authorWilliam Leibzon <william@leibzon.org>2012-05-22 01:46:45 (GMT)
committerSven Nierlein <sven@nierlein.de>2012-06-25 10:05:16 (GMT)
commitfa3d2a4074e1bd8526e37ba5e1a214ae4a1774cf (patch)
tree1d0c780a61db8e719502aed2a7bd9311afd23ac4
parent88fdf3a8a8e17f9212e10befe1f24ff3fa1aa8e6 (diff)
applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp
-rw-r--r--plugins/check_http.c38
-rw-r--r--plugins/check_smtp.c37
-rw-r--r--plugins/check_tcp.c27
-rw-r--r--plugins/netutils.h2
-rw-r--r--plugins/sslutils.c18
5 files changed, 89 insertions, 33 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 315848f..703e317 100644
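--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -58,8 +58,8 @@ enum {
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
 int ssl_version;
+int days_till_exp_warn, days_till_exp_crit;
 char *randbuff;
 X509 *server_cert;
 # define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -178,6 +178,7 @@ process_arguments (int argc, char **argv)
 {
  int c = 1;
  char *p;
+ char *temp;
 
  enum {
  INVERT_REGEX = CHAR_MAX + 1,
@@ -282,13 +283,25 @@ process_arguments (int argc, char **argv)
  break;
  case 'C': /* Check SSL cert validity */
 #ifdef HAVE_SSL
- if (!is_intnonneg (optarg))
- usage2 (_("Invalid certificate expiration period"), optarg);
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp='\0';
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi(optarg);
+ *temp=',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ }
  else {
- days_till_exp = atoi (optarg);
- check_cert = TRUE;
+ days_till_exp_crit=0;
+ if (!is_intnonneg (optarg))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi (optarg);
  }
- /* Fall through to -S option */
+ check_cert = TRUE;
+ /* Fall through to -S option */
 #endif
  case 'S': /* use SSL */
 #ifndef HAVE_SSL
@@ -810,7 +823,7 @@ check_http (void)
  if (result != STATE_OK)
  return result;
  if (check_cert == TRUE) {
- result = np_net_ssl_check_cert(days_till_exp);
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
  np_net_ssl_cleanup();
  if (sd) close(sd);
  return result;
@@ -1427,6 +1440,13 @@ print_help (void)
  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
  printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
  printf (" %s\n", _("the certificate is expired."));
+
+ printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
+ printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+ printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+ printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+ printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+
 #endif
 
  printf (UT_SUPPORT);
@@ -1444,6 +1464,6 @@ print_usage (void)
  printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
  printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
  printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
- printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
- printf (" [-j method]\n");
+ printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+ printf (" [-T <content-type>] [-j method]\n");
 }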
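Review bot: In the `-C` branch of process_arguments the warning value is never validated: after `*temp='\0'`, the call `is_intnonneg (temp)` is handed the terminator that was just written, so it tests an empty string instead of the digits before the comma. A mistyped value such as `-C abc,14` would then reach `atoi(optarg)` and presumably become a warning threshold of 0, which quietly removes the early warning the operator configured. The check should read `if (!is_intnonneg (optarg))`; the same line appears in the `-D` branches of check_smtp.c and check_tcp.c. Nothing here rejects a critical value larger than the warning value either, and how is_intnonneg treats an empty critical field (`-C 30,`) is not visible in this diff. process_arguments starts and ends outside the hunk.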
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 494bc2c..0af50e3 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
41 41
42#ifdef HAVE_SSL 42#ifdef HAVE_SSL
43int check_cert = FALSE; 43int check_cert = FALSE;
44int days_till_exp; 44int days_till_exp_warn, days_till_exp_crit;
45# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) 45# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
46# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) 46# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
47#else /* ifndef HAVE_SSL */ 47#else /* ifndef HAVE_SSL */
@@ -275,7 +275,7 @@ main (int argc, char **argv)
275 275
276# ifdef USE_OPENSSL 276# ifdef USE_OPENSSL
277 if ( check_cert ) { 277 if ( check_cert ) {
278 result = np_net_ssl_check_cert(days_till_exp); 278 result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
279 my_close(); 279 my_close();
280 return result; 280 return result;
281 } 281 }
@@ -454,6 +454,7 @@ int
454process_arguments (int argc, char **argv) 454process_arguments (int argc, char **argv)
455{ 455{
456 int c; 456 int c;
457 char* temp;
457 458
458 int option = 0; 459 int option = 0;
459 static struct option longopts[] = { 460 static struct option longopts[] = {
@@ -600,12 +601,26 @@ process_arguments (int argc, char **argv)
600 case 'D': 601 case 'D':
601 /* Check SSL cert validity */ 602 /* Check SSL cert validity */
602#ifdef USE_OPENSSL 603#ifdef USE_OPENSSL
603 if (!is_intnonneg (optarg)) 604 if ((temp=strchr(optarg,','))!=NULL) {
604 usage2 ("Invalid certificate expiration period",optarg); 605 *temp='\0';
605 days_till_exp = atoi (optarg); 606 if (!is_intnonneg (temp))
606 check_cert = TRUE; 607 usage2 ("Invalid certificate expiration period", optarg);
608 days_till_exp_warn = atoi(optarg);
609 *temp=',';
610 temp++;
611 if (!is_intnonneg (temp))
612 usage2 (_("Invalid certificate expiration period"), temp);
613 days_till_exp_crit = atoi (temp);
614 }
615 else {
616 days_till_exp_crit=0;
617 if (!is_intnonneg (optarg))
618 usage2 ("Invalid certificate expiration period", optarg);
619 days_till_exp_warn = atoi (optarg);
620 }
621 check_cert = TRUE;
607#else 622#else
608 usage (_("SSL support not available - install OpenSSL and recompile")); 623 usage (_("SSL support not available - install OpenSSL and recompile"));
609#endif 624#endif
610 break; 625 break;
611 case '4': 626 case '4':
@@ -802,7 +817,7 @@ print_help (void)
802 printf (" %s\n", "-F, --fqdn=STRING"); 817 printf (" %s\n", "-F, --fqdn=STRING");
803 printf (" %s\n", _("FQDN used for HELO")); 818 printf (" %s\n", _("FQDN used for HELO"));
804#ifdef HAVE_SSL 819#ifdef HAVE_SSL
805 printf (" %s\n", "-D, --certificate=INTEGER"); 820 printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
806 printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); 821 printf (" %s\n", _("Minimum number of days a certificate has to be valid."));
807 printf (" %s\n", "-S, --starttls"); 822 printf (" %s\n", "-S, --starttls");
808 printf (" %s\n", _("Use STARTTLS for the connection.")); 823 printf (" %s\n", _("Use STARTTLS for the connection."));
@@ -838,8 +853,8 @@ void
838print_usage (void) 853print_usage (void)
839{ 854{
840 printf ("%s\n", _("Usage:")); 855 printf ("%s\n", _("Usage:"));
841 printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname); 856 printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname);
842 printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n"); 857 printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n");
843 printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n"); 858 printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n");
844} 859}
845 860
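Review bot: The `-D` entry in print_help still says only "Minimum number of days a certificate has to be valid." although the option now takes `INTEGER[,INTEGER]`, so nothing tells the operator which number is the warning threshold, which is the critical one, or that the critical one defaults to 0. check_tcp.c gains such a line in this commit and the same one fits here: `printf (" %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));`. In the `-D` branch of process_arguments, two of the three new `usage2` calls pass the message without `_()` while the one for the critical value wraps it, so the error is translated on one path only; wrapping all three keeps them consistent.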
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index d3c92a4..7b0f7f8 100644
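--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
 
 #ifdef HAVE_SSL
 static int check_cert = FALSE;
-static int days_till_exp;
+static int days_till_exp_warn, days_till_exp_crit;
 # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else
@@ -235,7 +235,7 @@ main (int argc, char **argv)
  if (flags & FLAG_SSL){
  result = np_net_ssl_init(sd);
  if (result == STATE_OK && check_cert == TRUE) {
- result = np_net_ssl_check_cert(days_till_exp);
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
  }
  }
  if(result != STATE_OK || check_cert == TRUE){
@@ -380,6 +380,7 @@ process_arguments (int argc, char **argv)
 {
  int c;
  int escape = 0;
+ char *temp;
 
  int option = 0;
  static struct option longopts[] = {
@@ -552,9 +553,22 @@ process_arguments (int argc, char **argv)
  case 'D': /* Check SSL cert validity - days 'til certificate expiration */
 #ifdef HAVE_SSL
 # ifdef USE_OPENSSL /* XXX */
- if (!is_intnonneg (optarg))
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp='\0';
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi(optarg);
+ *temp=',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ }
+ else {
+ days_till_exp_crit=0;
+ if (!is_intnonneg (optarg))
  usage2 (_("Invalid certificate expiration period"), optarg);
- days_till_exp = atoi (optarg);
+ days_till_exp_warn = atoi (optarg);
+ }
  check_cert = TRUE;
  flags |= FLAG_SSL;
  break;
@@ -626,8 +640,9 @@ print_help (void)
  printf (" %s\n", _("Seconds to wait between sending string and polling for response"));
 
 #ifdef HAVE_SSL
- printf (" %s\n", "-D, --certificate=INTEGER");
+ printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
  printf (" %s\n", _("Minimum number of days a certificate has to be valid."));
+ printf (" %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
  printf (" %s\n", "-S, --ssl");
  printf (" %s\n", _("Use SSL for the connection."));
 #endif
@@ -649,6 +664,6 @@ print_usage (void)
  printf ("%s -H host -p port [-w <warning time>] [-c <critical time>] [-s <send string>]\n",progname);
  printf ("[-e <expect string>] [-q <quit string>][-m <maximum bytes>] [-d <delay>]\n");
  printf ("[-t <timeout seconds>] [-r <refuse state>] [-M <mismatch state>] [-v] [-4|-6] [-j]\n");
- printf ("[-D <days to cert expiry>] [-S <use SSL>] [-E]\n");
+ printf ("[-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>] [-E]\n");
 }
 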
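Review bot: New line 559 in the `-D` branch places `days_till_exp_warn = atoi(optarg);` on the same physical line as the `usage2` call that is the body of the unbraced `if` above it. The assignment is not governed by that `if`, so it runs on every path, which matches the parallel branches in check_http.c and check_smtp.c, but laid out this way it reads as part of the error path and is easy to break in a later edit. Put `days_till_exp_warn = atoi(optarg);` on its own line and brace the `if` so that the threshold assignment is visibly unconditional. process_arguments starts and ends outside the hunk.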
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 572a3ae..21017f1 100644
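--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
-int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
 #endif /* HAVE_SSL */
 
 #endif /* _NETUTILS_H_ */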
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 5425bb2..fe31b56 100644
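--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) {
  return SSL_read(s, buf, num);
 }
 
-int np_net_ssl_check_cert(int days_till_exp) {
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 # ifdef USE_OPENSSL
  X509 *certificate=NULL;
  X509_NAME *subj=NULL;
@@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) {
  stamp.tm_mon + 1,
  stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
 
- if (days_left > 0 && days_left <= days_till_exp) {
- printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
- status=STATE_WARNING;
+ if (days_left > 0 && days_left <= days_till_exp_warn) {
+ printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp);
+ if (days_left > days_till_exp_crit)
+ return STATE_WARNING;
+ else
+ return STATE_CRITICAL;
  } else if (time_left < 0) {
  printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
  status=STATE_CRITICAL;
  } else if (days_left == 0) {
- printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
- status=STATE_WARNING;
+ printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp);
+ if (days_left > days_till_exp_crit)
+ return STATE_WARNING;
+ else
+ return STATE_CRITICAL;
  } else {
  printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
  status=STATE_OK;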
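Review bot: The printed severity and the returned state disagree in both rewritten branches of np_net_ssl_check_cert: `(days_left>days_till_exp_crit)?"CRITICAL":"WARNING"` prints CRITICAL exactly when the code below returns STATE_WARNING, and WARNING when it returns STATE_CRITICAL. The operands should be swapped in both printf calls, `(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL"`, so that the plugin output an operator reads matches the exit state the scheduler acts on. In the `days_left == 0` branch the test `days_left > days_till_exp_crit` can only hold for a negative critical threshold, so that branch in practice always returns STATE_CRITICAL and could say so directly. The new `return` statements also leave from inside the if/else chain while the other branches still assign `status`; whatever follows the chain lies outside this hunk and is skipped on these paths, which is worth checking for cleanup.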