incomplete SSL certificate verify

Bug #1677951 reported by Ruan Linqi
This bug affects 2 people
Affects: monitoring-plugins (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi developers:
    We made a large-scale security static analysis on several open source projects, and found some mistakes in monitoring-plugins-2.1.2. In @plugins/sslutils.c:164:

    int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
    # ifdef USE_OPENSSL
        [...]
        certificate=SSL_get_peer_certificate(s);

        if (!certificate) {
            printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
            return STATE_CRITICAL;
        }

        /* Extract CN from certificate subject */
        subj=X509_get_subject_name(certificate);
        [...]
    }

    We find that you use SSL_get_peer_certificate() to get the cert and verify some properties of it. But it is still not secure enough and can lead to a MITM attack. To guarantee security, we recommend you add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make sure validation succeeds.
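The gap the report describes, as an added example that is not part of the bug report or of monitoring-plugins: Go's crypto/tls stands in for OpenSSL so that everything runs offline against a self-signed certificate minted in-process. checkCert with verify == false reproduces what the quoted np_net_ssl_check_cert does (take whatever certificate the peer presents and inspect its expiry); with verify == true it validates the chain and hostname first, which is the counterpart of requiring SSL_get_verify_result() == X509_V_OK before trusting anything about the certificate. The host name, the warn/crit thresholds and the test certificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Exit states in the monitoring-plugins convention.
const StateOK, StateWarning, StateCritical = 0, 1, 2

// ErrUntrusted marks a chain-verification failure, as opposed to a network error.
var ErrUntrusted = errors.New("certificate chain not trusted")

// hostName is the name the constructed test certificate is issued for (an assumption of this example).
const hostName = "monitoring-target.example"

func inDays(n int) time.Time { return time.Now().Add(time.Duration(n) * 24 * time.Hour) }

// must panics on error; acceptable here because it only builds test fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// startSelfSignedServer mints a throwaway self-signed certificate (constructed test material)
// expiring at notAfter and serves TLS on 127.0.0.1. The caller decides whether to trust it.
func startSelfSignedServer(notAfter time.Time) (net.Listener, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{hostName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // present the chain, then hang up
			c.Close()
		}
	}()
	return ln, must(x509.ParseCertificate(der))
}

// expiryState applies the plugin-style warn/crit day thresholds to the days left until expiry.
func expiryState(daysLeft, warnDays, critDays int) int {
	switch {
	case daysLeft < critDays:
		return StateCritical
	case daysLeft < warnDays:
		return StateWarning
	}
	return StateOK
}

// checkCert is the monitoring check. With verify == false it does what the reported code does:
// take whatever certificate the peer presents and inspect only its expiry, so an attacker's
// certificate passes. With verify == true the chain is validated against trusted and the
// hostname is checked (Go's counterpart to SSL_get_verify_result() == X509_V_OK) first.
func checkCert(addr string, verify bool, warnDays, critDays int, trusted ...*x509.Certificate) (int, error) {
	cfg := &tls.Config{ServerName: hostName, InsecureSkipVerify: !verify, RootCAs: x509.NewCertPool()}
	for _, c := range trusted {
		cfg.RootCAs.AddCert(c)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return StateCritical, fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	if err != nil {
		return StateCritical, err
	}
	defer conn.Close()
	peer := conn.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return StateCritical, errors.New("cannot retrieve server certificate")
	}
	daysLeft := int(time.Until(peer[0].NotAfter).Hours() / 24)
	return expiryState(daysLeft, warnDays, critDays), nil
}

func main() {
	ln, cert := startSelfSignedServer(inDays(100))
	defer ln.Close()
	addr := ln.Addr().String()
	fmt.Println(checkCert(addr, false, 30, 7))      // 0 <nil>: nobody vouches for the cert, yet OK
	fmt.Println(checkCert(addr, true, 30, 7))       // 2 certificate chain not trusted: ...
	fmt.Println(checkCert(addr, true, 30, 7, cert)) // 0 <nil>: trusted, 99 days left
}
```

Two OpenSSL caveats for anyone porting the verify == true branch back to sslutils.c: SSL_get_verify_result() only reflects a real verification if the SSL_CTX has a trust store loaded (SSL_CTX_set_default_verify_paths() or SSL_CTX_load_verify_locations()), and it returns X509_V_OK when the peer presented no certificate at all, so it has to sit next to the existing NULL check on SSL_get_peer_certificate(). Hostname matching is a separate step in OpenSSL (SSL_set1_host() in 1.1.0 and later, or X509_check_host() on the leaf).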

information type: Private Security → Public
Revision history for this message
Lucy Llewellyn (lucyllewy) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://github.com/monitoring-plugins/monitoring-plugins/issues. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Revision history for this message
Ruan Linqi (shoppingruan) wrote : Re: [Bug 1677951] Re: incomplete SSL certificate verify

OK. Here is the link:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1479

Thanks.

2017-03-31 22:01 GMT+08:00 Daniel Llewellyn <email address hidden>:

> Thank you for taking the time to report this bug and helping to make
> Ubuntu better. The issue you are reporting is an upstream one and it
> would be nice if somebody having it could send the bug to the developers
> of the software by following the instructions at https://github.com
> /monitoring-plugins/monitoring-plugins/issues. If you have done so,
> please tell us the number of the upstream bug (or the link), so we can
> add a bugwatch that will inform us about its status. Thanks in advance.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in monitoring-plugins (Ubuntu):
status: New → Confirmed
Revision history for this message
Joshua Powers (powersj) wrote :

@shoppingruan, looks like they asked you to file that against another project, can you do that and again report the bug issue link?

Revision history for this message
Jan Wagner (waja) wrote :

check_http (and every other plugin) does NOT verify certificates and was never planned to do so.

Changed in monitoring-plugins (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
Ruan Linqi (shoppingruan) wrote :

Hi Developers:
     In @plugins/sslutils.c:164~248, I see you get the certificate and verify
some properties of it. So the plugin is planning to do so? Why not use the
judgement SSL_get_verify_result(ssl)==X509_V_OK to guarantee valid cert
verification?

2017-04-06 17:16 GMT+08:00 Jan Wagner <email address hidden>:

> check_http (and every other plugin) does NOT verify certificates and was
> never planed to do so.

Revision history for this message
Jan Wagner (waja) wrote :

Have a look at [check_ssl_cert](https://github.com/matteocorti/check_ssl_cert) for certificate verification. It's also part of the [nagios-plugins-contrib](http://packages.ubuntu.com/search?keywords=nagios-plugins-contrib) package.
