Hi waja,

You know, i'm not really against this patch, but one weird thing I noticed is that for straight up SSL services, check_http certificate check works! Makes me think the check should actually be implemented in check_tcp for all SSL protocols.

Then once we get there, what prevent us form adding just the required logic in check_tcp to implement the STARTTLS certificate checks for every other STARTTLS-cabaple protocol?

So I don't really mind this merge gets in, but I think the check_tcp suggestion is still worth it and would make this patch obsolete. It's just a mater of which one can get in first I guess...

On 29.01.2014 04:58, Thomas Guyot-Sionnest wrote:

one weird thing I noticed is that for straight up SSL services,
check_http certificate check works!

That's because - as far as I can tell without examining the code -
having check_http do a cert check terminates/ignores/whatever all
communication following the server cert presentation, and thus the HTTP
part of HTTPS. In other words, it does behave like a check_tcp plus
cert check; if I remember correctly, it will even happily ignore all
additional limits etc. specified for time, size, string match, etc. from
the command line. Note that that might very well not be what we want
check__http_ to do in the long run.

Then once we get there, what prevent us form adding just the required
logic in check_tcp to implement the STARTTLS certificate checks for
every other STARTTLS-cabaple protocol?

The fact that STARTTLS, more precisely the proper point at which to
issue that command, is embedded into said STARTTLS-enabled protocol.
Hence OpenSSL's requirement of specifying said protocol (out of two
currently supported) when you do an "openssl s_client -connect
foo.bar.org:baz -starttls $HERES_DA_MAGIC_KEYWORD".

Kind regards,

J. Bern

NEU - NEC IT-Infrastruktur-Produkte im http://www.linworks-shop.de/:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH http://www.LINworks.de/
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel

@weiss assigned that to you as you assigned the origin bug to yourself. Maybe you want to have a look again when you have a timeslot.