applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp

5 files changed, 89 insertions, 33 deletions

diff --git a/plugins/check_http.c b/plugins/check_http.c
index 315848fc..703e3174 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -58,8 +58,8 @@ enum {
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
 int ssl_version;
+int days_till_exp_warn, days_till_exp_crit;
 char *randbuff;
 X509 *server_cert;
 #  define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -178,6 +178,7 @@ process_arguments (int argc, char **argv)
 {
   int c = 1;
   char *p;
+  char *temp;
 
   enum {
     INVERT_REGEX = CHAR_MAX + 1,
@@ -282,13 +283,25 @@ process_arguments (int argc, char **argv)
       break;
     case 'C': /* Check SSL cert validity */
 #ifdef HAVE_SSL
-      if (!is_intnonneg (optarg))
-        usage2 (_("Invalid certificate expiration period"), optarg);
+      if ((temp=strchr(optarg,','))!=NULL) {
+        *temp='\0';
+        if (!is_intnonneg (temp))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi(optarg);
+        *temp=',';
+        temp++;
+        if (!is_intnonneg (temp))
+          usage2 (_("Invalid certificate expiration period"), temp);
+        days_till_exp_crit = atoi (temp);
+      }
       else {
-        days_till_exp = atoi (optarg);
-        check_cert = TRUE;
+        days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
       }
-     /* Fall through to -S option */
+      check_cert = TRUE;
+      /* Fall through to -S option */
 #endif
     case 'S': /* use SSL */
 #ifndef HAVE_SSL
@@ -810,7 +823,7 @@ check_http (void)
     if (result != STATE_OK)
       return result;
     if (check_cert == TRUE) {
-      result = np_net_ssl_check_cert(days_till_exp);
+      result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
       np_net_ssl_cleanup();
       if (sd) close(sd);
       return result;
@@ -1427,6 +1440,13 @@ print_help (void)
   printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
   printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
   printf (" %s\n", _("the certificate is expired."));
+
+  printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
+  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+  printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+  printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+
 #endif
 
   printf (UT_SUPPORT);
@@ -1444,6 +1464,6 @@ print_usage (void)
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
   printf ("       [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
-  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
-  printf ("       [-j method]\n");
+  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+  printf ("       [-T <content-type>] [-j method]\n");
 }
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 494bc2cd..0af50e32 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
+int days_till_exp_warn, days_till_exp_crit;
 #  define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 #  define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else /* ifndef HAVE_SSL */
@@ -275,7 +275,7 @@ main (int argc, char **argv)
 
 #  ifdef USE_OPENSSL
                   if ( check_cert ) {
-                    result = np_net_ssl_check_cert(days_till_exp);
+                    result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
                     my_close();
                     return result;
                   }
@@ -454,6 +454,7 @@ int
 process_arguments (int argc, char **argv)
 {
         int c;
+        char* temp;
 
         int option = 0;
         static struct option longopts[] = {
@@ -600,12 +601,26 @@ process_arguments (int argc, char **argv)
                 case 'D':
                 /* Check SSL cert validity */
 #ifdef USE_OPENSSL
-                        if (!is_intnonneg (optarg))
-                                usage2 ("Invalid certificate expiration period",optarg);
-                                days_till_exp = atoi (optarg);
-                                check_cert = TRUE;
+                        if ((temp=strchr(optarg,','))!=NULL) {
+                            *temp='\0';
+                            if (!is_intnonneg (temp))
+                               usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi(optarg);
+                            *temp=',';
+                            temp++;
+                            if (!is_intnonneg (temp))
+                                usage2 (_("Invalid certificate expiration period"), temp);
+                            days_till_exp_crit = atoi (temp);
+                        }
+                        else {
+                            days_till_exp_crit=0;
+                            if (!is_intnonneg (optarg))
+                                usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi (optarg);
+                        }
+                        check_cert = TRUE;
 #else
-                                usage (_("SSL support not available - install OpenSSL and recompile"));
+                        usage (_("SSL support not available - install OpenSSL and recompile"));
 #endif
                         break;
                 case '4':
@@ -802,7 +817,7 @@ print_help (void)
   printf (" %s\n", "-F, --fqdn=STRING");
   printf ("    %s\n", _("FQDN used for HELO"));
 #ifdef HAVE_SSL
-  printf (" %s\n", "-D, --certificate=INTEGER");
+  printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
   printf (" %s\n", "-S, --starttls");
   printf ("    %s\n", _("Use STARTTLS for the connection."));
@@ -838,8 +853,8 @@ void
 print_usage (void)
 {
   printf ("%s\n", _("Usage:"));
-  printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname);
-  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n");
-  printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n");
+  printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname);
+  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n");
+  printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n");
 }
 
