probing for SSL library used by libcurl and started improving the certificate check -C

author: Andreas Baumann <mail@andreasbaumann.cc> 2017-04-20 16:37:16 (GMT)
committer: Sven Nierlein <sven@nierlein.de> 2018-10-22 14:30:31 (GMT)
commit: c0be97f1541ee71a6414e3ad05f9d5a5fe480c98 (patch)
tree: d3240293a4841c9f384ef987ace978bcb9e733a6
parent: 995ab6572f7ace6688ea9df7534b4dae8f7cb31d (diff)
download: monitoring-plugins-c0be97f1541ee71a6414e3ad05f9d5a5fe480c98.tar.gz
1 files changed, 147 insertions, 39 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index b002637..d3f3930 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -91,6 +91,14 @@ typedef struct {
  char *first_line; /* a copy of the first line */
 } curlhelp_statusline;
+typedef enum curlhelp_ssl_library {
+  CURLHELP_SSL_LIBRARY_UNKNOWN,
+  CURLHELP_SSL_LIBRARY_OPENSSL,
+  CURLHELP_SSL_LIBRARY_LIBRESSL,
+  CURLHELP_SSL_LIBRARY_GNUTLS,
+  CURLHELP_SSL_LIBRARY_NSS
+} curlhelp_ssl_library;
 enum {
  REGS = 2,
  MAX_RE_SIZE = 256
@@ -160,12 +168,14 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
+int is_openssl_callback = FALSE;
 #ifdef HAVE_SSL
 X509 *cert = NULL;
 #endif
 int no_body = FALSE;
 int maximum_age = -1;
 int address_family = AF_UNSPEC;
+curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
 int process_arguments (int, char**);
 void handle_curl_option_return_code (CURLcode res, const char* option);
@@ -179,6 +189,8 @@ void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
 int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t);
 int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
 void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
+curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
+const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
 int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
 void curlhelp_free_statusline (curlhelp_statusline *);
@@ -368,25 +380,59 @@ check_http (void)
    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
    handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
  }
+  
+  /* detect SSL library used by libcurl */
+  ssl_library = curlhelp_get_ssl_library (curl);
  /* try hard to get a stack of certificates to verify against */
  if (check_cert)
 #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
-    /* inform curl to report back certificates (this works for OpenSSL, NSS at least) */
+    /* inform curl to report back certificates */
-    curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L);
+    switch (ssl_library) {
-#ifdef LIBCURL_USES_OPENSSL
+      case CURLHELP_SSL_LIBRARY_OPENSSL:
-    /* set callback to extract certificate with OpenSSL context function (works with
+      case CURLHELP_SSL_LIBRARY_LIBRESSL:
-     * OpenSSL only!)
+        /* set callback to extract certificate with OpenSSL context function (works with
-     */
+         * OpenSSL-style libraries only!) */
-    handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+#ifdef USE_OPENSSL
+        /* libcurl and monitoring plugins built with OpenSSL, good */
+        handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+        is_openssl_callback = TRUE;
+#else /* USE_OPENSSL */
 #endif /* USE_OPENSSL */
+        /* libcurl is built with OpenSSL, monitoring plugins, so falling
+         * back to manually extracting certificate information */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); 
+        break;
+      case CURLHELP_SSL_LIBRARY_NSS:
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
+        /* NSS: support for CERTINFO is implemented since 7.34.0 */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
+#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
+        break;
+      
+      case CURLHELP_SSL_LIBRARY_GNUTLS:
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
+        /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
+        handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
+#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
+#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
+        break;
+      
+      case CURLHELP_SSL_LIBRARY_UNKNOWN:
+      default:
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
+        break;
+    }
 #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
-#ifdef LIBCURL_USES_OPENSSL
+    /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
-    /* Too old curl library, hope we have OpenSSL */
+    if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
-    handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+      handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
-#else
+    else
-    die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library)\n");
+      die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
-#endif /* LIBCURL_USES_OPENSSL */
 #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
 #endif /* LIBCURL_FEATURE_SSL */
@@ -480,35 +526,44 @@ check_http (void)
 #ifdef LIBCURL_FEATURE_SSL
  if (use_ssl == TRUE) {
    if (check_cert == TRUE) {
-      if (verbose >= 2)
+      if (is_openssl_callback) {
-        printf ("**** REQUEST CERTIFICATES ****\n");
+#ifdef HAVE_SSL
-      cert_ptr.to_info = NULL;
+        /* check certificate with OpenSSL functions, curl has been built against OpenSSL
-      res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
+         * and we actually have OpenSSL in the monitoring tools
-      if (!res && cert_ptr.to_info) {
+         */
-        int i;
+        result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-        for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
+        return result;
-          struct curl_slist *slist;
+#else /* HAVE_SSL */
-          for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
+        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
-            if (verbose >= 2)
+#endif /* HAVE_SSL */
-              printf ("%d ** %s\n", i, slist->data);
+      } else {
+        /* going with the libcurl CURLINFO data */
+        if (verbose >= 2)
+          printf ("**** REQUEST CERTIFICATES ****\n");
+        cert_ptr.to_info = NULL;
+        res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
+        if (!res && cert_ptr.to_info) {
+          int i;
+          for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
+            struct curl_slist *slist;
+            for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
+              if (verbose >= 2)
+                printf ("%d ** %s\n", i, slist->data);
+            }
          }
+        } else {
+          snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
+            res, curl_easy_strerror(res));
+          die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
        }
-      } else {
+        if (verbose >= 2)
-        snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
+          printf ("**** REQUEST CERTIFICATES ****\n");
-          res, curl_easy_strerror(res));
+        // TODO: either convert data to X509 certs we can check with np_net_ssl_check_certificate
-        die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+        // or do something on our own..
