diff options
| author | Barak Shohat <barak@bazzisoft.com> | 2021-04-07 09:34:46 (GMT) |
|---|---|---|
| committer | Barak Shohat <barak@bazzisoft.com> | 2021-04-07 12:38:47 (GMT) |
| commit | 6993c216955a54845d98dc568534613334c0b545 (patch) | |
| tree | 5c69050db7d0407f7fb668a40fdc8d5620527596 | |
| parent | 57b4dc0f2307cd49bedeed01ee56bc6077d428f5 (diff) | |
| download | monitoring-plugins-6993c21.tar.gz | |
Add an option to check_curl to verify the peer certificate & host using the system CA'srefs/pull/1669/head
| -rw-r--r-- | plugins/check_curl.c | 17 | ||||
| -rw-r--r-- | plugins/t/check_curl.t | 5 |
2 files changed, 18 insertions, 4 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 8f274c2..19f80b7 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
| @@ -195,6 +195,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; | |||
| 195 | char *client_cert = NULL; | 195 | char *client_cert = NULL; |
| 196 | char *client_privkey = NULL; | 196 | char *client_privkey = NULL; |
| 197 | char *ca_cert = NULL; | 197 | char *ca_cert = NULL; |
| 198 | int verify_peer_and_host = FALSE; | ||
| 198 | int is_openssl_callback = FALSE; | 199 | int is_openssl_callback = FALSE; |
| 199 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) | 200 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) |
| 200 | X509 *cert = NULL; | 201 | X509 *cert = NULL; |
| @@ -489,9 +490,11 @@ check_http (void) | |||
| 489 | if (client_privkey) | 490 | if (client_privkey) |
| 490 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY"); | 491 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY"); |
| 491 | if (ca_cert) { | 492 | if (ca_cert) { |
| 493 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO"); | ||
| 494 | } | ||
| 495 | if (ca_cert || verify_peer_and_host) { | ||
| 492 | /* per default if we have a CA verify both the peer and the | 496 | /* per default if we have a CA verify both the peer and the |
| 493 | * hostname in the certificate, can be switched off later */ | 497 | * hostname in the certificate, can be switched off later */ |
| 494 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO"); | ||
| 495 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER"); | 498 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER"); |
| 496 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST"); | 499 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST"); |
| 497 | } else { | 500 | } else { |
| @@ -1159,6 +1162,7 @@ process_arguments (int argc, char **argv) | |||
| 1159 | {"client-cert", required_argument, 0, 'J'}, | 1162 | {"client-cert", required_argument, 0, 'J'}, |
| 1160 | {"private-key", required_argument, 0, 'K'}, | 1163 | {"private-key", required_argument, 0, 'K'}, |
| 1161 | {"ca-cert", required_argument, 0, CA_CERT_OPTION}, | 1164 | {"ca-cert", required_argument, 0, CA_CERT_OPTION}, |
| 1165 | {"verify-cert", no_argument, 0, 'D'}, | ||
| 1162 | {"useragent", required_argument, 0, 'A'}, | 1166 | {"useragent", required_argument, 0, 'A'}, |
| 1163 | {"header", required_argument, 0, 'k'}, | 1167 | {"header", required_argument, 0, 'k'}, |
| 1164 | {"no-body", no_argument, 0, 'N'}, | 1168 | {"no-body", no_argument, 0, 'N'}, |
| @@ -1193,7 +1197,7 @@ process_arguments (int argc, char **argv) | |||
| 1193 | server_url = strdup(DEFAULT_SERVER_URL); | 1197 | server_url = strdup(DEFAULT_SERVER_URL); |
| 1194 | 1198 | ||
| 1195 | while (1) { | 1199 | while (1) { |
| 1196 | c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option); | 1200 | c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NE", longopts, &option); |
| 1197 | if (c == -1 || c == EOF || c == 1) | 1201 | if (c == -1 || c == EOF || c == 1) |
| 1198 | break; | 1202 | break; |
| 1199 | 1203 | ||
| @@ -1333,6 +1337,11 @@ process_arguments (int argc, char **argv) | |||
| 1333 | ca_cert = optarg; | 1337 | ca_cert = optarg; |
| 1334 | goto enable_ssl; | 1338 | goto enable_ssl; |
| 1335 | #endif | 1339 | #endif |
| 1340 | #ifdef LIBCURL_FEATURE_SSL | ||
| 1341 | case 'D': /* verify peer certificate & host */ | ||
| 1342 | verify_peer_and_host = TRUE; | ||
| 1343 | goto enable_ssl; | ||
| 1344 | #endif | ||
| 1336 | case 'S': /* use SSL */ | 1345 | case 'S': /* use SSL */ |
| 1337 | #ifdef LIBCURL_FEATURE_SSL | 1346 | #ifdef LIBCURL_FEATURE_SSL |
| 1338 | enable_ssl: | 1347 | enable_ssl: |
| @@ -1703,6 +1712,8 @@ print_help (void) | |||
| 1703 | printf (" %s\n", _("matching the client certificate")); | 1712 | printf (" %s\n", _("matching the client certificate")); |
| 1704 | printf (" %s\n", "--ca-cert=FILE"); | 1713 | printf (" %s\n", "--ca-cert=FILE"); |
| 1705 | printf (" %s\n", _("CA certificate file to verify peer against")); | 1714 | printf (" %s\n", _("CA certificate file to verify peer against")); |
| 1715 | printf (" %s\n", "-D, --verify-cert"); | ||
| 1716 | printf (" %s\n", _("Verify the peer's SSL certificate and hostname")); | ||
| 1706 | #endif | 1717 | #endif |
| 1707 | 1718 | ||
| 1708 | printf (" %s\n", "-e, --expect=STRING"); | 1719 | printf (" %s\n", "-e, --expect=STRING"); |
| @@ -1836,7 +1847,7 @@ print_usage (void) | |||
| 1836 | { | 1847 | { |
| 1837 | printf ("%s\n", _("Usage:")); | 1848 | printf ("%s\n", _("Usage:")); |
| 1838 | printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); | 1849 | printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); |
| 1839 | printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>]\n"); | 1850 | printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n"); |
| 1840 | printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n"); | 1851 | printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n"); |
| 1841 | printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n"); | 1852 | printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n"); |
| 1842 | printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); | 1853 | printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); |
diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index 4bff538..55577ad 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t | |||
| @@ -9,7 +9,7 @@ use Test::More; | |||
| 9 | use POSIX qw/mktime strftime/; | 9 | use POSIX qw/mktime strftime/; |
| 10 | use NPTest; | 10 | use NPTest; |
| 11 | 11 | ||
| 12 | plan tests => 57; | 12 | plan tests => 58; |
| 13 | 13 | ||
| 14 | my $successOutput = '/OK.*HTTP.*second/'; | 14 | my $successOutput = '/OK.*HTTP.*second/'; |
| 15 | 15 | ||
| @@ -94,6 +94,9 @@ SKIP: { | |||
| 94 | 94 | ||
| 95 | $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443"); | 95 | $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443"); |
| 96 | like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" ); | 96 | like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" ); |
| 97 | |||
| 98 | $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -p 443"); | ||
| 99 | like( $res->output, '/(^Host: '.$host_tls_http.'\s*$)|(cURL returned 60)/ms', "Host Header OK" ); | ||
| 97 | }; | 100 | }; |
| 98 | 101 | ||
| 99 | SKIP: { | 102 | SKIP: { |