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index d3c92a49..7b0f7f8a 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
 
 #ifdef HAVE_SSL
 static int check_cert = FALSE;
-static int days_till_exp;
+static int days_till_exp_warn, days_till_exp_crit;
 # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else
@@ -235,7 +235,7 @@ main (int argc, char **argv)
         if (flags & FLAG_SSL){
                 result = np_net_ssl_init(sd);
                 if (result == STATE_OK && check_cert == TRUE) {
-                        result = np_net_ssl_check_cert(days_till_exp);
+                        result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
                 }
         }
         if(result != STATE_OK || check_cert == TRUE){
@@ -380,6 +380,7 @@ process_arguments (int argc, char **argv)
 {
         int c;
         int escape = 0;
+        char *temp;
 
         int option = 0;
         static struct option longopts[] = {
@@ -552,9 +553,22 @@ process_arguments (int argc, char **argv)
                 case 'D': /* Check SSL cert validity - days 'til certificate expiration */
 #ifdef HAVE_SSL
 #  ifdef USE_OPENSSL /* XXX */
-                        if (!is_intnonneg (optarg))
+                        if ((temp=strchr(optarg,','))!=NULL) {
+                            *temp='\0';
+                            if (!is_intnonneg (temp))
+                               usage2 (_("Invalid certificate expiration period"), optarg);                              days_till_exp_warn = atoi(optarg);
+                            *temp=',';
+                            temp++;
+                            if (!is_intnonneg (temp))
+                                usage2 (_("Invalid certificate expiration period"), temp);
+                            days_till_exp_crit = atoi (temp);
+                        }
+                        else {
+                            days_till_exp_crit=0;
+                            if (!is_intnonneg (optarg))
                                 usage2 (_("Invalid certificate expiration period"), optarg);
-                        days_till_exp = atoi (optarg);
+                            days_till_exp_warn = atoi (optarg);
+                        }
                         check_cert = TRUE;
                         flags |= FLAG_SSL;
                         break;
@@ -626,8 +640,9 @@ print_help (void)
   printf ("    %s\n", _("Seconds to wait between sending string and polling for response"));
 
 #ifdef HAVE_SSL
-        printf (" %s\n", "-D, --certificate=INTEGER");
+        printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
+  printf ("    %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
   printf (" %s\n", "-S, --ssl");
   printf ("    %s\n", _("Use SSL for the connection."));
 #endif
@@ -649,6 +664,6 @@ print_usage (void)
   printf ("%s -H host -p port [-w <warning time>] [-c <critical time>] [-s <send string>]\n",progname);
   printf ("[-e <expect string>] [-q <quit string>][-m <maximum bytes>] [-d <delay>]\n");
   printf ("[-t <timeout seconds>] [-r <refuse state>] [-M <mismatch state>] [-v] [-4|-6] [-j]\n");
-  printf ("[-D <days to cert expiry>] [-S <use SSL>] [-E]\n");
+  printf ("[-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>] [-E]\n");
 }
 
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 572a3ae2..21017f1f 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
-int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
 #endif /* HAVE_SSL */
 
 #endif /* _NETUTILS_H_ */
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 5425bb2c..fe31b562 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) {
         return SSL_read(s, buf, num);
 }
 
-int np_net_ssl_check_cert(int days_till_exp) {
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
         X509 *certificate=NULL;
         X509_NAME *subj=NULL;
@@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) {
                  stamp.tm_mon + 1,
                  stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
 
-        if (days_left > 0 && days_left <= days_till_exp) {
-                printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
-                status=STATE_WARNING;
+        if (days_left > 0 && days_left <= days_till_exp_warn) {
+                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp);
+                if (days_left > days_till_exp_crit)
+                        return STATE_WARNING;
+                else
+                        return STATE_CRITICAL;
         } else if (time_left < 0) {
                 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
                 status=STATE_CRITICAL;
         } else if (days_left == 0) {
-                printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
-                status=STATE_WARNING;
+                printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp);
+                if (days_left > days_till_exp_crit)
+                        return STATE_WARNING;
+                else
+                        return STATE_CRITICAL;
         } else {
                 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
                 status=STATE_OK;