+        //~ result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+        //~ return result;
+        die (STATE_UNKNOWN, "HTTP UNKNOWN - CERTINFO certificate checks not implemented yet\n");
      }
-      if (verbose >= 2)
-        printf ("**** REQUEST CERTIFICATES ****\n");
-      /* check certificate with OpenSSL functions, curl has been built against OpenSSL
-       * and we actually have OpenSSL in the monitoring tools
-       */
-#ifdef HAVE_SSL
-#ifdef LIBCURL_USES_OPENSSL
-      result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-#endif /* LIBCURL_USES_OPENSSL */
-#endif /* HAVE_SSL */
-      return result;
    }
  }
 #endif /* LIBCURL_FEATURE_SSL */
@@ -1617,3 +1672,56 @@ check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFA
  return date_result;
 }
+/* TODO: is there a better way in libcurl to check for the SSL library? */
+curlhelp_ssl_library
+curlhelp_get_ssl_library (CURL* curl)
+{
+  curl_version_info_data* version_data;
+  char *ssl_version;
+  char *library;
+  curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
+  version_data = curl_version_info (CURLVERSION_NOW);
+  if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+  ssl_version = strdup (version_data->ssl_version);
+  if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+  
+  library = strtok (ssl_version, "/");
+  if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
+  
+  if (strcmp (library, "OpenSSL") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
+  else if (strcmp (library, "LibreSSL") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
+  else if (strcmp (library, "GnuTLS") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
+  else if (strcmp (library, "NSS") == 0)
+    ssl_library = CURLHELP_SSL_LIBRARY_NSS;
+  if (verbose >= 2)
+    printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
+  
+  free (ssl_version);
+    
+  return ssl_library;
+}
+const char*
+curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
+{
+  switch (ssl_library) {
+    case CURLHELP_SSL_LIBRARY_OPENSSL:
+      return "OpenSSL";
+    case CURLHELP_SSL_LIBRARY_LIBRESSL:
+      return "LibreSSL";
+    case CURLHELP_SSL_LIBRARY_GNUTLS:
+      return "GnuTLS";
+    case CURLHELP_SSL_LIBRARY_NSS:
+      return "NSS";
+    case CURLHELP_SSL_LIBRARY_UNKNOWN:
+    default:
+      return "unknown";
+  }
+}
author	Andreas Baumann <mail@andreasbaumann.cc>	2017-04-20 16:37:16 (GMT)
committer	Sven Nierlein <sven@nierlein.de>	2018-10-22 14:30:31 (GMT)
commit	c0be97f1541ee71a6414e3ad05f9d5a5fe480c98 (patch)
tree	d3240293a4841c9f384ef987ace978bcb9e733a6
parent	995ab6572f7ace6688ea9df7534b4dae8f7cb31d (diff)
download	monitoring-plugins-c0be97f1541ee71a6414e3ad05f9d5a5fe480c98.tar.gz

diff --git a/plugins/check_curl.c b/plugins/check_curl.c index b002637..d3f3930 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c
@@ -91,6 +91,14 @@ typedef struct {
91	char first_line; / a copy of the first line */	91	char first_line; / a copy of the first line */
92	} curlhelp_statusline;	92	} curlhelp_statusline;
93		93
		94	typedef enum curlhelp_ssl_library {
		95	CURLHELP_SSL_LIBRARY_UNKNOWN,
		96	CURLHELP_SSL_LIBRARY_OPENSSL,
		97	CURLHELP_SSL_LIBRARY_LIBRESSL,
		98	CURLHELP_SSL_LIBRARY_GNUTLS,
		99	CURLHELP_SSL_LIBRARY_NSS
		100	} curlhelp_ssl_library;
		101
94	enum {	102	enum {
95	REGS = 2,	103	REGS = 2,
96	MAX_RE_SIZE = 256	104	MAX_RE_SIZE = 256
@@ -160,12 +168,14 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
160	char *client_cert = NULL;	168	char *client_cert = NULL;
161	char *client_privkey = NULL;	169	char *client_privkey = NULL;
162	char *ca_cert = NULL;	170	char *ca_cert = NULL;
		171	int is_openssl_callback = FALSE;
163	#ifdef HAVE_SSL	172	#ifdef HAVE_SSL
164	X509 *cert = NULL;	173	X509 *cert = NULL;
165	#endif	174	#endif
166	int no_body = FALSE;	175	int no_body = FALSE;
167	int maximum_age = -1;	176	int maximum_age = -1;
168	int address_family = AF_UNSPEC;	177	int address_family = AF_UNSPEC;
		178	curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
169		179
170	int process_arguments (int, char**);	180	int process_arguments (int, char**);
171	void handle_curl_option_return_code (CURLcode res, const char* option);	181	void handle_curl_option_return_code (CURLcode res, const char* option);
@@ -179,6 +189,8 @@ void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
179	int curlhelp_initreadbuffer (curlhelp_read_curlbuf , const char , size_t);	189	int curlhelp_initreadbuffer (curlhelp_read_curlbuf , const char , size_t);
