diff options
| author | Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> | 2025-09-15 10:13:33 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-09-15 10:13:33 +0200 |
| commit | a3cf9041af810770daf5d9b83f1906fa9bb0dd11 (patch) | |
| tree | 9b9b45a6a611c4f37cf5dd447b37f74e48d56c14 /plugins/sslutils.c | |
| parent | f69aba3129d672b88f5bae187fb971fc0ac228ed (diff) | |
| parent | 5a2c1b2c3aeb99e7a703b0c5f6fe1a21d29b3be4 (diff) | |
| download | monitoring-plugins-a3cf9041af810770daf5d9b83f1906fa9bb0dd11.tar.gz | |
Merge pull request #2085 from RincewindsHat/refactor/check_curl
Refactor/check curl and introduce new output formatting
Diffstat (limited to 'plugins/sslutils.c')
| -rw-r--r-- | plugins/sslutils.c | 255 |
1 files changed, 200 insertions, 55 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 96740b3a..3ce6afed 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
| @@ -26,10 +26,12 @@ | |||
| 26 | * | 26 | * |
| 27 | *****************************************************************************/ | 27 | *****************************************************************************/ |
| 28 | 28 | ||
| 29 | #include "output.h" | ||
| 29 | #define MAX_CN_LENGTH 256 | 30 | #define MAX_CN_LENGTH 256 |
| 30 | #include "common.h" | 31 | #include "common.h" |
| 31 | #include "netutils.h" | 32 | #include "netutils.h" |
| 32 | #include "../lib/monitoringplug.h" | 33 | #include "../lib/monitoringplug.h" |
| 34 | #include "states.h" | ||
| 33 | 35 | ||
| 34 | #ifdef HAVE_SSL | 36 | #ifdef HAVE_SSL |
| 35 | static SSL_CTX *ctx = NULL; | 37 | static SSL_CTX *ctx = NULL; |
| @@ -37,13 +39,16 @@ static SSL *s = NULL; | |||
| 37 | 39 | ||
| 38 | int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); } | 40 | int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); } |
| 39 | 41 | ||
| 40 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); } | 42 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { |
| 43 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); | ||
| 44 | } | ||
| 41 | 45 | ||
| 42 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { | 46 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { |
| 43 | return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); | 47 | return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); |
| 44 | } | 48 | } |
| 45 | 49 | ||
| 46 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, |
| 51 | char *privkey) { | ||
| 47 | long options = 0; | 52 | long options = 0; |
| 48 | 53 | ||
| 49 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { | 54 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { |
| @@ -75,7 +80,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 75 | # endif | 80 | # endif |
| 76 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | 81 | case MP_TLSv1_1: /* TLSv1.1 protocol */ |
| 77 | # if !defined(SSL_OP_NO_TLSv1_1) | 82 | # if !defined(SSL_OP_NO_TLSv1_1) |
| 78 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | 83 | printf("%s\n", |
| 84 | _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | ||
| 79 | return STATE_UNKNOWN; | 85 | return STATE_UNKNOWN; |
| 80 | # else | 86 | # else |
| 81 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); | 87 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| @@ -84,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 84 | # endif | 90 | # endif |
| 85 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | 91 | case MP_TLSv1_2: /* TLSv1.2 protocol */ |
| 86 | # if !defined(SSL_OP_NO_TLSv1_2) | 92 | # if !defined(SSL_OP_NO_TLSv1_2) |
| 87 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | 93 | printf("%s\n", |
| 94 | _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | ||
| 88 | return STATE_UNKNOWN; | 95 | return STATE_UNKNOWN; |
| 89 | # else | 96 | # else |
| 90 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); | 97 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| @@ -145,8 +152,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 145 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); | 152 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
| 146 | if ((s = SSL_new(ctx)) != NULL) { | 153 | if ((s = SSL_new(ctx)) != NULL) { |
| 147 | # ifdef SSL_set_tlsext_host_name | 154 | # ifdef SSL_set_tlsext_host_name |
| 148 | if (host_name != NULL) | 155 | if (host_name != NULL) { |
| 149 | SSL_set_tlsext_host_name(s, host_name); | 156 | SSL_set_tlsext_host_name(s, host_name); |
| 157 | } | ||
| 150 | # endif | 158 | # endif |
| 151 | SSL_set_fd(s, sd); | 159 | SSL_set_fd(s, sd); |
| 152 | if (SSL_connect(s) == 1) { | 160 | if (SSL_connect(s) == 1) { |
| @@ -182,63 +190,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); | |||
| 182 | 190 | ||
| 183 | int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } | 191 | int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } |
