On Fri, Nov 20, 2015 at 04:53:18PM +0100, Daniel Pocock wrote:
> Package: nagios-check-xmppng
> Version: 0.1.2-1~bpo8+1
> Severity: important
>
> It doesn't seem to work if no CA root argument is specified. It should
> automatically use the correct location for a Debian system (based on
> SSLContext.set_default_verify_paths()):
>
> # /usr/lib/nagios/plugins/check_xmppng \
>   -H thp003 --servername pocock.pro
> XMPP CRITICAL - time is unknown (no CA certificates found) | time=unknown
>
> If I tell it to use a directory (capath) it fails too:
>
> # /usr/lib/nagios/plugins/check_xmppng \
>   -H thp003 --servername pocock.pro \
>   -r /etc/ssl/certs
> XMPP CRITICAL - time is unknown (no CA certificates found) | time=unknown
>
> If I give it a bundle filename it works:
>
> # /usr/lib/nagios/plugins/check_xmppng \
>   -H thp003 --servername pocock.pro \
>   -r /etc/ssl/certs/ca-certificates.crt
> XMPP OK - time is 0.4267s | daysvalid=152d time=0.426693s;;;0
This seems to be a more general issue with the Python 3 interpreter.
check_xmppng already uses ssl.SSLContext.load_default_certs() which calls
set_default_verify_paths() internally. Unfortunately
/etc/ssl/certs/ca-certificates.crt is not considered by
set_default_verify_paths by default.

I tried the following to check the behaviour:

1.) Find out where set_default_verify_paths is looking for certificates:

$ python3
>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')

2.) Try whether load_default_certs/set_default_verify_paths works:

$ python3
>>> import ssl
>>> context = ssl.create_default_context()
>>> context.load_default_certs()
>>> context.cert_store_stats()
{'x509_ca': 0, 'x509': 0, 'crl': 0}

This is obviously not loading any certificate and is the same sequence used
in check_xmppng.

3.) Try setting SSL_CERT_DIR (guessed from the result of
get_default_verify_paths()):

$ SSL_CERT_DIR=/etc/ssl/certs/ python3
>>> import ssl
>>> context = ssl.create_default_context()
>>> context.load_default_certs()
>>> context.cert_store_stats()
{'crl': 0, 'x509': 0, 'x509_ca': 0}

Still no certificates loaded. I expected that the certificates from
/etc/ssl/certs should be loaded; this is not the case though.

4.) Try setting SSL_CERT_FILE (again guessed from the result of
get_default_verify_paths()):

$ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt python3
>>> import ssl
>>> context = ssl.create_default_context()
>>> context.load_default_certs()
>>> context.cert_store_stats()
{'x509': 175, 'crl': 0, 'x509_ca': 175}

In this case the certificates are loaded.

Now back to check_xmppng:

$ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt /usr/lib/nagios/plugins/check_xmppng -H xmpp.gnuviech-server.de --servername dittberner.info --starttls
XMPP OK - request took 0.406091s, certificate valid for 34 days | daysvalid=34d time=0.406091s;;;0

Seems to work. From my point of view this is an issue with how the Python
interpreter handles the default paths and not an issue with check_xmppng
itself.

Daniel, what do you think?

Best regards
Jan

--
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
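The probing sequence Jan walks through above (build a context, call load_default_certs(), inspect cert_store_stats(), then fall back to an explicit bundle) can be wrapped into a reusable trust-store loader for a monitoring plugin. The following is an added example, written for this page and not code from check_xmppng or from either poster. One caveat it encodes: cert_store_stats() only counts certificates that were read eagerly from a cafile; a rehashed capath directory such as /etc/ssl/certs is consulted lazily by OpenSSL during verification and never shows up in the count, so a count of 0 after loading a directory does not by itself prove the directory is unusable. The example therefore checks directories for c_rehash-style file names instead. The candidate paths other than the Debian bundle, and the helper that builds temporary demo fixtures, are assumptions for illustration.

```python
import os
import re
import ssl
import tempfile
from typing import Optional, Sequence

# Trust-store candidates, probed in order. The Debian bundle is the one the
# report shows working; the remaining entries are common locations on other
# systems (assumed for illustration, not taken from the report).
CA_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu bundle
    "/etc/pki/tls/certs/ca-bundle.crt",    # Red Hat family (assumed)
    "/etc/ssl/cert.pem",                   # OpenBSD/Alpine style (assumed)
    "/etc/ssl/certs",                      # rehashed directory (capath)
)

# c_rehash / "openssl rehash" name entries "<8 hex digits>.<n>" (".r<n>" for CRLs).
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


def ca_count(context: ssl.SSLContext) -> int:
    """Number of CA certificates eagerly loaded into the context's X509 store."""
    return context.cert_store_stats()["x509_ca"]


def is_hashed_capath(path: str) -> bool:
    """True if `path` is a directory with at least one hash-named entry.

    capath certificates are looked up lazily by OpenSSL and are never counted
    by cert_store_stats(), so the naming convention is the only cheap offline
    sanity check available for a directory.
    """
    if not os.path.isdir(path):
        return False
    try:
        names = os.listdir(path)
    except OSError:
        return False
    return any(_HASHED_NAME.match(name) for name in names)


def load_trust_store(context: ssl.SSLContext,
                     candidates: Sequence[str] = CA_CANDIDATES) -> Optional[str]:
    """Load the first usable candidate into `context`.

    A file is accepted only if the CA count actually grows (an unreadable or
    non-PEM file raises or loads nothing). A directory is accepted if it looks
    like a rehashed capath. Returns the path that was used, or None.
    """
    for path in candidates:
        before = ca_count(context)
        try:
            if os.path.isfile(path):
                context.load_verify_locations(cafile=path)
                if ca_count(context) > before:
                    return path
            elif is_hashed_capath(path):
                context.load_verify_locations(capath=path)
                return path
        except (OSError, ssl.SSLError):
            # unreadable file, or a file with no PEM certificate in it
            continue
    return None


def new_client_context() -> ssl.SSLContext:
    """Verifying client context whose store starts empty.

    Unlike ssl.create_default_context(), the SSLContext constructor does not
    call load_default_certs(), so the caller decides what gets trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_demo_tree() -> dict:
    """Constructed fixtures (hypothetical, for demonstration only): an empty
    directory, a directory with a hash-named placeholder entry, and a file
    that is not a certificate. No real CA material is created."""
    root = tempfile.mkdtemp(prefix="trust-demo-")
    empty_dir = os.path.join(root, "empty")
    hashed_dir = os.path.join(root, "hashed")
    os.mkdir(empty_dir)
    os.mkdir(hashed_dir)
    with open(os.path.join(hashed_dir, "deadbeef.0"), "w") as fh:
        fh.write("placeholder, not a certificate\n")
    bogus_file = os.path.join(root, "bogus.crt")
    with open(bogus_file, "w") as fh:
        fh.write("this is not PEM data\n")
    return {"empty_dir": empty_dir, "hashed_dir": hashed_dir, "bogus_file": bogus_file}


if __name__ == "__main__":
    print("interpreter defaults:", ssl.get_default_verify_paths())
    ctx = new_client_context()
    ctx.load_default_certs()
    print("CAs after load_default_certs():", ca_count(ctx))
    if ca_count(ctx) == 0:
        used = load_trust_store(ctx)
        print("fallback trust store:", used, "CAs now:", ca_count(ctx))
```

Run as a script it prints the same information Jan collected by hand (get_default_verify_paths() and the CA count after load_default_certs()), and only falls back to the explicit candidates when the interpreter defaults produced nothing.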