Comment 6 for bug 1677951

Ruan Linqi (shoppingruan) wrote : Re: [Bug 1677951] Re: incomplete SSL certificate verify

Hi Developers:
     In @plugins/sslutils.c:164~248, I see you get the certificate and verify
some properties of it. So the plugin is planning to do so? Why not use the
judgement SSL_get_verify_result(ssl)==X509_V_OK to guarantee valid cert
verification?

2017-04-06 17:16 GMT+08:00 Jan Wagner <email address hidden>:

> check_http (and every other plugin) does NOT verify certificates and was
> never planned to do so.
>
> ** Changed in: monitoring-plugins (Ubuntu)
> Status: Confirmed => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677951
>
> Title:
> incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
> Invalid
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in monitoring-plugins-2.1.2. In
> the @plugins/sslutils.c:164:
> int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
> # ifdef USE_OPENSSL
> [...]
>     certificate=SSL_get_peer_certificate(s);
>
>     if (!certificate) {
>         printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
>         return STATE_CRITICAL;
>     }
>
>     /* Extract CN from certificate subject */
>     subj=X509_get_subject_name(certificate);
> [...]
> }
>
> We find that you use SSL_get_peer_certificate() to get the cert
> and verify some properties of it. But it is still not secure enough and
> can lead to a MITM attack. To guarantee the security, we recommend you
> add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
> sure validation succeeds.
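The point raised in the thread is that retrieving the peer certificate (SSL_get_peer_certificate) says nothing about whether the chain and hostname validated; only the verify result (SSL_get_verify_result(ssl) == X509_V_OK, or an equivalent verify mode that fails the handshake) does. The following is an added example, not code from monitoring-plugins or from anyone in this bug report; it shows the same expiry check as a small Python `ssl` program in which chain and hostname verification are enforced by the context, so an unverified certificate is never examined at all. The host name `example.test`, the constructed certificate dictionary and the state numbering are assumptions of this example.

```python
"""Expiry check for a TLS peer certificate with verification enforced.

Added illustration for the bug thread above (not monitoring-plugins code).
The C plugin's SSL_get_verify_result(ssl) == X509_V_OK corresponds here to a
context with verify_mode=CERT_REQUIRED and check_hostname=True: the handshake
raises SSLCertVerificationError unless the chain and the hostname validate.
"""
import socket
import ssl
from datetime import datetime, timezone

# Nagios-style plugin exit states (assumed numbering, matches common practice).
STATE_OK, STATE_WARNING, STATE_CRITICAL = 0, 1, 2


def verified_context():
    """Context that refuses any peer whose chain or hostname does not verify."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def unverified_context():
    """What the reported code amounts to: the certificate can be fetched and
    inspected, but nothing validates it, so a forged cert passes unnoticed.
    Shown only for contrast; never use it for a monitoring check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def subject_cn(cert):
    """Return the subject commonName from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def expiry_state(not_after, now, days_warn, days_crit):
    """Map a notAfter string (getpeercert() format, e.g. 'Jun  1 12:00:00 2025 GMT')
    to (state, days_left) given warning/critical thresholds in days."""
    exp = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (exp - now).days
    if days_left < 0 or days_left <= days_crit:
        return STATE_CRITICAL, days_left
    if days_left <= days_warn:
        return STATE_WARNING, days_left
    return STATE_OK, days_left


def evaluate_cert(cert, now, days_warn, days_crit):
    """Produce (state, message) for an already verified certificate dict."""
    cn = subject_cn(cert) or "<no CN>"
    state, days_left = expiry_state(cert["notAfter"], now, days_warn, days_crit)
    if days_left < 0:
        return state, f"CRITICAL - Certificate '{cn}' expired {-days_left} days ago"
    label = {STATE_OK: "OK", STATE_WARNING: "WARNING", STATE_CRITICAL: "CRITICAL"}[state]
    return state, f"{label} - Certificate '{cn}' will expire in {days_left} days"


def check_https_cert(host, port=443, days_warn=30, days_crit=14, timeout=10.0):
    """Connect to host:port, let OpenSSL verify chain and hostname, then check
    expiry. Verification failure is reported as CRITICAL instead of being
    silently ignored."""
    ctx = verified_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return STATE_CRITICAL, f"CRITICAL - certificate verification failed: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return STATE_CRITICAL, f"CRITICAL - TLS connection failed: {e}"
    if not cert:
        return STATE_CRITICAL, "CRITICAL - Cannot retrieve server certificate."
    return evaluate_cert(cert, datetime.now(timezone.utc), days_warn, days_crit)


# Constructed sample: the shape ssl.getpeercert() returns, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2025, 5, 1, tzinfo=timezone.utc)
    print(evaluate_cert(SAMPLE_CERT, fixed_now, 30, 14))
    # A live check would be: print(check_https_cert("example.test"))
```

The design choice worth noting is that expiry is only evaluated on a certificate the TLS layer has already accepted; with the unverified context the same `getpeercert()` call would happily return whatever an interposed party presented, which is exactly the gap the reporter describes.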