Build with OpenSSL without SSLv3 support

chrullrich
Posts: 1
Joined: Sat Jan 16, 2016 8:52 am

Build with OpenSSL without SSLv3 support

Post by chrullrich »

Hello,

It is currently impossible to build nagios-plugins against an OpenSSL installation without SSLv3 support because plugins/sslutils.c uses SSLv3 functions without checking whether they even exist. Such a check is present for the SSLv2 support, but as SSLv3 is also ancient and has known weaknesses, it is getting more likely to encounter OpenSSL installations that have SSLv3 support disabled.

The FreeBSD port of nagios-plugins is currently using the following patch to allow the build to succeed; I think it can be used verbatim here, too:

--- plugins/sslutils.c.orig	2016-01-14 20:02:06.419867000 +0100
+++ plugins/sslutils.c	2016-01-14 20:01:36.091492000 +0100
@@ -70,8 +70,13 @@
 #endif
 		break;
 	case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+		printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+		return STATE_CRITICAL;
+#else
 		method = SSLv3_client_method();
 		ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1;
+#endif
 		break;
 	default: /* Unsupported */
 		printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
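
Review bot: The printf call added under #if defined(OPENSSL_NO_SSL3) has a doubled set of parentheses, printf(("%s\n", _("...")));, so its single argument is a comma expression: the "%s\n" is discarded, the translated message itself is passed as the format string, and no trailing newline is printed. Drop the inner parentheses so the call has the same form as the one in the default: case, printf("%s\n", _("..."));.
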
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Build with OpenSSL without SSLv3 support

Post by tmcdonald »

Thanks for the patch! Mind if I move this to the GitHub? https://github.com/nagios-plugins/nagios-plugins/

It will get more traction there. Otherwise, if you have an account already, a pull request will improve the response time.
Former Nagios employee