Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
Hi Michael,

On Thursday, 23. February 2012, Michael Renner wrote:
> On Feb 23, 2012, at 13:55 , Jan Wagner wrote:
> > that was not my point. I asked, _where_ do you expect such information.
> > And while we are at it, maybe you can tell me, _what_ do you expect at
> > this place. Feel free to provide patches and/or just the text.
>
> Sorry, misinterpreted you there :S
>
> I'd describe it something like this:
>
> ---
>  -S, --ssl
>     Connect via SSL. Port defaults to 443. See below for details.
> [..]
> This plugin can also check whether an SSL enabled web server is able to
> serve content (optionally within a specified time) or whether the X509
> certificate is still valid for the specified number of days.
> Please note that this plugin does not check if the presented server
> certificate matches the hostname of the server or if the certificate has
> a valid chain of trust to one of the locally installed CAs.

this will be included in the next Debian package and also in the next upstream release. Anyways we will accept patch(es) implementing checking if the certificate matches the hostname and maybe other useful extensions (as always).

With kind regards, Jan.

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
Hi Michael,

On 24.02.2012 14:45, Jan Wagner wrote:
> this will be included in the next Debian package and also in the next
> upstream release. Anyways we will accept patch(es) implementing checking
> if the certificate matches the hostname and maybe other useful
> extensions (as always).

I just stumbled upon https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_ssl_cert, which does exactly what you are searching for. Maybe it's a candidate for nagios-plugins-contrib?

With kind regards, Jan.

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
On 02/24/2012 08:26 PM, Jan Wagner wrote:
> Hi Michael,
>
> On 24.02.2012 14:45, Jan Wagner wrote:
> > this will be included in the next Debian package and also in the next
> > upstream release. Anyways we will accept patch(es) implementing
> > checking if the certificate matches the hostname and maybe other
> > useful extensions (as always).
>
> I just stumbled upon
> https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_ssl_cert,
> which does exactly what you are searching for. Maybe it's a candidate
> for nagios-plugins-contrib?

Sounds like a good candidate. Please send patches or a pull request on github.

--
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de http://www.debian.org

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
On Feb 24, 2012, at 21:42 , Bernd Zeimetz wrote:
> > I just stumbled upon
> > https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_ssl_cert,
> > which does exactly what you are searching for. Maybe it's a candidate
> > for nagios-plugins-contrib?
>
> Sounds like a good candidate. Please send patches or a pull request on
> github.

Great find, thanks a bunch Jan and Bernd!

best,
Michael

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
Hi Michael,

On Sunday, 19. February 2012, Michael Renner wrote:
> On Feb 19, 2012, at 13:05 , Jan Wagner wrote:
> > > Explicitly pointing out that this plugin will _ONLY_ verify the
> > > expiry date of the certificate should prevent surprises for other
> > > people in the future.
> >
> > /usr/lib/nagios/plugins/check_http --help doesn't count as
> > documentation? Where do you expect such information exactly?
>
> Regarding HTTPS certificates my version shows:
>
> ---
>  -S, --ssl
>     Connect via SSL. Port defaults to 443
>  --sni
>     Enable SSL/TLS hostname extension support (SNI)
>  -C, --certificate=INTEGER
>     Minimum number of days a certificate has to be valid. Port defaults
>     to 443 (when this option is used the URL is not checked.)
> [..]
> This plugin can also check whether an SSL enabled web server is able to
> serve content (optionally within a specified time) or whether the X509
> certificate is still valid for the specified number of days.
> ---
>
> If you think that this is sufficient to communicate what the plugin does
> and what it doesn't please close this bug report.

that was not my point. I asked, _where_ do you expect such information. And while we are at it, maybe you can tell me, _what_ do you expect at this place. Feel free to provide patches and/or just the text.

Many thanks, Jan.

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
On Feb 23, 2012, at 13:55 , Jan Wagner wrote:
> that was not my point. I asked, _where_ do you expect such an
> information. And while we are at it, maybe you can tell me, _what_ do
> you expect at this place. Feel free to provide patches and/or just the
> text.

Sorry, misinterpreted you there :S

I'd describe it something like this:

---
 -S, --ssl
    Connect via SSL. Port defaults to 443. See below for details.
[..]
This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.
Please note that this plugin does not check if the presented server certificate matches the hostname of the server or if the certificate has a valid chain of trust to one of the locally installed CAs.
[..]
---

best,
Michael

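The gap named in the proposed help text above, as an added Python example that is not part of the thread or of nagios-plugins: a certificate that passes an expiry-only check is still rejected once the hostname is compared. The function names, the simplified wildcard matcher and the sample certificate are constructed for illustration; `fetch_verified_cert` relies on the standard library's default context for the chain-of-trust and hostname checks on a live connection.

```python
import socket
import ssl
import time

OK, CRITICAL = 0, 2  # Nagios plugin exit codes

def days_left(cert, now=None):
    """Whole days until notAfter, for a getpeercert()-style dict."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def name_matches(cert, hostname):
    """Simplified dNSName match: exact, or '*' as the entire left-most label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def expiry_only(cert, min_days, now=None):
    """Expiry is the only test, as the thread describes for check_http -C."""
    left = days_left(cert, now)
    return (OK if left >= min_days else CRITICAL), f"{left} days left"

def expiry_and_name(cert, hostname, min_days, now=None):
    """Same expiry test, but a name mismatch is CRITICAL regardless."""
    if not name_matches(cert, hostname):
        return CRITICAL, f"certificate not valid for {hostname}"
    return expiry_only(cert, min_days, now)

def fetch_verified_cert(host, port=443, cafile=None, timeout=10):
    """Live use: the default context checks chain of trust and hostname and
    raises ssl.SSLCertVerificationError if either fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jan  1 00:00:00 2031 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.static.example.org")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
```
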
Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
tags 644627 +upstream
severity 644627 wishlist
thanks

Hi Michael,

On 07.10.2011 16:44, Michael Renner wrote:
> Nagios' check_http plugin does no verification whatsoever on the SSL
> certificate presented by the server next to checking the expiry time.
> This is highly counter-intuitive and makes the plugin pretty much
> unusable for serious environments where HTTPS is used.

looking into /usr/lib/nagios/plugins/check_http --help will give you information about the purpose of the plugin:

Notes:
 This plugin will attempt to open an HTTP connection with the host. [...]

 This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.

This indicates that you are trying to use this plugin for something that it is not intended to be used for. Anyways, this would indeed be a useful extension.

I actually see two ways to proceed with your request. One would be you provide us a patch for the requested feature. The more useful way is to open[1] a feature request upstream and provide a patch there or hope anybody else is taking care of it.

Thanks and with kind regards, Jan.

[1] http://sourceforge.net/tracker/?func=add&group_id=29880&atid=397600

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
On Feb 19, 2012, at 12:06 , Jan Wagner wrote:
> Notes:
>  This plugin will attempt to open an HTTP connection with the host. [...]
>
>  This plugin can also check whether an SSL enabled web server is able to
>  serve content (optionally within a specified time) or whether the X509
>  certificate is still valid for the specified number of days.
>
> This indicates that you are trying to use this plugin for something that
> it is not intended to be used for. Anyways, this would indeed be a useful
> extension.

Hi Jan,

thanks for your answer!

I was negatively surprised by check_http since (nearly?) every other SSL/TLS implementation will at least warn about not checking specific things you'd expect from a sane/full implementation or explicitly mention it in the docs.

Explicitly pointing out that this plugin will _ONLY_ verify the expiry date of the certificate should prevent surprises for other people in the future.

best,
Michael

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
Hi Michael,

On 19.02.2012 12:17, Michael Renner wrote:
> thanks for your answer!
>
> I was negatively surprised by check_http since (nearly?) every other
> SSL/TLS implementation will at least warn about not checking specific
> things you'd expect from a sane/full implementation or explicitly
> mention it in the docs.
>
> Explicitly pointing out that this plugin will _ONLY_ verify the expiry
> date of the certificate should prevent surprises for other people in the
> future.

/usr/lib/nagios/plugins/check_http --help doesn't count as documentation? Where do you expect such information exactly?

With kind regards, Jan.

Bug#644627: [Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
On Feb 19, 2012, at 13:05 , Jan Wagner wrote:
> > Explicitly pointing out that this plugin will _ONLY_ verify the expiry
> > date of the certificate should prevent surprises for other people in
> > the future.
>
> /usr/lib/nagios/plugins/check_http --help doesn't count as
> documentation? Where do you expect such information exactly?

Regarding HTTPS certificates my version shows:

---
 -S, --ssl
    Connect via SSL. Port defaults to 443
 --sni
    Enable SSL/TLS hostname extension support (SNI)
 -C, --certificate=INTEGER
    Minimum number of days a certificate has to be valid. Port defaults to 443
    (when this option is used the URL is not checked.)
[..]
This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.
---

If you think that this is sufficient to communicate what the plugin does and what it doesn't please close this bug report.

best,
Michael