check_httpd v2.1.2 -S confusion

[jlwilkinson]

I've been running v3.x for some time now, upgrading to v4.2.0 last week along w/ the commensurate plugins. I have multiple cases where I've used the -S parameter on check_http plugins, and I'm seeing a different response to what I'm expecting:

check_http v2.0.3:
check_http!-S outputs "HTTP OK: HTTP/1.1 302 Found - 529 bytes in 0.096 second response time"
check_http!-S -C outputs "OK - Certificate 'xxxxxxxx' will expire on Mon Nov 20 23:59:00 2017. "

check_http v2.1.2:
check_http!-S outputs "SSL Version: TLSv1.2 "
check_http!-S -C outputs "SSL Version: TLSv1.2 "

Is there some different variation of parameters I need to use now?

[mcapra]

The parameters should still, on a basic level, function the same way. The outputs for the checking over SSL have changed to include the protocol used in the first line of the output.

If you look at the specific service check, the full output can be viewed:

[jlwilkinson]

Ack. And there's no way to prevent that excess? Makes the one-liner in the web display totally useless.

[mcapra]

I agree, important bits like expiration should come first.

Easy way to fix this, if you don't care about the SSL Version used in your output and want to remove it entirely, is to modify the plugins/sslutils.c file like so (on line ~160):

Code: Select all

//printf("SSL Version: %s\n", SSL_get_version(s));

Commenting that line should remove the SSL Version output completely. Afterwards, recompile and install the nagios-plugins package:

Code: Select all

./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install 

Or if you're not too keen on modifying C code, best way to get long-term changes applied is via the gitub page for nagios-plugins:
https://github.com/nagios-plugins/nagios-plugins

[jlwilkinson]

Hmm... I actually have check_http v2.1.2, which is the same version as running under Nagios Core v4.2.0, running on my v3.5.1 production system. The service owner required special features not in the standard check_http. But its use doesn't include the -S argument.

There has to be some way to suppress that "SSL Version: TLSv1.2 " if it's not relevant to your check (I don't care what version of TLS is being used; I care that it BE used in the check is all).

It seems to me such a significant difference in the display output is rather critical.

[jlwilkinson]

Well, I'm not too keen on changing code that'll then be replaced and need to be retrofitted again with a later release.
Also not keen on changing code on the git repository.

Is there a way to incorporate this thread into whatever discussion might be going on against the core plugins, so that somebody who IS keen on git and C code changes can incorporate changes? Because by now, just as surely as this breaks MY installation, changing it back will break somebody else's -- meaning it needs to be parameterized in some manner.

Hmmm.... emailed a suggestion to <[email protected]>

[mcapra]

Also not keen on changing code on the git repository.

I should have clarified, my intention was to say that raising an issue on the github page is the best way to get this sort of thing resolved if you're not comfortable modifying the source yourself.

I went ahead and raised an issue on github about this:
https://github.com/nagios-plugins/nagio ... issues/166

[jlwilkinson]

Thanks for the github posting. To further clarify, the current output of the SSL protocol as the first line seems worthess for the simple -S output, too. Maybe if it were a --SSL_version parameter, maybe, but otherwise I'd think the more useful output would be the typical output showing the HTTP status, which presumably was over SSL of some sort since -S was specified and thus https rather than http was attempted as the protocol for communication.

[mcapra]

I referenced this thread in the github issue, so all of that should makes it way to the developer

Is it alright if I lock this thread since an issue was raised on github?