handling the -C check now when compiled with OpenSSL but libcurl is not compiled with OpenSSL

author: Andreas Baumann <mail@andreasbaumann.cc> 2017-04-21 13:07:51 +0000
committer: Andreas Baumann <mail@andreasbaumann.cc> 2017-04-21 13:07:51 +0000
commit: 65d1d2ca3c617240142736a6316504f8a7e13ca9 (patch)
tree: f7131b0828fc203422672cffb0a735d14fb323dd
parent: f8a184c2d32198b4da3d4e626ec8500c2f23f9f6 (diff)
download: monitoring-plugins-65d1d2c.tar.gz
1 files changed, 41 insertions, 6 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 6575af71..878276e6 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -531,24 +531,59 @@ check_http (void)
  if (use_ssl == TRUE) {
    if (check_cert == TRUE) {
      if (is_openssl_callback) {
-#ifdef HAVE_SSL
+#ifdef USE_OPENSSL
        /* check certificate with OpenSSL functions, curl has been built against OpenSSL
         * and we actually have OpenSSL in the monitoring tools
         */
        result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
        return result;
-#else /* HAVE_SSL */
+#else /* USE_OPENSSL */
        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
-#endif /* HAVE_SSL */
+#endif /* USE_OPENSSL */
      } else {
-        /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+        int i;
-         * so we use the libcurl CURLINFO data
+        struct curl_slist *slist;
-         */
        cert_ptr.to_info = NULL;
        res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
        if (!res && cert_ptr.to_info) {
+#ifdef USE_OPENSSL          
+          /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
+           * We only check the first certificate and assume it's the one of the server
+           */
+          const char* raw_cert = NULL;
+          for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
+            for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
+              if (verbose >= 2)
+                printf ("%d ** %s\n", i, slist->data);
+              if (strncmp (slist->data, "Cert:", 5) == 0) {
+                raw_cert = &slist->data[5];
+                goto GOT_FIRST_CERT;
+              }
+            }
+          }
+GOT_FIRST_CERT:
+          if (!raw_cert) {
+            snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
+            die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+          }
+          BIO* cert_BIO = BIO_new (BIO_s_mem());
+          BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
+          cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
+          if (!cert) {
+            snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
+            die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+          }
+          BIO_free (cert_BIO);
+          result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+          return result;        
+#else /* USE_OPENSSL */
+          /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+           * so we use the libcurl CURLINFO data
+           */
          result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
          return result;
+#endif /* USE_OPENSSL */
        } else {
          snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
            res, curl_easy_strerror(res));
author	Andreas Baumann <mail@andreasbaumann.cc>	2017-04-21 13:07:51 +0000
committer	Andreas Baumann <mail@andreasbaumann.cc>	2017-04-21 13:07:51 +0000
commit	65d1d2ca3c617240142736a6316504f8a7e13ca9 (patch)
tree	f7131b0828fc203422672cffb0a735d14fb323dd
parent	f8a184c2d32198b4da3d4e626ec8500c2f23f9f6 (diff)
download	monitoring-plugins-65d1d2c.tar.gz

diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 6575af71..878276e6 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c
@@ -531,24 +531,59 @@ check_http (void)
531	if (use_ssl == TRUE) {	531	if (use_ssl == TRUE) {
532	if (check_cert == TRUE) {	532	if (check_cert == TRUE) {
533	if (is_openssl_callback) {	533	if (is_openssl_callback) {
534	#ifdef HAVE_SSL	534	#ifdef USE_OPENSSL
535	/* check certificate with OpenSSL functions, curl has been built against OpenSSL	535	/* check certificate with OpenSSL functions, curl has been built against OpenSSL
536	* and we actually have OpenSSL in the monitoring tools	536	* and we actually have OpenSSL in the monitoring tools
537	*/	537	*/
538	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);	538	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
539	return result;	539	return result;
540	#else /* HAVE_SSL */	540	#else /* USE_OPENSSL */
541	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");	541	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
542	#endif /* HAVE_SSL */	542	#endif /* USE_OPENSSL */
543	} else {	543	} else {
544	/* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,	544	int i;
545	* so we use the libcurl CURLINFO data	545	struct curl_slist *slist;
546	*/	546
547	cert_ptr.to_info = NULL;	547	cert_ptr.to_info = NULL;
548	res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);	548	res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
549	if (!res && cert_ptr.to_info) {	549	if (!res && cert_ptr.to_info) {
		550	#ifdef USE_OPENSSL
		551	/* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
		552	* We only check the first certificate and assume it's the one of the server
		553	*/
		554	const char* raw_cert = NULL;
		555	for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
		556	for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
		557	if (verbose >= 2)
		558	printf ("%d ** %s\n", i, slist->data);
		559	if (strncmp (slist->data, "Cert:", 5) == 0) {
		560	raw_cert = &slist->data[5];
		561	goto GOT_FIRST_CERT;
		562	}
		563	}
		564	}
		565	GOT_FIRST_CERT:
		566	if (!raw_cert) {
		567	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
		568	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
		569	}
		570	BIO* cert_BIO = BIO_new (BIO_s_mem());
		571	BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
		572	cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
		573	if (!cert) {
		574	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
		575	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
		576	}
		577	BIO_free (cert_BIO);
		578	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
		579	return result;
		580	#else /* USE_OPENSSL */
		581	/* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
		582	* so we use the libcurl CURLINFO data
		583	*/
550	result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);	584	result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
551	return result;	585	return result;
		586	#endif /* USE_OPENSSL */
552	} else {	587	} else {
553	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),	588	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
554	res, curl_easy_strerror(res));	589	res, curl_easy_strerror(res));