ITL: Add additional http check command parameters for SSL version enforcement

refs #10358
2025-07-23 13:45:04 +02:00 · 2016-03-15 15:26:22 +01:00 · 2016-03-15 15:26:22 +01:00 · d8b70f8ae1
commit d8b70f8ae1
parent 67b7df3189
2 changed files with 66 additions and 38 deletions
--- a/doc/7-icinga-template-library.md
+++ b/doc/7-icinga-template-library.md
@ -440,15 +440,22 @@ Check command object for the `check_http` plugin.
 Custom attributes passed as [command parameters](3-monitoring-basics.md#command-passing-parameters):

 Name                             | Description
-------------------------|--------------
+---------------------------------|---------------------------------
 http_address                     | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
 http_vhost                       | **Optional.** The virtual host that should be sent in the "Host" header.
 http_uri                         | **Optional.** The request URI for GET or POST. Defaults to `/`.
 http_port                        | **Optional.** The TCP port. Defaults to 80 when not using SSL, 443 otherwise.
 http_ssl                         | **Optional.** Whether to use SSL. Defaults to false.
 http_ssl_force_tlsv1             | **Optional.** Whether to force TLSv1.
+http_ssl_force_tlsv1_1           | **Optional.** Whether to force TLSv1.1.
+http_ssl_force_tlsv1_2           | **Optional.** Whether to force TLSv1.2.
 http_ssl_force_sslv2             | **Optional.** Whether to force SSLv2.
 http_ssl_force_sslv3             | **Optional.** Whether to force SSLv3.
+http_ssl_force_tlsv1_or_higher   | **Optional.** Whether to force TLSv1 or higher.
+http_ssl_force_tlsv1_1_or_higher | **Optional.** Whether to force TLSv1.1 or higher.
+http_ssl_force_tlsv1_2_or_higher | **Optional.** Whether to force TLSv1.2 or higher.
+http_ssl_force_sslv2_or_higher   | **Optional.** Whether to force SSLv2 or higher.
+http_ssl_force_sslv3_or_higher   | **Optional.** Whether to force SSLv3 or higher.
 http_sni                         | **Optional.** Whether to use SNI. Defaults to false.
 http_auth_pair                   | **Optional.** Add 'username:password' authorization pair.
 http_proxy_auth_pair             | **Optional.** Add 'username:password' authorization pair for proxy.
--- a/itl/command-plugins.conf
+++ b/itl/command-plugins.conf
@ -334,12 +334,33 @@ object CheckCommand "http" {
 		"-S1" = {
 			set_if = "$http_ssl_force_tlsv1$"
 		}
+		"-S1.1" = {
+			set_if = "$http_ssl_force_tlsv1_1$"
+		}
+		"-S1.2" = {
+			set_if = "$http_ssl_force_tlsv1_2$"
+		}
 		"-S2" = {
 			set_if = "$http_ssl_force_sslv2$"
 		}
 		"-S3" = {
 			set_if = "$http_ssl_force_sslv3$"
 		}
+		"-S1+" = {
+			set_if = "$http_ssl_force_tlsv1_or_higher$"
+		}
+		"-S1.1+" = {
+			set_if = "$http_ssl_force_tlsv1_1_or_higher$"
+		}
+		"-S1.2+" = {
+			set_if = "$http_ssl_force_tlsv1_2_or_higher$"
+		}
+		"-S2+" = {
+			set_if = "$http_ssl_force_sslv2_or_higher$"
+		}
+		"-S3+" = {
+			set_if = "$http_ssl_force_sslv3_or_higher$"
+		}
 		"--sni" = {
 			set_if = "$http_sni$"
 		}