mirror of
https://github.com/drewkerrigan/nagios-http-json.git
synced 2024-12-22 17:13:55 +01:00
refine ssl insecure and client certificate options
* default TLS Protocols are now set to >= TLS1 * --cacert and --cert are no longer mandatory if option -s is used * proper error messages if parsing of cert or key files fails
This commit is contained in:
parent
df2bbdbf51
commit
8437c464e5
@ -390,12 +390,8 @@ def parseArgs():
|
||||
parser.add_argument('-k', '--insecure', action='store_true',
|
||||
help='do not check server SSL certificate')
|
||||
parser.add_argument('--cacert',
|
||||
required=('-s' in sys.argv or '--ssl' in sys.argv)
|
||||
and not ('-k' in sys.argv or '--insecure' in sys.argv),
|
||||
dest='cacert', help='SSL CA certificate')
|
||||
parser.add_argument('--cert',
|
||||
required=('-s' in sys.argv or '--ssl' in sys.argv)
|
||||
and not ('-k' in sys.argv or '--insecure' in sys.argv),
|
||||
dest='cert', help='SSL client certificate')
|
||||
parser.add_argument('--key', dest='key',
|
||||
help='SSL client key ( if not bundled into the cert )')
|
||||
@ -680,13 +676,40 @@ if __name__ == "__main__":
|
||||
nagios = NagiosHelper()
|
||||
if args.ssl:
|
||||
url = "https://%s" % args.host
|
||||
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
||||
context.options |= ssl.OP_NO_SSLv2
|
||||
context.options |= ssl.OP_NO_SSLv3
|
||||
|
||||
if args.insecure:
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
else:
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
||||
context.verify_mode = ssl.CERT_OPTIONAL
|
||||
context.load_verify_locations(args.cacert)
|
||||
context.load_cert_chain(args.cert,keyfile=args.key)
|
||||
if args.cacert:
|
||||
try:
|
||||
context.load_verify_locations(args.cacert)
|
||||
except ssl.SSLError:
|
||||
nagios.append_unknown(
|
||||
''' Error loading SSL CA cert "%s"!'''
|
||||
% args.cacert)
|
||||
|
||||
if args.cert:
|
||||
try:
|
||||
context.load_cert_chain(args.cert,keyfile=args.key)
|
||||
except ssl.SSLError:
|
||||
if args.key:
|
||||
nagios.append_unknown(
|
||||
''' Error loading SSL cert. Make sure key "%s" belongs to cert "%s"!'''
|
||||
% (args.key, args.cert))
|
||||
else:
|
||||
nagios.append_unknown(
|
||||
''' Error loading SSL cert. Make sure "%s" contains the key as well!'''
|
||||
% (args.cert))
|
||||
|
||||
if nagios.getCode() != OK_CODE:
|
||||
print(nagios.getMessage())
|
||||
exit(nagios.getCode())
|
||||
|
||||
else:
|
||||
url = "http://%s" % args.host
|
||||
if args.port:
|
||||
|
Loading…
Reference in New Issue
Block a user