1 files changed, 103 insertions, 26 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index d0ae4741..b412ef3d 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
        SSL_METHOD *method = NULL;
+        long options = 0;
        switch (version) {
-        case 0: /* Deafult to auto negotiation */
+        case MP_SSLv2: /* SSLv2 protocol */
-                method = SSLv23_client_method();
-                break;
-        case 1: /* TLSv1 protocol */
-                method = TLSv1_client_method();
-                break;
-        case 2: /* SSLv2 protocol */
 #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
-                printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
+                printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
-                return STATE_CRITICAL;
+                return STATE_UNKNOWN;
 #else
                method = SSLv2_client_method();
-#endif
                break;
-        case 3: /* SSLv3 protocol */
+#endif
+        case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+                printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
                method = SSLv3_client_method();
                break;
-        default: /* Unsupported */
+#endif
-                printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
+        case MP_TLSv1: /* TLSv1 protocol */
-                return STATE_CRITICAL;
+#if defined(OPENSSL_NO_TLS1)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_client_method();
+                break;
+#endif
+        case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_1_client_method();
+                break;
+#endif
+        case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_2_client_method();
+                break;
+#endif
+        case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+                printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                options |= SSL_OP_NO_TLSv1_1;
+#endif
+                /* FALLTHROUGH */
+        case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+                printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                options |= SSL_OP_NO_TLSv1;
+#endif
+                /* FALLTHROUGH */
+        case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+                options |= SSL_OP_NO_SSLv3;
+#endif
+                /* FALLTHROUGH */
+        case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+                options |= SSL_OP_NO_SSLv2;
+#endif
+        case MP_SSLv2_OR_NEWER:
+                /* FALLTHROUGH */
+        default: /* Default to auto negotiation */
+                method = SSLv23_client_method();
        }
        if (!initialized) {
                /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #endif
        }
 #ifdef SSL_OP_NO_TICKET
-        SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+        options |= SSL_OP_NO_TICKET;
 #endif
+        SSL_CTX_set_options(c, options);
        SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
        if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
@@ -144,7 +195,10 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
        X509 *certificate=NULL;
        X509_NAME *subj=NULL;
+        char timestamp[50] = "";
        char cn[MAX_CN_LENGTH]= "";
+        char *tz;
+        
        int cnlen =-1;
        int status=STATE_UNKNOWN;
@@ -153,7 +207,7 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
        struct tm stamp;
        float time_left;
        int days_left;
-        char timestamp[50] = "";
+        int time_remaining;
        time_t tm_t;
        certificate=SSL_get_peer_certificate(s);
@@ -207,32 +261,55 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
                (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
        stamp.tm_min =
                (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
-        stamp.tm_sec = 0;
+        stamp.tm_sec =
+                (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
-        time_left = difftime(timegm(&stamp), time(NULL));
+        tm_t = timegm(&stamp);
+        time_left = difftime(tm_t, time(NULL));
        days_left = time_left / 86400;
-        tm_t = mktime (&stamp);
+        tz = getenv("TZ");
-        strftime(timestamp, 50, "%c", localtime(&tm_t));
+        setenv("TZ", "GMT", 1);
+        tzset();
+        strftime(timestamp, 50, "%c %z", localtime(&tm_t));
+        if (tz)
+                setenv("TZ", tz, 1);
+        else
+                unsetenv("TZ");
+        tzset();
        if (days_left > 0 && days_left <= days_till_exp_warn) {
                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
                if (days_left > days_till_exp_crit)
-                        return STATE_WARNING;
+                        status = STATE_WARNING;
                else
-                        return STATE_CRITICAL;
+                        status = STATE_CRITICAL;
+        } else if (days_left == 0 && time_left > 0) {
+                if (time_left >= 3600)
+                        time_remaining = (int) time_left / 3600;
