[dev.icinga.com #10358] ITL: Allow to enforce specific SSL versions using the http check command #3484

Closed
icinga-migration opened this issue Oct 14, 2015 · 12 comments

@icinga-migration icinga-migration commented Oct 14, 2015

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10358

Created by bldewolf on 2015-10-14 07:08:19 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2016-03-15 14:29:09 +00:00)
Target Version: 2.4.4
Last Update: 2016-03-15 14:29:09 +00:00 (in Redmine)

Backport?: Already backported
Include in Changelog: 1

In itl/command-plugins.conf, the CheckCommand object for "http" assumes "-S" is only a flag and can't take arguments. It actually can take arguments, specifying the required version of SSL (instead of negotiating).

My fix for this was to make a derivative object (I was already making one for "https" anyway) that adds:

object CheckCommand "https" {
    import "plugin-check-command"
    arguments["-S1"] = { set_if = "$http_force_tlsv1$" }
}

Attachments

Changesets

2016-02-24 22:38:22 +00:00 by (unknown) 2e1a214

ITL: add check_http args for SSL version forcing

The -S argument of check_http can take a number, which forces the connection to
use a specific SSL version.  This is implemented as multiple options because
check_http does not accept the number following -S if they are separated.

fixes #10358

Signed-off-by: Michael Friedrich <michael.friedrich@netways.de>

2016-02-24 22:38:52 +00:00 by mfriedrich e0974d8

Update AUTHORS

refs #10358

2016-03-11 14:49:53 +00:00 by (unknown) 5c52e3e

ITL: add check_http args for SSL version forcing

The -S argument of check_http can take a number, which forces the connection to
use a specific SSL version.  This is implemented as multiple options because
check_http does not accept the number following -S if they are separated.

fixes #10358

Signed-off-by: Michael Friedrich <michael.friedrich@netways.de>

2016-03-11 14:50:02 +00:00 by mfriedrich 7f7f46b

Update AUTHORS

refs #10358

2016-03-15 14:26:22 +00:00 by mfriedrich d8b70f8

ITL: Add additional http check command parameters for SSL version enforcement

refs #10358

2016-03-15 14:28:10 +00:00 by mfriedrich ba989f4

ITL: Add additional http check command parameters for SSL version enforcement

refs #10358

@icinga-migration icinga-migration commented Oct 14, 2015

Updated by gbeutner on 2015-10-14 07:09:26 +00:00

  • Description updated

@icinga-migration icinga-migration commented Oct 26, 2015

Updated by gbeutner on 2015-10-26 08:54:32 +00:00

  • Status changed from New to Feedback
  • Assigned to set to bldewolf

Are you interested in providing a patch for this problem (as in, for the ITL definitions)?

@icinga-migration icinga-migration commented Nov 14, 2015

Updated by gbeutner on 2015-11-14 18:38:22 +00:00

  • Status changed from Feedback to New
  • Assigned to deleted bldewolf

I'm guessing that's a no then, removing assignee for now.

@icinga-migration icinga-migration commented Nov 16, 2015

Updated by bldewolf on 2015-11-16 19:41:49 +00:00

  • File added 0001-ITL-add-check_http-args-for-SSL-version-forcing.patch

Woops, sorry, this fell out of my queue. See attached.

@icinga-migration icinga-migration commented Feb 24, 2016

Updated by mfriedrich on 2016-02-24 22:39:19 +00:00

  • Status changed from New to Assigned
  • Target Version set to 2.4.4

Thanks. Next time please also update the documentation section :)

@icinga-migration icinga-migration commented Feb 24, 2016

Updated by Anonymous on 2016-02-24 22:40:04 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 2e1a214.

@icinga-migration icinga-migration commented Feb 29, 2016

Updated by holzkeil on 2016-02-29 16:19:06 +00:00

Hello,

I stumbled upon the same issue and I think the patch does not cover all cases. check_http is a bit more flexible and not only accepts 1, 2 and 3 as arguments, but also 1.1, 1.2 and also every argument with a plus sign appended, e.g. 1.1+, which means that specific or any higher TLS/SSL version is accepted.

This means the patch should be extended:

#diff command-plugins.conf command-plugins.conf.bak
333,362d332
< }
< "-S1" = {
< set_if = "$http_ssl_force_tlsv1$"
< }
< "-S1.1" = {
< set_if = "$http_ssl_force_tlsv1_1$"
< }
< "-S1.2" = {
< set_if = "$http_ssl_force_tlsv1_2$"
< }
< "-S2" = {
< set_if = "$http_ssl_force_sslv2$"
< }
< "-S3" = {
< set_if = "$http_ssl_force_sslv3$"
< }
< "-S1+" = {
< set_if = "$http_ssl_force_tlsv1_or_higher$"
< }
< "-S1.1+" = {
< set_if = "$http_ssl_force_tlsv1_1_or_higher$"
< }
< "-S1.2+" = {
< set_if = "$http_ssl_force_tlsv1_2_or_higher$"
< }
< "-S2+" = {
< set_if = "$http_ssl_force_sslv2$_or_higher"
< }
< "-S3+" = {
< set_if = "$http_ssl_force_sslv3$_or_higher"
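
Review bot: In the last two entries ("-S2+" and "-S3+") the closing "$" sits before the "_or_higher" suffix (set_if = "$http_ssl_force_sslv2$_or_higher"), so the value is not one complete macro like the "-S1+", "-S1.1+" and "-S1.2+" entries above; move it to the end, i.e. "$http_ssl_force_sslv2_or_higher$" and "$http_ssl_force_sslv3_or_higher$". The diff is also taken with the new file as the first operand, so the additions show up as "<" deletions (333,362d332); swapping the operands or sending a git-format patch would let it apply directly. Since each entry is an independent set_if switch, the documentation should also say what happens, or that only one variable may be set, when several of them are true at once.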

regards
Lars
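
A lint for the kind of argument block discussed in this comment, as an added example that is not part of the thread or of the Icinga code base: it checks that every -S key uses one of the version forms listed above and that each set_if value is exactly one $macro$. The sample block is constructed from the macro names in the patch; treating several true variables as a conflict is this example's assumption.

```python
import re

# Constructed sample in the style of the ITL "http" arguments. Macro names come
# from the patch in this thread; the last entry repeats its "$" placement.
SAMPLE = '''
"-S1.2" = {
    set_if = "$http_ssl_force_tlsv1_2$"
}
"-S1.2+" = {
    set_if = "$http_ssl_force_tlsv1_2_or_higher$"
}
"-S3+" = {
    set_if = "$http_ssl_force_sslv3$_or_higher"
}
'''

# Version forms listed in the thread: 1, 1.1, 1.2, 2, 3, each optionally with "+".
FLAG_RE = re.compile(r'-S(?:1(?:\.[12])?|2|3)\+?')
MACRO_RE = re.compile(r'\$[A-Za-z_][A-Za-z0-9_]*\$')
ENTRY_RE = re.compile(r'"(-S[^"]*)"\s*=\s*\{\s*set_if\s*=\s*"([^"]*)"\s*\}')

def parse_entries(text):
    """Return [(flag, set_if_value), ...] for every -S argument block."""
    return ENTRY_RE.findall(text)

def lint(entries):
    """Return a list of (flag, problem) for entries that need fixing."""
    problems, seen = [], {}
    for flag, cond in entries:
        if not FLAG_RE.fullmatch(flag):
            problems.append((flag, "version form not among those listed"))
        if not MACRO_RE.fullmatch(cond):
            problems.append((flag, "set_if is not a single $macro$: " + cond))
        elif cond in seen:
            problems.append((flag, "macro already used by " + seen[cond]))
        else:
            seen[cond] = flag
    return problems

def selected_flags(entries, host_vars):
    """Flags whose macro is true in host_vars (assumption: >1 is a conflict)."""
    return [f for f, c in entries
            if MACRO_RE.fullmatch(c) and host_vars.get(c.strip("$"))]

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for flag, problem in lint(entries):
        print(flag, "->", problem)
```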

@icinga-migration icinga-migration commented Mar 11, 2016

Updated by mfriedrich on 2016-03-11 14:50:10 +00:00

  • Backport? changed from Not yet backported to Already backported

@icinga-migration icinga-migration commented Mar 15, 2016

Updated by gbeutner on 2016-03-15 13:36:22 +00:00

  • Status changed from Resolved to Assigned
  • Assigned to set to mfriedrich
  • Backport? changed from Already backported to Not yet backported

@icinga-migration icinga-migration commented Mar 15, 2016

Updated by mfriedrich on 2016-03-15 14:25:49 +00:00

  • Subject changed from http CheckCommand object missing options for forcing SSL version to ITL: Allow to enforce specific SSL versions using the http check command

@icinga-migration icinga-migration commented Mar 15, 2016

Updated by mfriedrich on 2016-03-15 14:26:08 +00:00

  • Tracker changed from Bug to Feature

@icinga-migration icinga-migration commented Mar 15, 2016

Updated by mfriedrich on 2016-03-15 14:29:09 +00:00

  • Status changed from Assigned to Resolved
  • Backport? changed from Not yet backported to Already backported

Converted the patch into a clean one, and created documentation. Next time please provide a git patch including the doc update bits. Thanks.