180	int curlhelp_buffer_read_callback (void , size_t , size_t , void );	190	int curlhelp_buffer_read_callback (void , size_t , size_t , void );
181	void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);	191	void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
		192	curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
		193	const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
182		194
183	int curlhelp_parse_statusline (const char, curlhelp_statusline );	195	int curlhelp_parse_statusline (const char, curlhelp_statusline );
184	void curlhelp_free_statusline (curlhelp_statusline *);	196	void curlhelp_free_statusline (curlhelp_statusline *);
@@ -368,25 +380,59 @@ check_http (void)
368	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");	380	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
369	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");	381	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
370	}	382	}
		383
		384	/* detect SSL library used by libcurl */
		385	ssl_library = curlhelp_get_ssl_library (curl);
371		386
372	/* try hard to get a stack of certificates to verify against */	387	/* try hard to get a stack of certificates to verify against */
373	if (check_cert)	388	if (check_cert)
374	#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)	389	#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
375	/* inform curl to report back certificates (this works for OpenSSL, NSS at least) */	390	/* inform curl to report back certificates */
376	curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L);	391	switch (ssl_library) {
377	#ifdef LIBCURL_USES_OPENSSL	392	case CURLHELP_SSL_LIBRARY_OPENSSL:
378	/* set callback to extract certificate with OpenSSL context function (works with	393	case CURLHELP_SSL_LIBRARY_LIBRESSL:
379	* OpenSSL only!)	394	/* set callback to extract certificate with OpenSSL context function (works with
380	*/	395	* OpenSSL-style libraries only!) */
381	handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");	396	#ifdef USE_OPENSSL
		397	/* libcurl and monitoring plugins built with OpenSSL, good */
		398	handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
		399	is_openssl_callback = TRUE;
		400	#else /* USE_OPENSSL */
382	#endif /* USE_OPENSSL */	401	#endif /* USE_OPENSSL */
		402	/* libcurl is built with OpenSSL, monitoring plugins, so falling
		403	* back to manually extracting certificate information */
		404	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
		405	break;
		406
		407	case CURLHELP_SSL_LIBRARY_NSS:
		408	#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
		409	/* NSS: support for CERTINFO is implemented since 7.34.0 */
		410	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
		411	#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
		412	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
		413	#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
		414	break;
		415
		416	case CURLHELP_SSL_LIBRARY_GNUTLS:
		417	#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
		418	/* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
		419	handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
		420	#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
		421	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
		422	#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
		423	break;
		424
		425	case CURLHELP_SSL_LIBRARY_UNKNOWN:
		426	default:
		427	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
		428	break;
		429	}
383	#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */	430	#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
384	#ifdef LIBCURL_USES_OPENSSL	431	/* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
385	/* Too old curl library, hope we have OpenSSL */	432	if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL \|\| ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
386	handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");	433	handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
387	#else	434	else
388	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library)\n");	435	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
389	#endif /* LIBCURL_USES_OPENSSL */
390	#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */	436	#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
391		437
392	#endif /* LIBCURL_FEATURE_SSL */	438	#endif /* LIBCURL_FEATURE_SSL */
@@ -480,35 +526,44 @@ check_http (void)
480	#ifdef LIBCURL_FEATURE_SSL	526	#ifdef LIBCURL_FEATURE_SSL
481	if (use_ssl == TRUE) {	527	if (use_ssl == TRUE) {
482	if (check_cert == TRUE) {	528	if (check_cert == TRUE) {
