[Bug 1677951] Re: incomplete SSL certificate verify
Have a look into [check_ssl_cert](https://github.com/matteocorti/check_ssl_cert) for certificate verification. It's also part of the [nagios-plugins-contrib](http://packages.ubuntu.com/search?keywords=nagios-plugins-contrib) package.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677951

Title:
  incomplete SSL certificate verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1677951] Re: incomplete SSL certificate verify
Hi Developers:

In @plugins/sslutils.c:164~248, I see you get the certificate and verify some properties of it. So the plugin is planning to do so? Why not use the judgement: SSL_get_verify_result(ssl)==X509_V_OK to guarantee valid cert verification?

2017-04-06 17:16 GMT+08:00 Jan Wagner <1677...@bugs.launchpad.net>:
> check_http (and every other plugin) does NOT verify certificates and was
> never planned to do so.
>
> ** Changed in: monitoring-plugins (Ubuntu)
>    Status: Confirmed => Invalid
>
> Title:
>   incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
>   Invalid
>
> Bug description:
>   Hi developers:
>   We made a large scale security static analysis on several open
>   source projects, and found some mistakes in monitoring-plugins-2.1.2. In
>   the @plugins/sslutils.c:164:
>   int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
>   # ifdef USE_OPENSSL
>   [...]
>   certificate=SSL_get_peer_certificate(s);
>
>   if (!certificate) {
>       printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
>       return STATE_CRITICAL;
>   }
>
>   /* Extract CN from certificate subject */
>   subj=X509_get_subject_name(certificate);
>   [...]
>   }
>
>   We find that you use SSL_get_peer_certificate() to get the cert
>   and verify some properties of it. But it is still not secure enough and
>   can lead to MITM attack. To guarantee the security, we recommend you
>   add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
>   sure validation succeeds.
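The gap discussed in this message, shown with the openssl command line as an added example (not code from monitoring-plugins or from anyone in this thread): a constructed self-signed certificate passes an expiry-only check yet fails chain validation. The helper names, the CN `monitor.example.test` and the 14/7-day thresholds are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: every certificate here is constructed on the spot.
WORK=$(mktemp -d)

# Create a throwaway self-signed certificate valid for 30 days.
make_selfsigned() {  # $1 = file basename, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Property check only, in the spirit of the days_till_exp_warn /
# days_till_exp_crit parameters: it never asks who signed the certificate.
expiry_state() {  # $1 = cert, $2 = warn days, $3 = crit days
    if ! openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null; then
        echo CRITICAL
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo WARNING
    else
        echo OK
    fi
}

# Chain validation: the command-line counterpart of testing
# SSL_get_verify_result(ssl) == X509_V_OK after the handshake.
chain_state() {  # $1 = cert, $2 = PEM file with trust anchors
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

make_selfsigned server monitor.example.test   # what the endpoint presents
make_selfsigned anchor "Constructed Root"     # unrelated trust anchor

echo "expiry check: $(expiry_state "$WORK/server.pem" 14 7)"
echo "chain check:  $(chain_state "$WORK/server.pem" "$WORK/anchor.pem")"
```

A monitoring check that reports only the first line stays green for any certificate with a far-enough expiry date, whoever issued it.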
[Bug 1677951] Re: incomplete SSL certificate verify
check_http (and every other plugin) does NOT verify certificates and was never planned to do so.

** Changed in: monitoring-plugins (Ubuntu)
   Status: Confirmed => Invalid
[Bug 1677951] Re: incomplete SSL certificate verify
@shoppingruan, looks like they asked you to file that against another project, can you do that and again report the bug issue link?
[Bug 1677951] Re: incomplete SSL certificate verify
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: monitoring-plugins (Ubuntu)
   Status: New => Confirmed
[Bug 1677951] Re: incomplete SSL certificate verify
OK. Here is the link:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1479
Thanks.

2017-03-31 22:01 GMT+08:00 Daniel Llewellyn :
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better. The issue you are reporting is an upstream one and it
> would be nice if somebody having it could send the bug to the developers
> of the software by following the instructions at
> https://github.com/monitoring-plugins/monitoring-plugins/issues. If you have done so,
> please tell us the number of the upstream bug (or the link), so we can
> add a bugwatch that will inform us about its status. Thanks in advance.
>
> Title:
>   incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
>   New

** Bug watch added: github.com/monitoring-plugins/monitoring-plugins/issues #1479
   https://github.com/monitoring-plugins/monitoring-plugins/issues/1479
[Bug 1677951] Re: incomplete SSL certificate verify
Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://github.com/monitoring-plugins/monitoring-plugins/issues. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.
[Bug 1677951] Re: incomplete SSL certificate verify
** Information type changed from Private Security to Public