-rw-r--r--plugins/sslutils.c65
1 files changed, 41 insertions, 24 deletions
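diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 96740b3a..92e0cc84 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -37,13 +37,16 @@ static SSL *s = NULL;
 
 int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
 
-int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
+int np_net_ssl_init_with_hostname(int sd, char *host_name) {
+ return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
+}
 
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
  return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
 }
 
-int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
+int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert,
+ char *privkey) {
  long options = 0;
 
  if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -75,7 +78,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 # endif
  case MP_TLSv1_1: /* TLSv1.1 protocol */
 # if !defined(SSL_OP_NO_TLSv1_1)
- printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+ printf("%s\n",
+ _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
  return STATE_UNKNOWN;
 # else
  SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
@@ -84,7 +88,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 # endif
  case MP_TLSv1_2: /* TLSv1.2 protocol */
 # if !defined(SSL_OP_NO_TLSv1_2)
- printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+ printf("%s\n",
+ _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
  return STATE_UNKNOWN;
 # else
  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
@@ -145,8 +150,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  if ((s = SSL_new(ctx)) != NULL) {
 # ifdef SSL_set_tlsext_host_name
- if (host_name != NULL)
+ if (host_name != NULL) {
  SSL_set_tlsext_host_name(s, host_name);
+ }
 # endif
  SSL_set_fd(s, sd);
  if (SSL_connect(s) == 1) {
@@ -182,7 +188,8 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
 
 int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
 
-int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
+ int days_till_exp_crit) {
 # ifdef USE_OPENSSL
  X509_NAME *subj = NULL;
  char timestamp[50] = "";
@@ -213,8 +220,9 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
  return STATE_CRITICAL;
  }
  cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
- if (cnlen == -1)
+ if (cnlen == -1) {
  strcpy(cn, _("Unknown CN"));
+ }
 
  /* Retrieve timestamp of certificate */
  tm = X509_get_notAfter(certificate);
@@ -226,8 +234,9 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
  return STATE_CRITICAL;
  } else {
  stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
- if (stamp.tm_year < 50)
+ if (stamp.tm_year < 50) {
  stamp.tm_year += 100;
+ }
  offset = 0;
  }
  } else {
@@ -235,7 +244,8 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
  printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
  return STATE_CRITICAL;
  } else {
- stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
+ stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
+ (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
  stamp.tm_year -= 1900;
  offset = 2;
  }
@@ -254,41 +264,48 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
  setenv("TZ", "GMT", 1);
  tzset();
  strftime(timestamp, 50, "%c %z", localtime(&tm_t));
- if (tz)
+ if (tz) {
  setenv("TZ", tz, 1);
- else
+ } else {
  unsetenv("TZ");
+ }
  tzset();
 
  if (days_left > 0 && days_left <= days_till_exp_warn) {
- printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
- days_left, timestamp);
- if (days_left > days_till_exp_crit)
+ printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
+ (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
+ if (days_left > days_till_exp_crit) {
  status = STATE_WARNING;
- else
+ } else {
  status = STATE_CRITICAL;
+ }
  } else if (days_left == 0 && time_left > 0) {
- if (time_left >= 3600)
+ if (time_left >= 3600) {
  time_remaining = (int)time_left / 3600;
- else
+ } else {
  time_remaining = (int)time_left / 60;
+ }
 
- printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
- time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
+ printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
+ (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
+ time_left >= 3600 ? "hours" : "minutes", timestamp);
 
- if (days_left > days_till_exp_crit)
+ if (days_left > days_till_exp_crit) {
  status = STATE_WARNING;
- else
+ } else {
  status = STATE_CRITICAL;
+ }
  } else if (time_left < 0) {
  printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
  status = STATE_CRITICAL;
  } else if (days_left == 0) {
- printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
- if (days_left > days_till_exp_crit)
+ printf(_("%s - Certificate '%s' just expired (%s).\n"),
+ (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
+ if (days_left > days_till_exp_crit) {
  status = STATE_WARNING;
- else
+ } else {
  status = STATE_CRITICAL;
+ }
  } else {
  printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
  status = STATE_OK;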
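Review bot: `strcpy(cn, _("Unknown CN"));` at new line 224 copies a translated string of unknown length into `cn`, whose declaration is outside the hunk; the brace-only reformat keeps that unbounded copy, and since the line just above already passes `sizeof(cn)` to X509_NAME_get_text_by_NID the bounded form `snprintf(cn, sizeof cn, "%s", _("Unknown CN"));` fits the existing code. The same reasoning applies in the last hunk to `strftime(timestamp, 50, "%c %z", localtime(&tm_t));`: `timestamp` is declared `char timestamp[50]` at new line 195, so `sizeof timestamp` ties the bound to the declaration, and because strftime leaves the buffer indeterminate when it returns 0 (and localtime may return NULL), checking that result before `timestamp` is printed in the expiry messages would make the output robust. np_net_ssl_check_certificate begins before the 213/220 hunk and is still open at the end of this section.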