aboutsummaryrefslogtreecommitdiff
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
authorGravatar Holger Weiss <holger@zedat.fu-berlin.de> 2015-10-04 23:28:35 +0200
committerGravatar Holger Weiss <holger@zedat.fu-berlin.de> 2015-10-04 23:28:35 +0200
commitf43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822 (patch)
tree51a749e312bd74ffae30f9b2da0bc891350a7299 /plugins/sslutils.c
parenta9b02e7affe6d940e1fb4830156d06e4d816458b (diff)
downloadmonitoring-plugins-f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822.tar.gz
check_http: Allow for requesting TLSv1.1/TLSv1.2
check_http's -S/--ssl option now allows for requesting the TLSv1.1 and TLSv1.2 protocols. Apart from that, a '+' suffix can be appended in oder to also accept newer protocols than the specified version. Closes #1338, and closes #1354, and closes #1359.
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c81
1 files changed, 66 insertions, 15 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index d0ae4741..43b1a5a6 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
SSL_METHOD *method = NULL;
+ long options = 0;
switch (version) {
- case 0: /* Deafult to auto negotiation */
- method = SSLv23_client_method();
- break;
- case 1: /* TLSv1 protocol */
- method = TLSv1_client_method();
- break;
- case 2: /* SSLv2 protocol */
+ case MP_SSLv2: /* SSLv2 protocol */
#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
- printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
- return STATE_CRITICAL;
+ printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
#else
method = SSLv2_client_method();
-#endif
break;
- case 3: /* SSLv3 protocol */
+#endif
+ case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+ printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
method = SSLv3_client_method();
break;
- default: /* Unsupported */
- printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
- return STATE_CRITICAL;
+#endif
+ case MP_TLSv1: /* TLSv1 protocol */
+#if defined(OPENSSL_NO_TLS1)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_client_method();
+ break;
+#endif
+ case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_1_client_method();
+ break;
+#endif
+ case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_2_client_method();
+ break;
+#endif
+ case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+ printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ options |= SSL_OP_NO_TLSv1_1;
+#endif
+ /* FALLTHROUGH */
+ case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+ printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ options |= SSL_OP_NO_TLSv1;
+#endif
+ /* FALLTHROUGH */
+ case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+ options |= SSL_OP_NO_SSLv3;
+#endif
+ /* FALLTHROUGH */
+ case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+ options |= SSL_OP_NO_SSLv2;
+#endif
+ case MP_SSLv2_OR_NEWER:
+ /* FALLTHROUGH */
+ default: /* Default to auto negotiation */
+ method = SSLv23_client_method();
}
if (!initialized) {
/* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
#endif
}
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+ options |= SSL_OP_NO_TICKET;
#endif
+ SSL_CTX_set_options(c, options);
SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
if ((s = SSL_new(c)) != NULL) {
#ifdef SSL_set_tlsext_host_name