| 184 | 192 | ||
| 185 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) { | 193 | mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, |
| 194 | int days_till_exp_crit) { | ||
| 186 | # ifdef USE_OPENSSL | 195 | # ifdef USE_OPENSSL |
| 187 | X509_NAME *subj = NULL; | ||
| 188 | char timestamp[50] = ""; | ||
| 189 | char cn[MAX_CN_LENGTH] = ""; | ||
| 190 | char *tz; | ||
| 191 | |||
| 192 | int cnlen = -1; | ||
| 193 | int status = STATE_UNKNOWN; | ||
| 194 | |||
| 195 | ASN1_STRING *tm; | ||
| 196 | int offset; | ||
| 197 | struct tm stamp; | ||
| 198 | float time_left; | ||
| 199 | int days_left; | ||
| 200 | int time_remaining; | ||
| 201 | time_t tm_t; | ||
| 202 | |||
| 203 | if (!certificate) { | 196 | if (!certificate) { |
| 204 | printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); | 197 | printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); |
| 205 | return STATE_CRITICAL; | 198 | return STATE_CRITICAL; |
| 206 | } | 199 | } |
| 207 | 200 | ||
| 208 | /* Extract CN from certificate subject */ | 201 | /* Extract CN from certificate subject */ |
| 209 | subj = X509_get_subject_name(certificate); | 202 | X509_NAME *subj = X509_get_subject_name(certificate); |
| 210 | 203 | ||
| 211 | if (!subj) { | 204 | if (!subj) { |
| 212 | printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); | 205 | printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); |
| 213 | return STATE_CRITICAL; | 206 | return STATE_CRITICAL; |
| 214 | } | 207 | } |
| 215 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | 208 | |
| 216 | if (cnlen == -1) | 209 | char cn[MAX_CN_LENGTH] = ""; |
| 210 | int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | ||
| 211 | if (cnlen == -1) { | ||
| 217 | strcpy(cn, _("Unknown CN")); | 212 | strcpy(cn, _("Unknown CN")); |
| 213 | } | ||
| 218 | 214 | ||
| 219 | /* Retrieve timestamp of certificate */ | 215 | /* Retrieve timestamp of certificate */ |
| 220 | tm = X509_get_notAfter(certificate); | 216 | ASN1_STRING *tm = X509_get_notAfter(certificate); |
| 221 | 217 | ||
| 218 | int offset = 0; | ||
| 219 | struct tm stamp = {}; | ||
| 222 | /* Generate tm structure to process timestamp */ | 220 | /* Generate tm structure to process timestamp */ |
| 223 | if (tm->type == V_ASN1_UTCTIME) { | 221 | if (tm->type == V_ASN1_UTCTIME) { |
| 224 | if (tm->length < 10) { | 222 | if (tm->length < 10) { |
| 225 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 223 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
| 226 | return STATE_CRITICAL; | 224 | return STATE_CRITICAL; |
| 227 | } else { | ||
| 228 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
| 229 | if (stamp.tm_year < 50) | ||
| 230 | stamp.tm_year += 100; | ||
| 231 | offset = 0; | ||
| 232 | } | 225 | } |
| 226 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
| 227 | if (stamp.tm_year < 50) { | ||
| 228 | stamp.tm_year += 100; | ||
| 229 | } | ||
| 230 | offset = 0; | ||
| 231 | |||
| 233 | } else { | 232 | } else { |
| 234 | if (tm->length < 12) { | 233 | if (tm->length < 12) { |
| 235 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 234 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
| 236 | return STATE_CRITICAL; | 235 | return STATE_CRITICAL; |
| 237 | } else { | ||
| 238 | stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
| 239 | stamp.tm_year -= 1900; | ||
| 240 | offset = 2; | ||
| 241 | } | 236 | } |
| 237 | stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
| 238 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
| 239 | stamp.tm_year -= 1900; | ||
| 240 | offset = 2; | ||
| 242 | } | 241 | } |
| 243 | stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | 242 | stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; |
| 244 | stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | 243 | stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); |
| @@ -247,48 +246,60 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int | |||
| 247 | stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); | 246 | stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); |
| 248 | stamp.tm_isdst = -1; | 247 | stamp.tm_isdst = -1; |
| 249 | 248 | ||
| 250 | tm_t = timegm(&stamp); | 249 | time_t tm_t = timegm(&stamp); |
| 251 | time_left = difftime(tm_t, time(NULL)); | 250 | float time_left = difftime(tm_t, time(NULL)); |
| 252 | days_left = time_left / 86400; | 251 | int days_left = time_left / 86400; |
| 253 | tz = getenv("TZ"); | 252 | char *tz = getenv("TZ"); |
| 254 | setenv("TZ", "GMT", 1); | 253 | setenv("TZ", "GMT", 1); |
| 255 | tzset(); | 254 | tzset(); |
| 255 | |||
| 256 | char timestamp[50] = ""; | ||
| 256 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | 257 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); |
