From bd7cb0518bbf908411114ee02a9881049a874cbb Mon Sep 17 00:00:00 2001
From: Patrick Cernko <pcernko@mpi-klsb.mpg.de>
Date: Mon, 18 Mar 2024 10:27:19 +0100
Subject: [PATCH] option to resolve IPs (from dovecot) to hostnames to fix hostname validation in IO::Socket::SSL if IPs not included in certificates
---
 poolmon | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/poolmon b/poolmon
index afdbd94..9b434c7 100755
--- a/poolmon
+++ b/poolmon
@@ -29,12 +29,14 @@ use IO::Socket::UNIX;
 use IO::Socket::INET6;
 use POSIX qw(setsid strftime);
 use Sys::Syslog qw( :DEFAULT setlogsock);
+use Socket;
 $SIG{'PIPE'} = 'IGNORE';
 my @PORTS;
 my @SSL_PORTS;
 my $NO_HOSTNAME_VERIFY = 0;
+my $RESOLVE_HOSTNAME = 0;
 my $DEBUG = 0;
 my $NOFORK = 0;
 my $DRY_RUN = 0;
@@ -57,6 +59,7 @@ Getopt::Long::Configure("bundling");
 GetOptions('p|port=s' => \@PORTS,
 's|ssl=s' => \@SSL_PORTS,
 'no-hostname-verify' => \$NO_HOSTNAME_VERIFY,
+ 'resolve-hostname' => \$RESOLVE_HOSTNAME,
 'd|debug' => \$DEBUG,
 't|timeout=i' => \$TIMEOUT,
 'l|logfile=s' => \$LOGFILE,
@@ -129,6 +132,8 @@ Arguments:
 --port POP3:110 --ssl IMAP:993
 --no-hostname-verify Instruct IO::Socket::SSL to skip verifying given hostname
 in certificate (default: false)
+ --resolve-hostname Resolve backend IPs to hostnames and use them to connect
+ to allow SSL to verify hostname in certificate (default: false)
 -c --credfile=PATH File with credentials to authenticate as, mode 0600.
 - Username on 1st line.
 - Password on 2nd line.
@@ -208,6 +213,9 @@ sub director_connect {
 sub scan_host {
 my ($host, $updown) = @_;
 my $OK = 1;
+ if ($RESOLVE_HOSTNAME) {
+ $host = gethostbyaddr(inet_aton($host), AF_INET);
+ }
 # Check non-SSL ports first
 foreach my $port (@PORTS){
 if (! scan_port($host, $port, 0)){
-- 
GitLab
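Review bot: The added reverse lookup in `scan_host` overwrites `$host` with whatever `gethostbyaddr` returns, and that is `undef` whenever the backend IP has no PTR record (or is an IPv6 address, since `inet_aton`/`AF_INET` are IPv4-only while the script already imports IO::Socket::INET6), so every `scan_port` call below would then run against an undefined host instead of the backend. Guarding the assignment — `my $name = gethostbyaddr(inet_aton($host), AF_INET);` / `$host = $name if defined $name;` — keeps the IP as a fallback, and a log line for the failed lookup would let operators see why verification then fails. There is also a trust issue worth recording in a comment: the name comes from reverse DNS, which is controlled by whoever answers PTR queries for that address, and because the code then connects to the name rather than to the original IP, a forged PTR (or a name whose forward record points elsewhere) redirects the health check to a different host that can present a valid certificate for its own name. Safer is to keep connecting to the IP and hand the resolved name to IO::Socket::SSL only as `SSL_hostname`, ideally after confirming the name resolves back to that IP (forward-confirmed reverse DNS); that requires changing `scan_port`, which lies outside this hunk. `scan_host` itself continues past the end of the hunk.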