check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)

diff --git a/NEWS b/NEWS
index 25009822348a66fd8bfa65fb2a7e9aed43f2253f..c5d820f8ea151debd386dc1d4619acdf75a5775f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,7 @@ This file documents the major additions and syntax changes between releases.
        Fixed typos for check_disk (Chris Pepper)
        Fixed check_mysql* not using password set in my.cnf (#2531905 - Ben Timby) - Specify an empty password explicitly if you need to override it.
        Fixed awk subst.in/subst script path error (#2722832 - Martin Foster)
+       check_http: Add SSL/TLS hostname extension support (SNI) - (#1939022 - Joe Presbrey)
 
 1.4.13 25th Sept 2008
        Fix Debian bug #460097: check_http --max-age broken (Hilko Bengen)

diff --git a/THANKS.in b/THANKS.in
index b173eb6e37b607fb39dfb63cacf02ca983fe1817..9209bcfc4c64578f86de9a28cec427b52745d359 100644 (file)
--- a/THANKS.in
+++ b/THANKS.in
@@ -252,3 +252,4 @@ Oskar Ahner
 Chris Pepper
 Ben Timby
 Martin Foster
+Joe Presbrey

diff --git a/plugins/check_http.c b/plugins/check_http.c
index 03102033a0f9a3b85036be76d1551b953daf86d8..79f6adf39962767c4d14a19d6d587c988afb6d8f 100644 (file)
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -790,7 +790,7 @@ check_http (void)
     die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
   if (use_ssl == TRUE) {
-    np_net_ssl_init(sd);
+    np_net_ssl_init_with_hostname(sd, host_name);
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp);
       np_net_ssl_cleanup();

diff --git a/plugins/netutils.h b/plugins/netutils.h
index b479b7411b7682beac07817e6e33c0ef2caa7e4d..572a3ae2253c9417bd2d764b372387213cc2f17a 100644 (file)
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -99,6 +99,7 @@ extern int address_family;
 #ifdef HAVE_SSL
 /* maybe this could be merged with the above np_net_connect, via some flags */
 int np_net_ssl_init(int sd);
+int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);

diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 1d4ef94a210683b55bf3cde64a8cc86d50ad1bac..aa571b6c2c59da721329f63c625530ee7f43d774 100644 (file)
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -35,7 +35,11 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
 
-int np_net_ssl_init (int sd){
+int np_net_ssl_init (int sd) {
+    return np_net_ssl_init_with_hostname(sd, NULL);
+}
+
+int np_net_ssl_init_with_hostname (int sd, char *host_name) {
                if (!initialized) {
                        /* Initialize SSL context */
                        SSLeay_add_ssl_algorithms ();
@@ -48,6 +52,10 @@ int np_net_ssl_init (int sd){
                                return STATE_CRITICAL;
                }
                if ((s = SSL_new (c)) != NULL){
+#ifdef SSL_set_tlsext_host_name
+                               if (host_name != NULL)
+                                       SSL_set_tlsext_host_name(s, host_name);
+#endif
                                SSL_set_fd (s, sd);
                                if (SSL_connect(s) == 1){
                                                return OK;
@@ -65,6 +73,9 @@ int np_net_ssl_init (int sd){
 
 void np_net_ssl_cleanup (){
                if(s){
+#ifdef SSL_set_tlsext_host_name
+                               SSL_set_tlsext_host_name(s, NULL);
+#endif
                                SSL_shutdown (s);
                                SSL_free (s);
                                if(c) {