| 257 | if (tz) | 258 | if (tz) { |
| 258 | setenv("TZ", tz, 1); | 259 | setenv("TZ", tz, 1); |
| 259 | else | 260 | } else { |
| 260 | unsetenv("TZ"); | 261 | unsetenv("TZ"); |
| 262 | } | ||
| 263 | |||
| 261 | tzset(); | 264 | tzset(); |
| 262 | 265 | ||
| 266 | int time_remaining; | ||
| 267 | mp_state_enum status = STATE_UNKNOWN; | ||
| 263 | if (days_left > 0 && days_left <= days_till_exp_warn) { | 268 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
| 264 | printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, | 269 | printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), |
| 265 | days_left, timestamp); | 270 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp); |
| 266 | if (days_left > days_till_exp_crit) | 271 | if (days_left > days_till_exp_crit) { |
| 267 | status = STATE_WARNING; | 272 | status = STATE_WARNING; |
| 268 | else | 273 | } else { |
| 269 | status = STATE_CRITICAL; | 274 | status = STATE_CRITICAL; |
| 275 | } | ||
| 270 | } else if (days_left == 0 && time_left > 0) { | 276 | } else if (days_left == 0 && time_left > 0) { |
| 271 | if (time_left >= 3600) | 277 | if (time_left >= 3600) { |
| 272 | time_remaining = (int)time_left / 3600; | 278 | time_remaining = (int)time_left / 3600; |
| 273 | else | 279 | } else { |
| 274 | time_remaining = (int)time_left / 60; | 280 | time_remaining = (int)time_left / 60; |
| 281 | } | ||
| 275 | 282 | ||
| 276 | printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, | 283 | printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), |
| 277 | time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp); | 284 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, |
| 285 | time_left >= 3600 ? "hours" : "minutes", timestamp); | ||
| 278 | 286 | ||
| 279 | if (days_left > days_till_exp_crit) | 287 | if (days_left > days_till_exp_crit) { |
| 280 | status = STATE_WARNING; | 288 | status = STATE_WARNING; |
| 281 | else | 289 | } else { |
| 282 | status = STATE_CRITICAL; | 290 | status = STATE_CRITICAL; |
| 291 | } | ||
| 283 | } else if (time_left < 0) { | 292 | } else if (time_left < 0) { |
| 284 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 293 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
| 285 | status = STATE_CRITICAL; | 294 | status = STATE_CRITICAL; |
| 286 | } else if (days_left == 0) { | 295 | } else if (days_left == 0) { |
| 287 | printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp); | 296 | printf(_("%s - Certificate '%s' just expired (%s).\n"), |
| 288 | if (days_left > days_till_exp_crit) | 297 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp); |
| 298 | if (days_left > days_till_exp_crit) { | ||
| 289 | status = STATE_WARNING; | 299 | status = STATE_WARNING; |
| 290 | else | 300 | } else { |
| 291 | status = STATE_CRITICAL; | 301 | status = STATE_CRITICAL; |
| 302 | } | ||
| 292 | } else { | 303 | } else { |
| 293 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 304 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
| 294 | status = STATE_OK; | 305 | status = STATE_OK; |
| @@ -301,7 +312,7 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int | |||
| 301 | # endif /* USE_OPENSSL */ | 312 | # endif /* USE_OPENSSL */ |
| 302 | } | 313 | } |
| 303 | 314 | ||
| 304 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { | 315 | mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { |
| 305 | # ifdef USE_OPENSSL | 316 | # ifdef USE_OPENSSL |
| 306 | X509 *certificate = NULL; | 317 | X509 *certificate = NULL; |
| 307 | certificate = SSL_get_peer_certificate(s); | 318 | certificate = SSL_get_peer_certificate(s); |
| @@ -312,4 +323,138 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { | |||
| 312 | # endif /* USE_OPENSSL */ | 323 | # endif /* USE_OPENSSL */ |
| 313 | } | 324 | } |
| 314 | 325 | ||
| 326 | mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, | ||
| 327 | int days_till_exp_crit) { | ||
| 328 | mp_subcheck sc_cert = mp_subcheck_init(); | ||
| 329 | # ifdef USE_OPENSSL | ||
| 330 | if (!certificate) { | ||
| 331 | xasprintf(&sc_cert.output, _("No server certificate present to inspect")); | ||
| 332 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 333 | return sc_cert; | ||
| 334 | } | ||
| 335 | |||
| 336 | /* Extract CN from certificate subject */ | ||
| 337 | X509_NAME *subj = X509_get_subject_name(certificate); | ||
| 338 | |||
| 339 | if (!subj) { | ||
| 340 | xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject")); | ||
| 341 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 342 | return sc_cert; | ||
| 343 | } | ||
| 344 | |||
| 345 | char commonName[MAX_CN_LENGTH] = ""; | ||
| 346 | int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName)); | ||
| 347 | if (cnlen == -1) { | ||
