1 files changed, 56 insertions, 10 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index c6a7ab8..e14fb19 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
 char output_string_search[30] = "";
 char *warning_thresholds = NULL;
 char *critical_thresholds = NULL;
+int days_till_exp_warn, days_till_exp_crit;
 thresholds *thlds;
 char user_agent[DEFAULT_BUFFER_SIZE];
 int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
+X509 *cert = NULL;
 int process_arguments (int, char**);
 int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
  return result;
 }
+int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+  cert = X509_STORE_CTX_get_current_cert(x509_ctx);
+  return 1;
+}
+CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
+{
+  SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
+  return CURLE_OK;
+}
 int
 check_http (void)
 {
@@ -177,6 +192,9 @@ check_http (void)
  if (verbose >= 3)
    curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
+  /* print everything on stdout like check_http would do */
+  curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
  /* initialize buffer for body of the answer */
  if (curlhelp_initbuffer(&body_buf) < 0)
    die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
  curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
  curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
-  /* backward-compatible behaviour, be tolerant in checks */
+  /* backward-compatible behaviour, be tolerant in checks
-  if (!check_cert) {
+   * TODO: depending on more options have aspects we want
-    /* TODO: depending on more options have aspects we want
+   * to be less tolerant about ssl verfications
-     * to be tolerant about
+   */
-     * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 );
+  curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
-     */
+  curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
-    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
-    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+  /* set callback to extract certificate */
+  if(check_cert) {
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
  }
  /* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
    die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
  }
+  /* certificate checks */
+#ifdef HAVE_SSL
+  if (use_ssl == TRUE) {
+    if (check_cert == TRUE) {
+      result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+      return(result);
+    }
+  }
+#endif /* HAVE_SSL */
  /* we got the data and we executed the request in a given time, so we can append
   * performance data to the answer always
   */
@@ -439,6 +469,7 @@ int
 process_arguments (int argc, char **argv)
 {
  int c = 1;
+  char *temp;
  enum {
    INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
      break;
    case 'C': /* Check SSL cert validity */
 #ifdef LIBCURL_FEATURE_SSL
-      /* TODO: C:, check age of certificate for backward compatible
+      if ((temp=strchr(optarg,','))!=NULL) {
-       * behaviour, but we would later add more check conditions */
+        *temp='\0';
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi(optarg);
+        *temp=',';
+        temp++;
+        if (!is_intnonneg (temp))
+          usage2 (_("Invalid certificate expiration period"), temp);
+        days_till_exp_crit = atoi (temp);
+      }
+      else {
+        days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
+      }
      check_cert = TRUE;
      goto enable_ssl;
 #endif

diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab8..e14fb19 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
93	char output_string_search[30] = "";	93	char output_string_search[30] = "";
94	char *warning_thresholds = NULL;	94	char *warning_thresholds = NULL;
95	char *critical_thresholds = NULL;	95	char *critical_thresholds = NULL;
		96	int days_till_exp_warn, days_till_exp_crit;
96	thresholds *thlds;	97	thresholds *thlds;
97	char user_agent[DEFAULT_BUFFER_SIZE];	98	char user_agent[DEFAULT_BUFFER_SIZE];
98	int verbose = 0;	99	int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
122	char *client_cert = NULL;	123	char *client_cert = NULL;
123	char *client_privkey = NULL;	124	char *client_privkey = NULL;
124	char *ca_cert = NULL;	125	char *ca_cert = NULL;
		126	X509 *cert = NULL;
125		127
126	int process_arguments (int, char**);	128	int process_arguments (int, char**);
127	int check_http (void);	129	int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
162	return result;	164	return result;
163	}	165	}
164		166
		167	int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
		168	{
		169	cert = X509_STORE_CTX_get_current_cert(x509_ctx);
		170	return 1;
		171	}
		172
		173	CURLcode sslctxfun(CURL curl, SSL_CTX sslctx, void *parm)
		174	{
		175	SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
		176
		177	return CURLE_OK;
		178	}
		179
165	int	180	int
166	check_http (void)	181	check_http (void)
167	{	182	{
@@ -177,6 +192,9 @@ check_http (void)
177	if (verbose >= 3)	192	if (verbose >= 3)
178	curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);	193	curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
179		194
		195	/* print everything on stdout like check_http would do */
		196	curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
		197
180	/* initialize buffer for body of the answer */	198	/* initialize buffer for body of the answer */
181	if (curlhelp_initbuffer(&body_buf) < 0)	199	if (curlhelp_initbuffer(&body_buf) < 0)
182	die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");	200	die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
242	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);	260	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
243	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);	261	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
244		262
245	/* backward-compatible behaviour, be tolerant in checks */	263	/* backward-compatible behaviour, be tolerant in checks
246	if (!check_cert) {	264	* TODO: depending on more options have aspects we want
247	/* TODO: depending on more options have aspects we want	265	* to be less tolerant about ssl verfications
248	* to be tolerant about	266	*/
249	* curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 );	267	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
250	*/	268	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
251	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);	269
252	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);	270	/* set callback to extract certificate */
		271	if(check_cert) {
		272	curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
253	}	273	}
254		274
255	/* set default or user-given user agent identification */	275	/* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
308	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);	328	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
309	}	329	}
310		330
		331	/* certificate checks */
		332	#ifdef HAVE_SSL
		333	if (use_ssl == TRUE) {
		334	if (check_cert == TRUE) {
		335	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
		336	return(result);
		337	}
		338	}
		339	#endif /* HAVE_SSL */
		340
311	/* we got the data and we executed the request in a given time, so we can append	341	/* we got the data and we executed the request in a given time, so we can append
312	* performance data to the answer always	342	* performance data to the answer always
313	*/	343	*/
@@ -439,6 +469,7 @@ int
439	process_arguments (int argc, char **argv)	469	process_arguments (int argc, char **argv)
440	{	470	{
441	int c = 1;	471	int c = 1;
		472	char *temp;
442		473
443	enum {	474	enum {
444	INVERT_REGEX = CHAR_MAX + 1,	475	INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
537	break;	568	break;
538	case 'C': /* Check SSL cert validity */	569	case 'C': /* Check SSL cert validity */
539	#ifdef LIBCURL_FEATURE_SSL	570	#ifdef LIBCURL_FEATURE_SSL
540	/* TODO: C:, check age of certificate for backward compatible	571	if ((temp=strchr(optarg,','))!=NULL) {
541	* behaviour, but we would later add more check conditions */	572	*temp='\0';
		573	if (!is_intnonneg (optarg))
		574	usage2 (_("Invalid certificate expiration period"), optarg);
		575	days_till_exp_warn = atoi(optarg);
		576	*temp=',';
		577	temp++;
		578	if (!is_intnonneg (temp))
		579	usage2 (_("Invalid certificate expiration period"), temp);
		580	days_till_exp_crit = atoi (temp);
		581	}
		582	else {
		583	days_till_exp_crit=0;
		584	if (!is_intnonneg (optarg))
		585	usage2 (_("Invalid certificate expiration period"), optarg);
		586	days_till_exp_warn = atoi (optarg);
		587	}
542	check_cert = TRUE;	588	check_cert = TRUE;
543	goto enable_ssl;	589	goto enable_ssl;
544	#endif	590	#endif