Closed Auz closed 7 years ago
OK, I definitely need to take some time to check that and think about it (like maybe allow to overwrite the list of protocols). Thanks for this nice PR. Hope it won't be long before review.
I reworked the SSL part, taking parts of what you made on this branch. But also rewriting the thing a lot.
So instead of adding a -t TLS option, the --ssl option can take parameters (default is now 'TLSV1' if you just use --ssl). You can use --ssl TLSV1_1 or --ssl 'SSLv23:!SSLv2:!SSLv3'.
I think this new code should fix your problem, do not hesitate to test it (it's now on the master branch).
I will close this PR, but I've added your name on the CHANGELOG because I have reused the IO::Socket::SSL::set_default_context() tricks.
I was getting certificate errors with the nagios check, and realized it was because my site restricts the SSL protocols to a secure subset. I adjusted the code to be able to connect to SSL sites with more modern SSL protocols. I also added a flag to be able to force it to use TLS, in case of sites where that is required. I'm not able to test beyond the few machines I have access to, and my Perl skills are not up to figuring out which SSL versions the client machine supports at run time, so I added them as variables at the top of the file.
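An added example, not part of this PR or of the plugin's code: it feeds the `--ssl` values quoted in the thread to IO::Socket::SSL as `SSL_version`, shows which ones the library accepts, and, when a host is given, installs the resulting context with `IO::Socket::SSL::set_default_context()` and reports the protocol that was actually negotiated. The `--host` option, the `context_for` helper and the invalid sample `TLSv9` are assumptions made for the illustration.

```perl
#!/usr/bin/env perl
# Added example (not the plugin's code): build a process-wide default TLS
# context from an SSL_version spec such as the --ssl values in this thread.
use strict;
use warnings;
use Getopt::Long;
use IO::Socket::SSL;

# Hypothetical option names. --ssl takes an optional value; a bare --ssl
# falls back to the default named in the thread.
my ($spec, $host);
GetOptions('ssl:s' => \$spec, 'host=s' => \$host) or die "bad options\n";
$spec = 'TLSV1' if defined $spec && $spec eq '';

# Returns (context, undef) on success or (undef, reason) on failure.
# Building the context up front means a mistyped spec fails here, before
# any connection is attempted.
sub context_for {
    my ($version) = @_;
    my $ctx = eval {
        IO::Socket::SSL::SSL_Context->new(
            SSL_version     => $version,
            SSL_verify_mode => SSL_VERIFY_PEER,
        );
    };
    my $err = $ctx ? undef : ($@ || $SSL_ERROR || 'unknown error');
    return ($ctx, $err);
}

# Constructed samples: the three specs from the thread plus one invalid value.
for my $sample ('TLSV1', 'TLSV1_1', 'SSLv23:!SSLv2:!SSLv3', 'TLSv9') {
    my ($ctx) = context_for($sample);
    printf "%-24s %s\n", $sample, $ctx ? 'accepted' : 'rejected';
}

# With both --ssl and --host, make the context the default for every
# IO::Socket::SSL connection in this process and report what was negotiated.
if (defined $spec && defined $host) {
    my ($ctx, $err) = context_for($spec);
    die "invalid --ssl value '$spec': $err\n" unless $ctx;
    IO::Socket::SSL::set_default_context($ctx);
    my $sock = IO::Socket::SSL->new(
        PeerHost => $host, PeerPort => 443,
        SSL_hostname => $host, SSL_verifycn_name => $host,
    ) or die "connect to $host failed: " . ($SSL_ERROR || $!) . "\n";
    printf "%s negotiated %s with cipher %s\n",
        $host, $sock->get_sslversion, $sock->get_cipher;
}
```

Run without arguments it only exercises the spec check and needs no network; the negotiated version printed for a real host is the value to compare against the protocol policy the server is supposed to enforce.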