Changeset eb4ac2ff2b9e0b43b1aa254fde4f3106f8d5386c

Timestamp:

07/10/12 17:24:51 (11 months ago)

Author:

Theo Schlossnagle <jesus@lethargy.org>

git-committer:

Theo Schlossnagle <jesus@lethargy.org> 1341941091 -0700

git-parent:

[aa2a26950f252650791db1d942c440543fdd3992], [353258a7cab6bd5c7069ab335642da33a6c67a2a]

git-author:

Theo Schlossnagle <jesus@lethargy.org> 1341941091 -0700

Message:

Merge pull request #88 from pamaddox/master

SSL Updates For TCP and IMAP Checks

Files:

• docs/config/modules/noit.module.imap.xml (modified) (1 diff)
• docs/config/modules/noit.module.tcp.xml (modified) (1 diff)
• src/modules-lua/noit/extras.lua (modified) (2 diffs)
• src/modules-lua/noit/module/http.lua (modified) (2 diffs)
• src/modules-lua/noit/module/imap.lua (modified) (4 diffs)
• src/modules-lua/noit/module/tcp.lua (modified) (4 diffs)

docs/config/modules/noit.module.imap.xml

@@ -282 +282 @@
-          </variablelist>
-          <para>A list of ciphers to be used in the SSL protocol (for SSL checks).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <variablelist>
+      <varlistentry>
+        <term>header_Host</term>
+        <listitem>
+          <variablelist>
+            <varlistentry>
+              <term>required</term>
+              <listitem>
+                <para>optional</para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>allowed</term>
+              <listitem>
+                <para>.+</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <para>The host header to validate against the SSL certificate (for SSL checks).</para>
-        </listitem>
-      </varlistentry>

docs/config/modules/noit.module.tcp.xml

@@ -226 +226 @@
-          </variablelist>
-          <para>A list of ciphers to be used in the SSL protocol (for SSL checks).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    <variablelist>
+      <varlistentry>
+        <term>header_Host</term>
+        <listitem>
+          <variablelist>
+            <varlistentry>
+              <term>required</term>
+              <listitem>
+                <para>optional</para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>allowed</term>
+              <listitem>
+                <para>.+</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <para>The host header to validate against the SSL certificate (for SSL checks).</para>
-        </listitem>
-      </varlistentry>

src/modules-lua/noit/extras.lua

@@ -29 +29 @@
--- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+local ipairs = ipairs
-local string = require("string")
-local table = require("table")
@@ -68 +69 @@
-end
-
+function check_host_header_against_certificate(host_header, cert_subject, san_list)
+  local san_list_check = function (array, value)
+    for i, line in ipairs(array) do
+      if line == value then
+        return true
+      else
+        line = string.gsub(line, '%.', "%%%.")
+        line = string.gsub(line, "%*", "[^\.]*")
+        local match = string.match(value, line)
+        if match == value then
+          return true
+        end
+      end
+    end
+    return false
+  end
+  -- First, check for SAN values if they exist - if they do, check for a match
+  local san_array = { }
+  if san_list ~= nil then
+    san_array = split(san_list, ", ")
+  end
+  if san_list_check(san_array, host_header) then
+    -- The host header was in the SAN list, so we're done
+    return nil
+  end
+  -- Next, pull out the CN value
+  local cn = string.sub(cert_subject, string.find(cert_subject, 'CN=[^/\n]*'))
+  if cn == nil or cn == '' then
+    -- no common name given, give an error
+    return 'CN not found in certificate'
+  end
+  cn = string.sub(cn, 4)
+  if cn == host_header then
+    -- CN and host_header match exactly, so no error
+    return nil
+  end
+  cn = string.gsub(cn, '%.', "%%%.")
+  cn = string.gsub(cn, "%*", "[^\.]*")
+  local match = string.match(host_header, cn)
+  if match == host_header then
+    return nil
+  end
+  return 'host header does not match CN or SANs in certificate'
+end

