Package: nagios-plugins-basic
Version: 1.4.15-3squeeze1
Severity: normal
Tags: upstream

Nagios' check_http plugin does no verification whatsoever on the SSL certificate presented by the server next to checking the expiry time. This is highly counter-intuitive and makes the plugin pretty much unusable for serious environments where HTTPS is used.

You can test this yourself with https://workbench2.amd.co.at/ which will present a SSL certificate with a wrong hostname.

Demonstration:

workbench:~# /usr/lib/nagios/plugins/check_http --ssl -H workbench2.amd.co.at
HTTP OK: HTTP/1.1 200 OK - 527 bytes in 0.028 second response time |time=0.028253s;;;0.000000 size=527B;;;0
workbench:~# echo $?
0
workbench:~# curl --silent --show-error https://workbench2.amd.co.at
curl: (51) SSL peer certificate or SSH remote key was not OK
workbench:~# echo $?
51
workbench:~#

-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nagios-plugins-basic depends on:
ii  iputils-ping  3:20100418-3      Tools to test the reachability of
ii  libc6         2.11.2-10         Embedded GNU C Library: Shared lib
ii  libssl0.9.8   0.9.8o-4squeeze2  SSL shared libraries
ii  procps        1:3.2.8-9         /proc file system utilities
ii  ucf           3.0025+nmu1       Update Configuration File: preserv

nagios-plugins-basic recommends no packages.

Versions of packages nagios-plugins-basic suggests:
pn  nagios3       <none>            (no description available)

-- no debconf information
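
An added example, not part of the original report and not code from nagios-plugins: a Nagios-style probe in Python that returns CRITICAL instead of OK when the server certificate fails chain or hostname verification, which is the behaviour the report finds missing. The function names, the injectable context/connect parameters and the status-line wording are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Nagios-style HTTPS probe that fails when the certificate does not verify."""
import socket
import ssl
import sys

OK, CRITICAL, UNKNOWN = 0, 2, 3  # standard Nagios plugin exit codes


def verified_context(cafile=None):
    """TLS context that checks both the chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject untrusted or expired chains
    ctx.check_hostname = True             # reject a certificate issued for another name
    return ctx


def check_https(host, port=443, timeout=10.0, context=None,
                connect=socket.create_connection):
    """Return (exit_code, status_line). context/connect are injectable (assumption, for tests)."""
    ctx = context if context is not None else verified_context()
    try:
        with connect((host, port), timeout=timeout) as raw:
            # server_hostname drives both SNI and the hostname comparison
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert().get("notAfter", "unknown")
                return OK, f"HTTPS OK: {host} certificate verified, expires {not_after}"
    except ssl.SSLCertVerificationError as exc:
        # Raised for hostname mismatch, unknown issuer, expiry and similar failures
        reason = getattr(exc, "verify_message", None) or str(exc)
        return CRITICAL, f"HTTPS CRITICAL: {host} certificate rejected: {reason}"
    except (ssl.SSLError, OSError) as exc:
        return CRITICAL, f"HTTPS CRITICAL: {host}:{port} TLS/connect failure: {exc}"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOSTNAME")
        return UNKNOWN
    code, line = check_https(argv[1])
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a host whose certificate names a different host, this exits 2 with the verification reason in the status line, so the monitoring system raises an alert rather than recording the service as healthy.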

