[Nagiosplug-devel] Anybody interested in a plugin that checks SSL certificate validity or has it already been done?

[Voon, Ton]

Naoki,

This looks very interesting. Is it possible to roll it within check_http as
a different option?

We would be not be adding it to the 1.4 release at this stage, but it is
definitely a candidate for 1.5.

Ton

-----Original Message-----
From: Naoki [mailto:naoki at valuecommerce.com] 
Sent: 21 January 2005 09:48
To: nagiosplug-devel at lists.sourceforge.net
Subject: [Nagiosplug-devel] Anybody interested in a plugin that checks SSL
certificate validity or has it already been done?



The "check_http -S" plugin call will check for cert expiry but that's not
good enough for me. I've created a plugin that will check for self signed,
bad intermediate CAs etc. If there is some interest I'll clean it up ( move
to getopt and add '--help' mainly ) and submit it properly.


$ ./check_ssl_cert www.verisign.com 443 vcCA/verisign_ca 
OK: ok 
$ ./check_ssl_cert myfakebox.com 443 vcCA/verisign_ca 
Verifcation Error: unable to get local issuer certificate 
$ ./check_ssl_cert localhost 443 vcCA/verisign_ca 
Verifcation Error: self signed certificate 
$ ./check_ssl_cert localhost 4433 vcCA/verisign_ca 
connect: Connection refused 
$ ./check_ssl_cert www.bogusdomain 443 vcCA/verisign_ca 
ERROR: No valid host


//Naoki's Code to Verifiy an SSL certificate using optional intermediate
CAs. 
//2005/01/21 - v0.1 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 

#include <openssl/bio.h> 
#include <openssl/err.h> 
#include <openssl/rand.h> 
#include <openssl/ssl.h> 
#include <openssl/x509v3.h> 

#define CHK_NULL(x) if ((x)==NULL) exit (1) 
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); } 
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit (2);
} 

int main ( int argc, char *argv[] ) { 

//    Counters 
   int    i,j,port,err; 
   int   debug_mode = 0; 
   int   return_code = 0; 
   long   l; 
   char*     cert_name; 
   char*   cert_issuer; 
   char    *trusted_ca_file=NULL; 
   char    *trusted_ca_path=NULL; 
//   TCP Structures 
   int    sd; 
   struct    hostent *host; 
   struct    sockaddr_in addr; 

//   SSL Structures 
   SSL_METHOD *method; 
   SSL_CTX *ctx; 
   SSL*   ssl; 
   X509*    server_cert; 

//   Setup SSL 
   OpenSSL_add_all_algorithms();    
   SSL_load_error_strings();      
   method = SSLv23_client_method(); 
   ctx = SSL_CTX_new(method); 
   CHK_SSL(err); 

//   The first argument is our host, the second our port. The third is
the path to trusted CA. The fourth is optional debug. 
   host = gethostbyname(argv[1]); 
   if (host == NULL) { printf ("ERROR: No valid host\n"); exit (2); } 
   port = atoi (argv[2]); 
   trusted_ca_file = (argv[3]); 

   if (argv[4] != NULL) {    
      if ( strncmp(argv[4],"debug",5) == 0 ) {debug_mode = 1; ;printf ("set
to %d, %s\n", debug_mode, argv[4]); } 
   } 

//   Create a socket 
   sd = socket(PF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket"); 
   memset(&addr, 0, sizeof(addr)); 
   addr.sin_family = AF_INET; 
   addr.sin_port = htons(port); 
   addr.sin_addr.s_addr = *(long*)(host->h_addr); 
   err = connect(sd, (struct sockaddr*)&addr, sizeof(addr)); CHK_ERR (err,
"connect"); 
if (debug_mode) printf("TCP Connection opened.. Starting SSL negotiation
\n"); 

        //SSL_CTX_set_verify_depth(ctx, 10); 
   //SSL_CTX_set_verify(ctx,verify,verify_callback); 
        SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file
(trusted_ca_file)); 
        if (SSL_CTX_load_verify_locations(ctx, trusted_ca_file,
trusted_ca_path)) {   l = SSL_CTX_set_default_verify_paths(ctx); } 
if (debug_mode)   printf("Set Trusted CA location: %d\n",l); 

   ssl = SSL_new(ctx);  CHK_NULL(ssl);  

   SSL_set_fd(ssl, sd); 
   err = SSL_connect(ssl); CHK_SSL(err); 

if (debug_mode) printf("SSL Connection Established.. Checking server
CERT\n");    

   SSL_get_peer_cert_chain(ssl); 

   server_cert = SSL_get_peer_certificate (ssl);        
   CHK_NULL(server_cert); 

     cert_name = X509_NAME_oneline (X509_get_subject_name
(server_cert),0,0); 
     CHK_NULL(cert_name); 

     cert_issuer = X509_NAME_oneline (X509_get_issuer_name
(server_cert),0,0); 
     CHK_NULL(cert_issuer); 

        l = SSL_get_verify_result( ssl ); 

if (debug_mode) { 
   printf ("Cert issuer: %s\n", cert_issuer); 
     printf ("Cert subject: %s\n", cert_name); 
   printf("Verifcation Code: %d\n",l); 
} 

   if (l != X509_V_OK ) { 
      printf("Verifcation Error: %s\n",X509_verify_cert_error_string
(l)); 
      return_code = 1;    
   } else { 
      printf ("OK: %s\n", X509_verify_cert_error_string(l) ); 
      return_code = 0; 
   } 
    

//   If all good, cleanup and leave 
   OPENSSL_free (cert_name); 
   OPENSSL_free (cert_issuer); 
     X509_free (server_cert); 
     close (sd); 
     SSL_free (ssl); 
    SSL_CTX_free (ctx); 

   return return_code; 
}

Mark "Naoki" Rogers 
----------------------------------------
Vice President - Systems and Engineering
ValueCommerce



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool
for open source databases. Create drag-&-drop reports. Save time by over
75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a
FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________________
Nagios Plugin Development Mailing List
Nagiosplug-devel at lists.sourceforge.net
Unsubscribe at https://lists.sourceforge.net/lists/listinfo/nagiosplug-devel
::: Please include plugins version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

-----------------------------------------
Egg is a trading name of the Egg group of companies which includes: Egg plc
(reg no 2448340), Egg Financial Products ltd (reg no 3319027), Egg
International ltd (reg no 4059266), Egg Financial Intermediation ltd (reg
no 382828), Egg Investments ltd (reg no 3403963) and Egg Banking plc (reg
no 2999842.  Egg Investments Ltd, Egg Banking plc and Egg Financial
Intermediation Ltd are authorised and regulated by the Financial Services
Authority (FSA) and are entered in the FSA register under numbers 190518,
205621 and 309551 respectively. These members of the Egg group are
registered in England and Wales. Registered offices: 1 Waterhouse Square,
138-142 Holborn, London EC1N 2NA.    This e-mail is confidential and for
use by the addressee only.  If you are not the intended recipient of this
e-mail and have received it in error, please return the message to the
sender by replying to it and then delete it from your mailbox.  Internet
e-mails are not necessarily secure. The Egg group of companies do not
accept responsibility for changes made to this message after it was sent.
Whilst all reasonable care has been taken to avoid the transmission of
viruses, it is the responsibility of the recipient to ensure that the
onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is
accepted by the Egg group of companies in this regard and the recipient
should carry out such virus and other checks as it considers appropriate.
This communication does not create or modify any contract.