net-snmp uses the same pre processor name "USE_OPENSSL" as we do.
To avoid the conflict, this commit renames it on our side to
"MOPL_USE_OPENSSL".
"MOPL" (better "MoPl"?) stands for Monitoring Plugins.
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
This library is glibc-only and not necessary at this point. The
getopt_long function is provided by "getopt.h", included via "common.h".
Similar to #2159.
This is a breaking change.
Testing whether a TLS certificate is still valid (expiration wise)
is now the default in check_smtp.
The reasoning is, that in most scenarios an expired certificate
will effectively mean that the service is not working anymore due to
the refusal of other software to talk to it.
There is a new cli parameter though to explicitly ignore that.
Otherwise -s/--ssl would overwrite a port given with -p if it comes
after it, e. g.
check_smtp -H mailhost.example.com -p 4465 --ssl
Found-By: Lorenz Kästle
This enables checks of SMTP servers that expect the haproxy
PROXY protocol: -o smtpd_upstream_proxy_protocol=haproxy.
Backported from nagios-plugins:
3246efe923
When SSL is enabled, n is assigned the size of the server's second EHLO
response (I think in bytes), which will usually be significantly higher
than the command passed. As such, no commands are executed and no responses
are checked, which - silently - defeats the desired checks and results in a
success value.
changes:
- CRYPTO_lock detection replaced in configure.ac. We don't use that
function anywhere, so just replace it with the suggested one from
https://wiki.openssl.org/index.php/Library_Initialization#Autoconf
- OPENSSL_NO_SSL2 is no longer defined while ssl2 is not included.
Set it ourself using the suggested openssl 1.1 version check from
https://wiki.openssl.org/index.php/1.1_API_Changes#Backward_compatibility
- openssl 1.1 sends a sigpipe if the connection is still open when
calling SSL_shutdown(), so move the close before the shutdown.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
expect option (-e) supported only first response, so checking for
any other response like 250-xxx would never match. This fix stores
return of relevant buffer
closes#1381
- currently STARTTLS check does not work with -e if there's text
like '220 hostname ESMTP*'. This is caused by SMTP answer from
host. Postfix answer: 220 2.0.0 Ready to start TLS, Exchange
2010: 220 2.0.0 SMTP server ready. This fix checks against 220
closes#1093
