Fix regression in check_http ssl checks on some servers

The fix is making SNI an option.

diff --git a/NEWS b/NEWS
index e261abfdd245c73aec80afe919c927c99644d88e..5305d448e01020b91ff993a85d99667fe5e429c4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ This file documents the major additions and syntax changes between releases.
        Fix memory leak in check_http for large pages (Jimmy Bergman - #2957455)
        Fix compilation with GCC 2.96 (Konstantin Khomoutov - #2977105)
        Fix regression introduced in #1867716 where partially valid performance strings would not be printed anymore
        Fix memory leak in check_http for large pages (Jimmy Bergman - #2957455)
        Fix compilation with GCC 2.96 (Konstantin Khomoutov - #2977105)
        Fix regression introduced in #1867716 where partially valid performance strings would not be printed anymore

+       Fix regression in check_http ssl checks on some servers - make SNI an option

        WARNINGS
        Updated developer documentation to say that performance labels should not have an equals sign or
        single quote in the label
        WARNINGS
        Updated developer documentation to say that performance labels should not have an equals sign or
        single quote in the label

diff --git a/plugins/check_http.c b/plugins/check_http.c
index 5cdf144bdf8b2bf788fe27dae84fedd52f410529..536b40085c138eb8bc122e2998a2ffc44efa3571 100644 (file)
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -112,6 +112,7 @@ int http_opt_headers_count = 0;
 int onredirect = STATE_OK;
 int followsticky = STICKY_NONE;
 int use_ssl = FALSE;
 int onredirect = STATE_OK;
 int followsticky = STICKY_NONE;
 int use_ssl = FALSE;

+int use_sni = FALSE;

 int verbose = FALSE;
 int sd;
 int min_page_len = 0;
 int verbose = FALSE;
 int sd;
 int min_page_len = 0;


@@ -178,7 +179,8 @@ process_arguments (int argc, char **argv)
   char *p;
 
   enum {
   char *p;
 
   enum {

-    INVERT_REGEX = CHAR_MAX + 1
+    INVERT_REGEX = CHAR_MAX + 1,
+    SNI_OPTION

   };
 
   int option = 0;
   };
 
   int option = 0;


@@ -187,6 +189,7 @@ process_arguments (int argc, char **argv)
     {"link", no_argument, 0, 'L'},
     {"nohtml", no_argument, 0, 'n'},
     {"ssl", no_argument, 0, 'S'},
     {"link", no_argument, 0, 'L'},
     {"nohtml", no_argument, 0, 'n'},
     {"ssl", no_argument, 0, 'S'},

+    {"sni", no_argument, 0, SNI_OPTION},

     {"post", required_argument, 0, 'P'},
     {"method", required_argument, 0, 'j'},
     {"IP-address", required_argument, 0, 'I'},
     {"post", required_argument, 0, 'P'},
     {"method", required_argument, 0, 'j'},
     {"IP-address", required_argument, 0, 'I'},


@@ -304,6 +307,9 @@ process_arguments (int argc, char **argv)
       if (specify_port == FALSE)
         server_port = HTTPS_PORT;
       break;
       if (specify_port == FALSE)
         server_port = HTTPS_PORT;
       break;

+    case SNI_OPTION:
+      use_sni = TRUE;
+      break;

     case 'f': /* onredirect */
       if (!strcmp (optarg, "stickyport"))
         onredirect = STATE_DEPENDENT, followsticky = STICKY_HOST|STICKY_PORT;
     case 'f': /* onredirect */
       if (!strcmp (optarg, "stickyport"))
         onredirect = STATE_DEPENDENT, followsticky = STICKY_HOST|STICKY_PORT;


@@ -797,7 +803,7 @@ check_http (void)
     die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
   if (use_ssl == TRUE) {
     die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
   if (use_ssl == TRUE) {

-    np_net_ssl_init_with_hostname(sd, host_name);
+    np_net_ssl_init_with_hostname(sd, (use_sni ? host_name : NULL));

     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp);
       np_net_ssl_cleanup();
     if (check_cert == TRUE) {
       result = np_net_ssl_check_cert(days_till_exp);
       np_net_ssl_cleanup();


@@ -1323,6 +1329,8 @@ print_help (void)
 #ifdef HAVE_SSL
   printf (" %s\n", "-S, --ssl");
   printf ("   %s\n", _("Connect via SSL. Port defaults to 443"));
 #ifdef HAVE_SSL
   printf (" %s\n", "-S, --ssl");
   printf ("   %s\n", _("Connect via SSL. Port defaults to 443"));

+  printf (" %s\n", "--sni");
+  printf ("   %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));

   printf (" %s\n", "-C, --certificate=INTEGER");
   printf ("   %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
   printf ("   %s\n", _("(when this option is used the URL is not checked.)\n"));
   printf (" %s\n", "-C, --certificate=INTEGER");
   printf ("   %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
   printf ("   %s\n", _("(when this option is used the URL is not checked.)\n"));


@@ -1427,5 +1435,6 @@ print_usage (void)
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
   printf ("       [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
   printf ("       [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");

-  printf ("       [-A string] [-k string] [-S] [-C <age>] [-T <content-type>] [-j method]\n");
+  printf ("       [-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]\n");
+  printf ("       [-j method]\n");

 }
 }