check_http, SSL, and DoD

John Oliver joliver at john-oliver.net
Tue Dec 8 23:04:44 CET 2009


Does anyone have a hack to let check_http -S work on DoD hosts?

[joliver@services4 ~]$ openssl s_client -connect infosec.navy.mil:443
CONNECTED(00000003)
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=infosec.navy.mil
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=infosec.navy.mil
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=infosec.navy.mil
verify error:num=21:unable to verify the first certificate
verify return:1
12244:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
12244:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

It would need to trust DoD root and intermediate certs, and probably
to present a client certificate as well.

I suppose getting it to accept the "handshake failure" as success would
be a stopgap.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
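
An added example, not part of the original message and not Nagios plugin code: a Nagios-style wrapper that runs openssl s_client with a CA bundle and a client certificate, then reports the trust-store verify errors and the handshake_failure alert from the output above as separate causes instead of accepting the failure. The function names and the file arguments (CA bundle, client certificate, key) are assumptions.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes
TRUST_ERRORS = {20, 21, 27}      # verify codes seen in the post: chain not anchored locally

# Constructed sample: s_client output from the post, wrapped lines rejoined.
SAMPLE = """CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
12244:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
"""

def classify(output):
    """Return (nagios_state, message) for openssl s_client output."""
    if "CONNECTED(" not in output:
        return CRITICAL, "CRITICAL - TCP connection not established"
    verify = {int(n) for n in re.findall(r"verify error:num=(\d+):", output)}
    alerts = {int(n) for n in re.findall(r"SSL alert number (\d+)", output)}
    problems = []
    if verify & TRUST_ERRORS:
        problems.append("chain not trusted (verify %s), check -CAfile bundle"
                        % sorted(verify & TRUST_ERRORS))
    if verify - TRUST_ERRORS:
        problems.append("certificate invalid (verify %s)" % sorted(verify - TRUST_ERRORS))
    if 40 in alerts:
        problems.append("server sent handshake_failure (alert 40), "
                        "check whether a client certificate is required")
    if problems:
        return CRITICAL, "CRITICAL - " + "; ".join(problems)
    if "Verify return code: 0 (ok)" in output:
        return OK, "OK - handshake completed and chain verified"
    return UNKNOWN, "UNKNOWN - no verification result in output"

def run_check(host, port, cafile, cert, key):
    """Run s_client with a CA bundle and client certificate, then classify."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-CAfile", cafile, "-cert", cert, "-key", key]
    proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=30)
    return classify(proc.stdout + proc.stderr)

if __name__ == "__main__":
    # Hypothetical usage: check.py HOST PORT ca-bundle.pem client.pem client.key
    host, port, cafile, cert, key = sys.argv[1:6]
    state, message = run_check(host, int(port), cafile, cert, key)
    print(message)
    sys.exit(state)
```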

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users