[Nagiosplug-devel] [ nagiosplug-Bugs-1939529 ] check_tcp: Expiring SSL certs produce confusing messages.

SourceForge.net noreply at sourceforge.net
Thu Apr 10 18:11:49 CEST 2008


Bugs item #1939529, was opened at 2008-04-10 12:10
Message generated for change (Settings changed) made by gdrago23
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1939529&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Adam Buchbinder (gdrago23)
Assigned to: Nobody/Anonymous (nobody)
>Summary: check_tcp: Expiring SSL certs produce confusing messages.

Initial Comment:
I am running nagios-plugins 1.4.11, the version from Ubuntu Hardy, backported to Feisty.

$ /usr/lib/nagios/plugins/check_tcp -S -H www.google.com -p 443 -D 10; echo $?
OK - Certificate will expire on 05/14/2008 23:18.
TCP OK - 0.084 second response time on port 443|time=0.083917s;;;0.000000;10.000000
0
$ /usr/lib/nagios/plugins/check_tcp -S -H www.google.com -p 443 -D 295; echo $?
WARNING - Certificate expires in 34 day(s) (05/14/2008 23:18).
CRITICAL - Cannot retrieve server certificate.
1

The plugin only returns WARNING, as it should, but the second result line is wrong--the server certificate is indeed being retrieved, and the plugin isn't returning CRITICAL.

Looking through the check_tcp.c source, it appears that np_net_ssl_check_cert is returning CRITICAL when the certificate can't be retrieved or parsed, or when it's expired, and WARNING when it's going to expire within the interval specified by the "-D" option. check_tcp interprets any answer other than STATE_OK as a failure to retrieve the cert.

The root problem seems to be a conflation of Nagios return codes with function return codes; a plugin may interpret a failure to retrieve the certificate at all quite differently from the retrieval of an expired or soon-to-expire certificate.

Perhaps it would be a better idea to have np_net_ssl_check_cert return STATE_UNKNOWN when it can't retrieve the SSL cert information, and STATE_WARNING/STATE_CRITICAL when there's a problem with it, so that the calling program can differentiate between the two types of event. Failing that, check_tcp should check for (result != STATE_OK && result != STATE_WARNING) rather than just (result != STATE_OK).

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1939529&group_id=29880




More information about the Devel mailing list