv1.0, 2 = SSLv2, 3 = SSLv3, 4 = TLSv1.2+)."
 msgstr ""
 #: plugins/check_http.c:1474