[Pkg-nagios-devel] Bug#644627: nagios-plugins-basic: check_http --ssl doesn't verify the validity of a certificate
Michael Renner
robe at amd.co.at
Fri Oct 7 14:44:21 UTC 2011
Package: nagios-plugins-basic
Version: 1.4.15-3squeeze1
Severity: normal
Tags: upstream
Nagios' check_http plugin does no verification whatsoever on the SSL
certificate presented by the server next to checking the expiry time.
This is highly counter-intuitive and makes the plugin pretty much unusable for
serious environments where HTTPS is used.
You can test this yourself with https://workbench2.amd.co.at/ which
will present an SSL certificate with a wrong hostname.
Demonstration:
workbench:~# /usr/lib/nagios/plugins/check_http --ssl -H workbench2.amd.co.at
HTTP OK: HTTP/1.1 200 OK - 527 bytes in 0.028 second response time |time=0.028253s;;;0.000000 size=527B;;;0
workbench:~# echo $?
0
workbench:~# curl --silent --show-error https://workbench2.amd.co.at
curl: (51) SSL peer certificate or SSH remote key was not OK
workbench:~# echo $?
51
workbench:~#
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nagios-plugins-basic depends on:
ii iputils-ping 3:20100418-3 Tools to test the reachability of
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-4squeeze2 SSL shared libraries
ii procps 1:3.2.8-9 /proc file system utilities
ii ucf 3.0025+nmu1 Update Configuration File: preserv
nagios-plugins-basic recommends no packages.
Versions of packages nagios-plugins-basic suggests:
pn nagios3 <none> (no description available)
-- no debconf information
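
Added example, not part of the original report or of nagios-plugins: a minimal Python check that fails where the demonstration above shows check_http passing, by mapping certificate verification failures (untrusted chain, expiry, hostname mismatch) to the Nagios CRITICAL exit code. The function names are hypothetical and the HTTP status handling is simplified to OK below 400, CRITICAL otherwise.

```python
import socket
import ssl
import sys

OK, CRITICAL = 0, 2  # Nagios plugin exit codes


def build_context(cafile=None):
    """TLS context that validates both the chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both are already the defaults of create_default_context(); they are set
    # explicitly so a later edit cannot silently drop them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_https(host, port=443, timeout=10.0, cafile=None):
    """Return (exit_code, message) in Nagios plugin style."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sets SNI and the name the certificate must match.
            with build_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request.encode("ascii"))
                status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate or hostname mismatch.
        return CRITICAL, f"HTTP CRITICAL: certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure, refused connection or timeout.
        return CRITICAL, f"HTTP CRITICAL: {exc}"
    parts = status.split()
    if len(parts) >= 2 and parts[1].isdigit() and int(parts[1]) < 400:
        return OK, f"HTTP OK: {status}"
    return CRITICAL, f"HTTP CRITICAL: {status or 'no response'}"


if __name__ == "__main__":
    code, message = check_https(sys.argv[1])
    print(message)
    sys.exit(code)
```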