On Sun, Oct 09, 2005 at 07:14:37PM -0400, sean finney wrote:
> On Sun, Oct 09, 2005 at 11:21:01PM +0200, Jeroen van Wolffelaar wrote:
> > > okay, so then then that's two problems, as even though the starttls
> > > was refused to the first error, it blindly kept on going regardless of
> > > the 5xx error.
> > 
> > Yup, and the EHLO thingy being the primary one -- if all things go right, the
> > second one doesn't matter (but yeah, should still be fixed -- and result in a
> > nagios check failure).
> 
> okay, i've attached a patch which should work around this.  i've
> verified it on my end, but i'd appreciate if you could try it out as
> well and point out any issues it may have.  it does the following:
> 
> - send ehlo if starttls is required
check
> - exit with STATE_WARNING if STARTTLS isn't listed as a server capability
couldn't set, smtp firewalled away, and no non-TLS capable smtp hosts in my net
> - send QUIT commands in all premature return points.
check
> - provide a -F/--fqdn option to pass to helo/ehlo
check
> - if not specified, use a gethostbyname(hostname) method similar to what you
>   suggested for the helo/ehlo.
check

Cool. See some code comments below in the patch.
 
> i'm still not quite happy with that last one, as gethostbyname isn't
> defined by posix/sus/iso, but it's being used elsewhere in the
> code base already, so oh well.

As long as Debian supports it across all architectures... But yeah, something
for upstream to generalize if possible.

Anyway, it doesn't work yet over here completely. I get a segmentation fault
in the call to SSL_CTX_free(ctx).

Feel free to use mail.wolffelaar.nl as test SMTP server as much as you like,
by the way. It's default sarge exim4 with TLS enabled, otherwise nothing
really special that should be relevant for this check.

Backtrace:
#0  0x40072f77 in SSL_SESSION_hash () from /usr/lib/i686/cmov/libssl.so.0.9.8
#1  0x401272c7 in lh_delete () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#2  0x400773d8 in SSL_CTX_get_timeout () from /usr/lib/i686/cmov/libssl.so.0.9.8
#3  0x40126f34 in lh_doall_arg () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#4  0x4007750e in SSL_CTX_flush_sessions () from /usr/lib/i686/cmov/libssl.so.0.9.8
#5  0x400730cc in SSL_CTX_free () from /usr/lib/i686/cmov/libssl.so.0.9.8
#6  0x08049777 in my_close () at check_smtp.c:759
#7  0x08049813 in connect_STARTTLS () at check_smtp.c:655
#8  0x0804a7ae in main (argc=3, argv=0xbffffaf4) at check_smtp.c:236

I also see no code doing a QUIT over the TLS'd connection, or for that matter,
anything. I don't think that'd really be needed though, it's definitely not in
the scope of the original check_smtp... Though I guess it's actually going to
cause a log entry (exim tends to log "connection closed unexpectedly" if there
is no QUIT). Currently my logs for the SEGV'ing check_smtp say:

2005-10-10 02:11:13 TLS error on connection from 22pc220.sshunet.nl (bla.wolffelaar.nl) [145.97.220.22] (gnutls_handshake): Could not negotiate a supported cipher suite.

(...)

> +             localhostname = malloc (HOST_MAX_BYTES);
> +             gethostname(localhostname, HOST_MAX_BYTES);
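Review bot: neither the malloc() return value nor the gethostname() return value is checked in these two lines, so a failed allocation passes NULL into gethostname(), and a failed or truncated gethostname() hands an unset (and, since POSIX leaves NUL termination unspecified on truncation, possibly unterminated) localhostname on to the lookup below. Suggest testing both and forcing termination, e.g. `localhostname[HOST_MAX_BYTES - 1] = '\0';` after the call, and leaving with STATE_UNKNOWN when either fails instead of continuing with a bogus name.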

Hm, if gethostname fails, you end up with a bogus localhostname, but you don't
detect that and continue anyway. Fwiw, this was already present in the old
code too. Now fortunately nobody but root can set the hostname... Or it'd be a
security hole.

I also get:

check_smtp.c:134: warning: unused variable 'ehlo_resp'
check_smtp.c:131: warning: unused variable 'amt_read'

> +             hp = gethostbyname(localhostname);
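Review bot: gethostbyname() returns NULL when the lookup fails (with h_errno saying why), and nothing visible here checks hp before it is used; suggest `if (hp == NULL)` falling back to the bare localhostname for the HELO/EHLO rather than dereferencing it. Since the interface is also non-reentrant and obsolescent, getaddrinfo() with AI_CANONNAME would give the same canonical name without that baggage.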

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
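The EHLO capability check from item two of sean's list, as an added example written for this thread rather than code from the patch or from check_smtp.c: it parses a multi-line EHLO reply, stops on a 4xx/5xx reply instead of blindly going on to STARTTLS, and reports STATE_WARNING when the server does not advertise STARTTLS. The reply texts are constructed; mapping a refused EHLO to STATE_CRITICAL and an incomplete or malformed reply to STATE_UNKNOWN is my choice, the thread only says a refusal should end in a check failure.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Nagios plugin exit states. */
enum { STATE_OK = 0, STATE_WARNING = 1, STATE_CRITICAL = 2, STATE_UNKNOWN = 3 };

/* Constructed EHLO replies, as a server would send them after "EHLO host". */
const char EHLO_WITH_STARTTLS[] =
    "250-mail.example.org Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n";
const char EHLO_WITHOUT_STARTTLS[] =
    "250-mail.example.org Hello client [192.0.2.10]\r\n"
    "250 HELP\r\n";
const char EHLO_REJECTED[] =
    "501 Syntactically invalid EHLO argument(s)\r\n";
const char EHLO_TRUNCATED[] =               /* continuation line, no final line */
    "250-mail.example.org Hello client [192.0.2.10]\r\n";

/* Parse an SMTP reply ("250-text" continuation lines, "250 text" final line).
 * Returns the three-digit reply code, or -1 when the buffer is not one
 * complete, well-formed reply. *has_starttls is set when a line carries the
 * STARTTLS keyword (the text after the separator, up to the first space). */
int parse_ehlo_reply(const char *reply, int *has_starttls)
{
    int code = -1;
    const char *line = reply;

    *has_starttls = 0;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && line[len - 1] == '\r')
            len--;                              /* drop the CR of CRLF */
        if (len < 3 || !isdigit((unsigned char)line[0]) ||
            !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
            return -1;                          /* not an SMTP reply line */

        int this_code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
        if (code == -1)
            code = this_code;
        else if (this_code != code)
            return -1;                          /* code must not change mid-reply */

        char sep = (len > 3) ? line[3] : ' ';   /* a bare "250" counts as final */
        if (sep != ' ' && sep != '-')
            return -1;

        if (len > 4) {
            const char *text = line + 4;
            size_t tlen = len - 4;
            if (tlen >= 8 && strncasecmp(text, "STARTTLS", 8) == 0 &&
                (tlen == 8 || text[8] == ' '))
                *has_starttls = 1;
        }

        if (sep == ' ')
            return code;                        /* final line: reply complete */
        if (eol == NULL)
            return -1;                          /* continuation without terminator */
        line = eol + 1;
    }
    return -1;                                  /* input ended before the final line */
}

/* Decide the plugin state before any STARTTLS is attempted. */
int starttls_state(const char *reply)
{
    int has_starttls;
    int code = parse_ehlo_reply(reply, &has_starttls);

    if (code < 0)
        return STATE_UNKNOWN;                   /* garbage or truncated reply */
    if (code / 100 != 2)
        return STATE_CRITICAL;                  /* EHLO refused: do not go on */
    return has_starttls ? STATE_OK : STATE_WARNING;
}

int main(void)
{
    printf("with STARTTLS: %d\n", starttls_state(EHLO_WITH_STARTTLS));
    printf("no STARTTLS:   %d\n", starttls_state(EHLO_WITHOUT_STARTTLS));
    printf("EHLO rejected: %d\n", starttls_state(EHLO_REJECTED));
    printf("truncated:     %d\n", starttls_state(EHLO_TRUNCATED));
    return 0;
}
```

The reply code is taken from every line and must stay constant across the reply, so a server that changes its mind mid-reply is reported as UNKNOWN rather than silently accepted; the keyword match is case-insensitive and anchored at the start of the line text, so "STARTTLSX" or a hostname that merely contains the word does not count.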