src/modules-lua/noit/module/http.lua

@@ -294 +294 @@
-    toReturn = string.gsub(toReturn, "%./", "")
-    return toReturn
-end
-
-function san_list_check(array, value)
-  for i, line in ipairs(array) do
-    if line == value then
-      return true
-    else
-      line = string.gsub(line, '%.', "%%%.")
-      line = string.gsub(line, "%*", "[^\.]*")
-      local match = string.match(value, line)
-      if match == value then
-        return true
-      end
-    end
-  end
-  return false
-end
-
-function check_host_header_against_certificate(host_header, cert_subject, san_list)
-  -- First, check for SAN values if they exist - if they do, check for a match
-  local san_array = { }
-  if san_list ~= nil then
-    san_array = noit.extras.split(san_list, ", ")
-  end
-  if san_list_check(san_array, host_header) then
-    -- The host header was in the SAN list, so we're done
-    return nil
-  end
-  -- Next, pull out the CN value
-  local cn = string.sub(cert_subject, string.find(cert_subject, 'CN=[^/\n]*'))
-  if cn == nil or cn == '' then
-    -- no common name given, give an error
-    return 'CN not found in certificate'
-  end
-  cn = string.sub(cn, 4)
-  if cn == host_header then
-    -- CN and host_header match exactly, so no error
-    return nil
-  end
-  cn = string.gsub(cn, '%.', "%%%.")
-  cn = string.gsub(cn, "%*", "[^\.]*")
-  local match = string.match(host_header, cn)
-  if match == host_header then
-    return nil
-  end
-  return 'host header does not match CN or SANs in certificate'
-end
-
@@ -633 +587 @@
-    local ssl_ctx = client:ssl_ctx()
-    if ssl_ctx ~= nil then
-
+
+
+
+
-      if ssl_ctx.error ~= nil then status = status .. ',sslerror' end
-      if header_match_error == nil then

src/modules-lua/noit/module/imap.lua

@@ -68 +68 @@
-               required="optional"
-               allowed=".+">A list of ciphers to be used in the SSL protocol (for SSL checks).</parameter>
+    <parameter name="header_Host"
+               required="optional"
+               allowed=".+">The host header to validate against the SSL certificate (for SSL checks).</parameter>
-  </checkconfig>
-  <examples>
@@ -163 +166 @@
-  local _tok = 0
-  local last_msg = 0
+  local host_header = check.config.header_Host or ''
-
-  if check.target_ip == nil then
@@ -191 +195 @@
-  end
-
+  local ca_chain = 
+     noit.conf_get_string("/noit/eventer/config/default_ca_chain")
+
+  if check.config.ca_chain ~= nil and check.config.ca_chain ~= '' then
+    ca_chain = check.config.ca_chain
+  end
+
-  if use_ssl == true then
-    rv, err = e:ssl_upgrade_socket(check.config.certificate_file,
-                                        check.config.key_file,
-heck.config.c
+
-                                        check.config.ciphers)
-  end 
@@ -212 +223 @@
-  local ssl_ctx = e:ssl_ctx()
-  if ssl_ctx ~= nil then
+    local header_match_error = nil
+    if host_header ~= '' then
+      header_match_error = noit.extras.check_host_header_against_certificate(host_header, ssl_ctx.subject, ssl_ctx.san_list)
+    end
-    if ssl_ctx.error ~= nil then status = status .. ',sslerror' end
-
+
+
+
+
+
+
+
-    check.metric_string("cert_issuer", ssl_ctx.issuer)
-    check.metric_string("cert_subject", ssl_ctx.subject)
+    if ssl_ctx.san_list ~= nil then
+      check.metric_string("cert_subject_alternative_names", ssl_ctx.san_list)
+    end
-    check.metric_uint32("cert_start", ssl_ctx.start_time)
-    check.metric_uint32("cert_end", ssl_ctx.end_time)

src/modules-lua/noit/module/tcp.lua

@@ -64 +64 @@
-               required="optional"
-               allowed=".+">A list of ciphers to be used in the SSL protocol (for SSL checks).</parameter>
+    <parameter name="header_Host"
+               required="optional"
+               allowed=".+">The host header to validate against the SSL certificate (for SSL checks).</parameter>
-  </checkconfig>
-  <examples>
@@ -128 +131 @@
-  local status = ""
-  local use_ssl = false
+  local host_header = check.config.header_Host or ''
-
-  if check.config.port == nil then
@@ -147 +151 @@
-  end
-
+  local ca_chain = 
+     noit.conf_get_string("/noit/eventer/config/default_ca_chain")
+
+  if check.config.ca_chain ~= nil and check.config.ca_chain ~= '' then
+    ca_chain = check.config.ca_chain
+  end
+
-  if use_ssl == true then
-    rv, err = e:ssl_upgrade_socket(check.config.certificate_file,
-                                        check.config.key_file,
-heck.config.c
+
-                                        check.config.ciphers)
-  end 
@@ -168 +179 @@
-  local ssl_ctx = e:ssl_ctx()
-  if ssl_ctx ~= nil then
+    local header_match_error = nil
+    if host_header ~= '' then
+      header_match_error = noit.extras.check_host_header_against_certificate(host_header, ssl_ctx.subject, ssl_ctx.san_list)
+    end
-    if ssl_ctx.error ~= nil then status = status .. ',sslerror' end
-
+
+
+
+
+
+
+
-    check.metric_string("cert_issuer", ssl_ctx.issuer)
-    check.metric_string("cert_subject", ssl_ctx.subject)
+    if ssl_ctx.san_list ~= nil then
+      check.metric_string("cert_subject_alternative_names", ssl_ctx.san_list)
+    end
-    check.metric_uint32("cert_start", ssl_ctx.start_time)
-    check.metric_uint32("cert_end", ssl_ctx.end_time)