483	if (verbose >= 2)	529	if (is_openssl_callback) {
484	printf ("** REQUEST CERTIFICATES **\n");	530	#ifdef HAVE_SSL
485	cert_ptr.to_info = NULL;	531	/* check certificate with OpenSSL functions, curl has been built against OpenSSL
486	res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);	532	* and we actually have OpenSSL in the monitoring tools
487	if (!res && cert_ptr.to_info) {	533	*/
488	int i;	534	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
489	for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {	535	return result;
490	struct curl_slist *slist;	536	#else /* HAVE_SSL */
491	for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {	537	die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
492	if (verbose >= 2)	538	#endif /* HAVE_SSL */
493	printf ("%d ** %s\n", i, slist->data);	539	} else {
		540	/* going with the libcurl CURLINFO data */
		541	if (verbose >= 2)
		542	printf ("** REQUEST CERTIFICATES **\n");
		543	cert_ptr.to_info = NULL;
		544	res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
		545	if (!res && cert_ptr.to_info) {
		546	int i;
		547	for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
		548	struct curl_slist *slist;
		549	for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
		550	if (verbose >= 2)
		551	printf ("%d ** %s\n", i, slist->data);
		552	}
494	}	553	}
		554	} else {
		555	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
		556	res, curl_easy_strerror(res));
		557	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
495	}	558	}
496	} else {	559	if (verbose >= 2)
497	snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),	560	printf ("** REQUEST CERTIFICATES **\n");
498	res, curl_easy_strerror(res));	561	// TODO: either convert data to X509 certs we can check with np_net_ssl_check_certificate
499	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);	562	// or do something on our own..
		563	//~ result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
		564	//~ return result;
		565	die (STATE_UNKNOWN, "HTTP UNKNOWN - CERTINFO certificate checks not implemented yet\n");
500	}	566	}
501	if (verbose >= 2)
502	printf ("** REQUEST CERTIFICATES **\n");
503	/* check certificate with OpenSSL functions, curl has been built against OpenSSL
504	* and we actually have OpenSSL in the monitoring tools
505	*/
506	#ifdef HAVE_SSL
507	#ifdef LIBCURL_USES_OPENSSL
508	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
509	#endif /* LIBCURL_USES_OPENSSL */
510	#endif /* HAVE_SSL */
511	return result;
512	}	567	}
513	}	568	}
514	#endif /* LIBCURL_FEATURE_SSL */	569	#endif /* LIBCURL_FEATURE_SSL */
@@ -1617,3 +1672,56 @@ check_document_dates (const curlhelp_write_curlbuf header_buf, char (msg)[DEFA
1617		1672
1618	return date_result;	1673	return date_result;
1619	}	1674	}
		1675
		1676	/* TODO: is there a better way in libcurl to check for the SSL library? */
		1677	curlhelp_ssl_library
		1678	curlhelp_get_ssl_library (CURL* curl)
		1679	{
		1680	curl_version_info_data* version_data;
		1681	char *ssl_version;
		1682	char *library;
		1683	curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
		1684
		1685	version_data = curl_version_info (CURLVERSION_NOW);
		1686	if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
		1687
		1688	ssl_version = strdup (version_data->ssl_version);
		1689	if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
		1690
		1691	library = strtok (ssl_version, "/");
		1692	if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
		1693
		1694	if (strcmp (library, "OpenSSL") == 0)
		1695	ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
		1696	else if (strcmp (library, "LibreSSL") == 0)
		1697	ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
		1698	else if (strcmp (library, "GnuTLS") == 0)
		1699	ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
		1700	else if (strcmp (library, "NSS") == 0)
		1701	ssl_library = CURLHELP_SSL_LIBRARY_NSS;
		1702
		1703	if (verbose >= 2)
		1704	printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
		1705
		1706	free (ssl_version);
		1707
		1708	return ssl_library;
		1709	}
		1710
		1711	const char*
		1712	curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
		1713	{
		1714	switch (ssl_library) {
		1715	case CURLHELP_SSL_LIBRARY_OPENSSL:
		1716	return "OpenSSL";
		1717	case CURLHELP_SSL_LIBRARY_LIBRESSL:
		1718	return "LibreSSL";
		1719	case CURLHELP_SSL_LIBRARY_GNUTLS:
		1720	return "GnuTLS";
		1721	case CURLHELP_SSL_LIBRARY_NSS:
		1722	return "NSS";
		1723	case CURLHELP_SSL_LIBRARY_UNKNOWN:
		1724	default:
		1725	return "unknown";
		1726	}
		1727	}