| 348 | strcpy(commonName, _("Unknown CN")); | ||
| 349 | } | ||
| 350 | |||
| 351 | /* Retrieve timestamp of certificate */ | ||
| 352 | ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate); | ||
| 353 | |||
| 354 | int offset = 0; | ||
| 355 | struct tm stamp = {}; | ||
| 356 | /* Generate tm structure to process timestamp */ | ||
| 357 | if (expiry_timestamp->type == V_ASN1_UTCTIME) { | ||
| 358 | if (expiry_timestamp->length < 10) { | ||
| 359 | xasprintf(&sc_cert.output, _("Wrong time format in certificate")); | ||
| 360 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 361 | return sc_cert; | ||
| 362 | } | ||
| 363 | |||
| 364 | stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0'); | ||
| 365 | if (stamp.tm_year < 50) { | ||
| 366 | stamp.tm_year += 100; | ||
| 367 | } | ||
| 368 | |||
| 369 | offset = 0; | ||
| 370 | } else { | ||
| 371 | if (expiry_timestamp->length < 12) { | ||
| 372 | xasprintf(&sc_cert.output, _("Wrong time format in certificate")); | ||
| 373 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 374 | return sc_cert; | ||
| 375 | } | ||
| 376 | stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 + | ||
| 377 | (expiry_timestamp->data[1] - '0') * 100 + | ||
| 378 | (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0'); | ||
| 379 | stamp.tm_year -= 1900; | ||
| 380 | offset = 2; | ||
| 381 | } | ||
| 382 | |||
| 383 | stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 + | ||
| 384 | (expiry_timestamp->data[3 + offset] - '0') - 1; | ||
| 385 | stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 + | ||
| 386 | (expiry_timestamp->data[5 + offset] - '0'); | ||
| 387 | stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 + | ||
| 388 | (expiry_timestamp->data[7 + offset] - '0'); | ||
| 389 | stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 + | ||
| 390 | (expiry_timestamp->data[9 + offset] - '0'); | ||
| 391 | stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 + | ||
| 392 | (expiry_timestamp->data[11 + offset] - '0'); | ||
| 393 | stamp.tm_isdst = -1; | ||
| 394 | |||
| 395 | time_t tm_t = timegm(&stamp); | ||
| 396 | double time_left = difftime(tm_t, time(NULL)); | ||
| 397 | int days_left = (int)(time_left / 86400); | ||
| 398 | char *timeZone = getenv("TZ"); | ||
| 399 | setenv("TZ", "GMT", 1); | ||
| 400 | tzset(); | ||
| 401 | |||
| 402 | char timestamp[50] = ""; | ||
| 403 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | ||
| 404 | if (timeZone) { | ||
| 405 | setenv("TZ", timeZone, 1); | ||
| 406 | } else { | ||
| 407 | unsetenv("TZ"); | ||
| 408 | } | ||
| 409 | |||
| 410 | tzset(); | ||
| 411 | |||
| 412 | int time_remaining; | ||
| 413 | if (days_left > 0 && days_left <= days_till_exp_warn) { | ||
| 414 | xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName, | ||
| 415 | days_left, timestamp); | ||
| 416 | if (days_left > days_till_exp_crit) { | ||
| 417 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
| 418 | } else { | ||
| 419 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 420 | } | ||
| 421 | } else if (days_left == 0 && time_left > 0) { | ||
| 422 | if (time_left >= 3600) { | ||
| 423 | time_remaining = (int)time_left / 3600; | ||
| 424 | } else { | ||
| 425 | time_remaining = (int)time_left / 60; | ||
| 426 | } | ||
| 427 | |||
| 428 | xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName, | ||
| 429 | time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp); | ||
| 430 | |||
| 431 | if (days_left > days_till_exp_crit) { | ||
| 432 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
| 433 | } else { | ||
| 434 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 435 | } | ||
| 436 | } else if (time_left < 0) { | ||
| 437 | xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp); | ||
| 438 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 439 | } else if (days_left == 0) { | ||
| 440 | xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, | ||
| 441 | timestamp); | ||
| 442 | if (days_left > days_till_exp_crit) { | ||
| 443 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
| 444 | } else { | ||
| 445 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
| 446 | } | ||
| 447 | } else { | ||
| 448 | xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, | ||
| 449 | timestamp); | ||
| 450 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK); | ||
| 451 | } | ||
| 452 | X509_free(certificate); | ||
| 453 | return sc_cert; | ||
| 454 | # else /* ifndef USE_OPENSSL */ | ||
| 455 | xasprintf(&sc_cert.output, _("Plugin does not support checking certificates")); | ||
| 456 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
| 457 | return sc_cert; | ||
| 458 | # endif /* USE_OPENSSL */ | ||
| 459 | } | ||
| 315 | #endif /* HAVE_SSL */ | 460 | #endif /* HAVE_SSL */ |