
Possibility to add ldap for starttls ? #31

Open
jothoma1 opened this issue Jul 25, 2017 · 9 comments · May be fixed by #72

Comments

@jothoma1

Hi,
I'm using check-ssl-host.rb with the --starttls option. This option only works for imap and smtp. Is there a possibility to add ldap?
Thanks in advance

@majormoses
Member

I believe it is possible, though I am not sure if it is without including https://github.com/ruby-ldap/ruby-net-ldap, which I think should go under another, LDAP-specific plugin.

@majormoses
Member

If you can give me the output of this in something like an irb session, I might be able to help more: https://github.com/sensu-plugins/sensu-plugins-ssl/blob/1.4.0/bin/check-ssl-host.rb#L146. It might end up being quite simple.

@jothoma1
Author

Hi, thanks for your help.
Sorry, I'm not good with Ruby... can you explain to me how to do the irb session?

@majormoses
Member

majormoses commented Jul 26, 2017

Assuming you have Ruby set up, you just type `irb`; this drops you into an interactive Ruby shell. From here you can start copying and pasting code from the plugin and it should spit back results. Basically I just need to see what the socket returns when you try hitting it, so we can see if there is something we can use to determine whether we are OK or whether there is an issue.

@majormoses
Member

Feel free to join us in the community Slack:

@jhoblitt

The manpage for s_client from openssl-1.1.0g-1.fc27.x86_64, which is what Fedora 27 is shipping with, lists:

   -starttls protocol
       send the protocol-specific message(s) to switch to TLS for
       communication.  protocol is a keyword for the intended protocol.
       Currently, the only supported keywords are "smtp", "pop3", "imap",
       "ftp", "xmpp", "xmpp-server", and "irc."

So starttls for ldap isn't going to work with 1.1.0g.

It looks like ldap support has been merged into openssl, and includes a manpage update:

openssl/openssl#2293

I don't know if that is part of 1.1.1 or not.
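To make concrete what `--starttls ldap` has to do on the wire, and what "the socket returns" in the irb session majormoses asked for above, here is a small Ruby sketch of the plain-text half of an LDAP StartTLS negotiation (RFC 4511 section 4.14): the ExtendedRequest with OID 1.3.6.1.4.1.1466.20037, the server's ExtendedResponse, and the resultCode mapping a check would use before starting the TLS handshake. This is an added example written for this thread, not code from sensu-plugins-ssl or from OpenSSL's s_client; the server replies are constructed samples, and `sample_extended_response`, `read_ldap_message` and the status symbols are this example's own names.

```ruby
require 'stringio'

# Added example, not code from sensu-plugins-ssl: the plain-text half of an
# LDAP StartTLS negotiation (RFC 4511 section 4.14). It encodes the StartTLS
# ExtendedRequest, decodes the server's ExtendedResponse and maps the
# resultCode to what a check would report before any TLS handshake.
STARTTLS_OID = '1.3.6.1.4.1.1466.20037'.freeze

# BER definite-form length (short form below 128, long form above).
def ber_len(n)
  return [n].pack('C') if n < 0x80
  bytes = []
  while n > 0
    bytes.unshift(n & 0xff)
    n >>= 8
  end
  [0x80 | bytes.size].pack('C') + bytes.pack('C*')
end

# One BER tag-length-value triplet as a binary string.
def tlv(tag, body)
  [tag].pack('C') + ber_len(body.bytesize) + body.b
end

# Decode a big-endian BER INTEGER/ENUMERATED body (non-negative values only).
def ber_int(body)
  body.unpack('C*').inject(0) { |acc, b| (acc << 8) | b }
end

# LDAPMessage { messageID INTEGER, extendedReq [APPLICATION 23] { requestName [0] LDAPOID } }
# Tags: 0x30 SEQUENCE, 0x02 INTEGER, 0x77 = APPLICATION|constructed|23, 0x80 = [0] primitive.
def start_tls_request(message_id)
  raise ArgumentError, 'messageID must be 1..127 in this example' unless (1..127).cover?(message_id)
  ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))
  tlv(0x30, tlv(0x02, [message_id].pack('C')) + ext_req)
end

# Read one TLV starting at offset; returns [tag, value, next_offset].
def read_tlv(buf, off)
  tag = buf.getbyte(off)
  len = buf.getbyte(off + 1)
  off += 2
  if len & 0x80 != 0
    n = len & 0x7f
    len = ber_int(buf.byteslice(off, n))
    off += n
  end
  [tag, buf.byteslice(off, len), off + len]
end

# Split a constructed body into its [tag, value] children.
def read_children(body)
  children = []
  off = 0
  while off < body.bytesize
    tag, val, off = read_tlv(body, off)
    children << [tag, val]
  end
  children
end

# Read exactly one LDAPMessage from an IO (TCPSocket, StringIO) using the outer length,
# so a check never blocks waiting for bytes the server will not send.
def read_ldap_message(io)
  head = io.read(2)
  raise 'connection closed before an LDAPMessage arrived' if head.nil? || head.bytesize < 2
  len = head.getbyte(1)
  if len & 0x80 != 0
    ext = io.read(len & 0x7f)
    head += ext
    len = ber_int(ext)
  end
  head + io.read(len)
end

# ExtendedResponse [APPLICATION 24] (0x78): resultCode ENUMERATED (0x0a), matchedDN,
# diagnosticMessage, then optional responseName [10] (0x8a).
def parse_extended_response(buf)
  tag, msg, _rest = read_tlv(buf, 0)
  raise format('expected LDAPMessage SEQUENCE, got tag 0x%02x', tag) unless tag == 0x30
  (id_tag, id_val), (op_tag, op_val) = read_children(msg)
  raise 'messageID is not an INTEGER' unless id_tag == 0x02
  raise format('expected ExtendedResponse, got protocolOp tag 0x%02x', op_tag) unless op_tag == 0x78
  fields = read_children(op_val)
  response = {
    message_id: ber_int(id_val),
    result_code: ber_int(fields[0][1]),
    matched_dn: fields[1][1],
    diagnostic: fields[2][1]
  }
  fields.drop(3).each { |t, v| response[:response_name] = v if t == 0x8a }
  response
end

# Result codes RFC 4511 section 4.14.2 lists for a StartTLS request.
def start_tls_status(response)
  case response[:result_code]
  when 0 then :ready_for_tls              # success: begin the TLS handshake on this socket
  when 1 then :already_tls                # operationsError: TLS already established
  when 2 then :not_supported              # protocolError: server does not support StartTLS
  when 52 then :temporarily_unavailable   # unavailable
  else :failed
  end
end

# Constructed sample server replies (not captured from a real directory server).
def sample_extended_response(message_id, result_code, diagnostic)
  fields = tlv(0x0a, [result_code].pack('C')) + tlv(0x04, '') + tlv(0x04, diagnostic) + tlv(0x8a, STARTTLS_OID)
  tlv(0x30, tlv(0x02, [message_id].pack('C')) + tlv(0x78, fields))
end

if $PROGRAM_NAME == __FILE__
  puts start_tls_request(1).unpack1('H*')
  reply = read_ldap_message(StringIO.new(sample_extended_response(1, 0, '')))
  p start_tls_status(parse_extended_response(reply))
end
```

Against a live server the flow is: open a TCPSocket to port 389, write `start_tls_request(1)`, pass the socket to `read_ldap_message`, and only on `:ready_for_tls` wrap the same socket in `OpenSSL::SSL::SSLSocket` to inspect the certificate; a `:not_supported` reply is the signal that the directory simply does not offer StartTLS, which is distinct from a TLS failure.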

@jhoblitt

It is part of the 1.1.1 pre-releases: openssl/openssl@398b0bb#diff-7f3b79983f6d53c047c90a62813cc11f

@majormoses
Member

OK, when there is a stable release we can consider bringing it in, but as @jothoma1 we may need to wait until distributions catch up with it.

@jhoblitt

Considering that EL7/etc. are still largely using 1.0.2, it will likely be a while. On the other hand, I think 1.1.1 is supposed to include TLS 1.3, which is probably a strong selling point.

@elfranne elfranne linked a pull request Jul 6, 2020 that will close this issue