From f43083c6a9d5d9e66d42e7cd0b698b7eb1ecf822 Mon Sep 17 00:00:00 2001 From: Holger Weiss Date: Sun, 4 Oct 2015 23:28:35 +0200 Subject: check_http: Allow for requesting TLSv1.1/TLSv1.2 check_http's -S/--ssl option now allows for requesting the TLSv1.1 and TLSv1.2 protocols. Apart from that, a '+' suffix can be appended in order to also accept newer protocols than the specified version. Closes #1338, and closes #1354, and closes #1359. --- plugins/sslutils.c | 81 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 15 deletions(-) (limited to 'plugins/sslutils.c') diff --git a/plugins/sslutils.c b/plugins/sslutils.c index d0ae4741..43b1a5a6 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c 
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
 SSL_METHOD *method = NULL;
+long options = 0;
 
 switch (version) {
-case 0: /* Deafult to auto negotiation */
-method = SSLv23_client_method();
-break;
-case 1: /* TLSv1 protocol */
-method = TLSv1_client_method();
-break;
-case 2: /* SSLv2 protocol */
+case MP_SSLv2: /* SSLv2 protocol */
 #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
-printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
-return STATE_CRITICAL;
+printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
+return STATE_UNKNOWN;
 #else
 method = SSLv2_client_method();
-#endif
 break;
-case 3: /* SSLv3 protocol */
+#endif
+case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
 method = SSLv3_client_method();
 break;
-default: /* Unsupported */
-printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
-return STATE_CRITICAL;
+#endif
+case MP_TLSv1: /* TLSv1 protocol */
+#if defined(OPENSSL_NO_TLS1)
+printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
+method = TLSv1_client_method();
+break;
+#endif
+case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
+method = TLSv1_1_client_method();
+break;
+#endif
+case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
+method = TLSv1_2_client_method();
+break;
+#endif
+case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
+options |= SSL_OP_NO_TLSv1_1;
+#endif
+/* FALLTHROUGH */
+case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+return STATE_UNKNOWN;
+#else
+options |= SSL_OP_NO_TLSv1;
+#endif
+/* FALLTHROUGH */
+case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+options |= SSL_OP_NO_SSLv3;
+#endif
+/* FALLTHROUGH */
+case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+options |= SSL_OP_NO_SSLv2;
+#endif
+case MP_SSLv2_OR_NEWER:
+/* FALLTHROUGH */
+default: /* Default to auto negotiation */
+method = SSLv23_client_method();
 }
 
 if (!initialized) {
 /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #endif
 }
 #ifdef SSL_OP_NO_TICKET
-SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+options |= SSL_OP_NO_TICKET;
 #endif
+SSL_CTX_set_options(c, options);
 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
 if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
-- cgit v1.2.3
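Review bot: The `MP_TLSv1_OR_NEWER` case silently leaves SSLv3 negotiable when `SSL_OP_NO_SSLv3` is undefined, whereas the `MP_TLSv1_2_OR_NEWER` and `MP_TLSv1_1_OR_NEWER` cases just above return STATE_UNKNOWN when their `SSL_OP_NO_*` option is missing, so a "TLSv1 or newer" request can end up with a weaker protocol floor than asked for and no message saying so. For consistency give that `#if defined(SSL_OP_NO_SSLv3)` an `#else` branch: `printf("%s\n", _("UNKNOWN - Disabling SSLv3 is not supported by your SSL library.")); return STATE_UNKNOWN;` (the same applies to `SSL_OP_NO_SSLv2` in `MP_SSLv3_OR_NEWER` if the build can lack it). Separately, `default:` now maps any unrecognized `version` value to `SSLv23_client_method()` with no restrictions where the old code reported "Unsupported SSL protocol version"; if that is intended, a comment on the label such as `/* unknown values deliberately fall back to auto negotiation */` would help, otherwise keep the error for out-of-range values. The `/* FALLTHROUGH */` marker for `MP_SSLv3_OR_NEWER` sits under the `MP_SSLv2_OR_NEWER:` label rather than before it, unlike the other cases. The enclosing function continues past the end of the hunk.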