<div dir="ltr"><p id="gmail-yui_3_10_3_1_1490956758554_1635" style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px">Hi developers:<br>  Nowadays we made a large scale security static analysis on several open source projects, and found some mistakes in monitoring-<wbr>plugins-<wbr>2.1.2. In the @plugins/<wbr>sslutils.<wbr>c:164:<br> int np_net_<wbr>ssl_check_<wbr>cert(int days_till_exp_warn, int days_till_<wbr>exp_crit)<wbr>{<br> # ifdef USE_OPENSSL<br> [...]<br> certificate=<wbr>SSL_get_<wbr>peer_certificat<wbr>e(s);</p><p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px"> if (!certificate) {<br>  printf(<wbr>"%s\n",<wbr>_("CRITICAL - Cannot retrieve server certificate."));<br>  return STATE_CRITICAL;<br> }</p><p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px"> /* Extract CN from certificate subject */<br> subj=X509_<wbr>get_subject_<wbr>name(certificat<wbr>e);<br>       [...]<br>       }</p><p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px">  We find that you use SSL_get_<wbr>peer_certificat<wbr>e() to get the cert and verify some properties of it.But it still not secure enough and can lead to MITM attack. To guarantee the security,we recommand you add the judgement if(SSL_<wbr>get_verify_<wbr>result(<wbr>ssl)==X509_<wbr>V_OK) to make sure validation succeeds.We have send the bug report to Ubuntu launchpad,and also inform you of such news.Here are the link:</p><p style="margin:0px 0px 1.2em;padding:0px;width:auto;max-width:45em"><font color="#333333" face="monospace"><span style="font-size:12px"><a href="https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951">https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951</a></span></font><br></p></div>