Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224860

Change subject: check_ssl: add support for picking the auth algorithm
......................................................................

check_ssl: add support for picking the auth algorithm

Different authentication algorithms may result in different
certificates, each with their own notBefore/notAfter (case in point:
production right now is serving both RSA and ECDSA and the two certs
have a different notBefore date as they were issued at a different
time).

This adds a --authalg argument to check_ssl that can be used to force
DSS, RSA or ECDSA, to be used in the future by invoking check_ssl
multiple times.

Change-Id: I07255a283da4d6815ff302aba0d0d6487e067e9b
---
M modules/nagios_common/files/check_commands/check_ssl
1 file changed, 9 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/224860/1

diff --git a/modules/nagios_common/files/check_commands/check_ssl 
b/modules/nagios_common/files/check_commands/check_ssl
index a9cb41a..5812f82 100755
--- a/modules/nagios_common/files/check_commands/check_ssl
+++ b/modules/nagios_common/files/check_commands/check_ssl
@@ -85,6 +85,10 @@
         default => 0,
     );
     $ng->arg(
+        spec    => 'authalg=s',
+        help    => 'authentication algorithm (DSS, RSA, ECDSA)',
+    );
+    $ng->arg(
         spec => 'subject|s=s',
         help => 'subject name to match against',
     );
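Review bot: The new `$ng->arg` block pads its keys (`spec    =>`, `help    =>`) while the neighbouring `subject|s=s` block uses a single space before `=>`; match whichever convention that argument list follows. The help string would also be more useful if it said that the value is case-insensitive (the later hunk applies `uc()`) and that omitting the option leaves the cipher list untouched, since `authalg=s` itself accepts any string and the three names in parentheses are the only documentation of what is valid.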
@@ -136,6 +140,11 @@
     # only setting to empty string does (this is documented)
     $sopts{SSL_hostname} = '' if $ng->nosni;
 
+    if ( defined $ng->authalg ) {
+        $sopts{SSL_cipher_list} = 'a' . uc($ng->authalg);
+        $sopts{SSL_cipher_list} .= ':!eNULL';
+    }
+
     if ( -d $ng->rootcert ) {
         $sopts{'SSL_ca_path'} = $ng->rootcert;
     }
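Review bot: Missing input check on `$ng->authalg` before it is concatenated into `SSL_cipher_list`: any string is accepted, so a typo or a value containing cipher-string syntax such as `:` or `!` ends up in the list verbatim and the check then runs against a different cipher selection than the operator intended, or fails with an error that does not point at the argument. Suggest validating first, for example `uc($ng->authalg) =~ /^(DSS|RSA|ECDSA)$/`, and exiting UNKNOWN with a clear message otherwise. A short comment noting that assigning `SSL_cipher_list` here replaces the cipher list for the connection, with only `!eNULL` excluded, would also help the next reader.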

-- 
To view, visit https://gerrit.wikimedia.org/r/224860
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I07255a283da4d6815ff302aba0d0d6487e067e9b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