+                else
+                        time_remaining = (int) time_left / 60;
+                printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
+                        (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
+                        time_left >= 3600 ? "hours" : "minutes", timestamp);
+                if ( days_left > days_till_exp_crit)
+                        status = STATE_WARNING;
+                else
+                        status = STATE_CRITICAL;
        } else if (time_left < 0) {
                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
                status=STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
+                printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
                if (days_left > days_till_exp_crit)
-                        return STATE_WARNING;
+                        status = STATE_WARNING;
                else
-                        return STATE_CRITICAL;
+                        status = STATE_CRITICAL;
        } else {
                printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
-                status=STATE_OK;
+                status = STATE_OK;
        }
        X509_free(certificate);
        return status;

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index d0ae4741..b412ef3d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
49		49
50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {	50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {
51	SSL_METHOD *method = NULL;	51	SSL_METHOD *method = NULL;
		52	long options = 0;
52		53
53	switch (version) {	54	switch (version) {
54	case 0: /* Deafult to auto negotiation */	55	case MP_SSLv2: /* SSLv2 protocol */
55	method = SSLv23_client_method();
56	break;
57	case 1: /* TLSv1 protocol */
58	method = TLSv1_client_method();
59	break;
60	case 2: /* SSLv2 protocol */
61	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)	56	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)
62	printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));	57	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
63	return STATE_CRITICAL;	58	return STATE_UNKNOWN;
64	#else	59	#else
65	method = SSLv2_client_method();	60	method = SSLv2_client_method();
66	#endif
67	break;	61	break;
68	case 3: /* SSLv3 protocol */	62	#endif
		63	case MP_SSLv3: /* SSLv3 protocol */
		64	#if defined(OPENSSL_NO_SSL3)
		65	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
		66	return STATE_UNKNOWN;
		67	#else
69	method = SSLv3_client_method();	68	method = SSLv3_client_method();
70	break;	69	break;
71	default: /* Unsupported */	70	#endif
72	printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));	71	case MP_TLSv1: /* TLSv1 protocol */
73	return STATE_CRITICAL;	72	#if defined(OPENSSL_NO_TLS1)
		73	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
		74	return STATE_UNKNOWN;
		75	#else
		76	method = TLSv1_client_method();
		77	break;
		78	#endif
		79	case MP_TLSv1_1: /* TLSv1.1 protocol */
		80	#if !defined(SSL_OP_NO_TLSv1_1)
		81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
		82	return STATE_UNKNOWN;
		83	#else
		84	method = TLSv1_1_client_method();
		85	break;
		86	#endif
		87	case MP_TLSv1_2: /* TLSv1.2 protocol */
		88	#if !defined(SSL_OP_NO_TLSv1_2)
		89	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
		90	return STATE_UNKNOWN;
		91	#else
		92	method = TLSv1_2_client_method();
		93	break;
		94	#endif
		95	case MP_TLSv1_2_OR_NEWER:
		96	#if !defined(SSL_OP_NO_TLSv1_1)
		97	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
		98	return STATE_UNKNOWN;
		99	#else
		100	options \|= SSL_OP_NO_TLSv1_1;
		101	#endif
		102	/* FALLTHROUGH */
		103	case MP_TLSv1_1_OR_NEWER:
		104	#if !defined(SSL_OP_NO_TLSv1)
		105	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
		106	return STATE_UNKNOWN;
		107	#else
		108	options \|= SSL_OP_NO_TLSv1;
		109	#endif
		110	/* FALLTHROUGH */
		111	case MP_TLSv1_OR_NEWER:
		112	#if defined(SSL_OP_NO_SSLv3)
		113	options \|= SSL_OP_NO_SSLv3;
		114	#endif
		115	/* FALLTHROUGH */
		116	case MP_SSLv3_OR_NEWER:
		117	#if defined(SSL_OP_NO_SSLv2)
		118	options \|= SSL_OP_NO_SSLv2;
		119	#endif
		120	case MP_SSLv2_OR_NEWER:
		121	/* FALLTHROUGH */
		122	default: /* Default to auto negotiation */
		123	method = SSLv23_client_method();
74	}	124	}
75	if (!initialized) {	125	if (!initialized) {
76	/* Initialize SSL context */	126	/* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
94	#endif	144	#endif
95	}	145	}
96	#ifdef SSL_OP_NO_TICKET	146	#ifdef SSL_OP_NO_TICKET
97	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);	147	options \|= SSL_OP_NO_TICKET;
98	#endif	148	#endif
		149	SSL_CTX_set_options(c, options);
99	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);	150	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
100	if ((s = SSL_new(c)) != NULL) {	151	if ((s = SSL_new(c)) != NULL) {
101	#ifdef SSL_set_tlsext_host_name	152	#ifdef SSL_set_tlsext_host_name
@@ -144,7 +195,10 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
144	# ifdef USE_OPENSSL	195	# ifdef USE_OPENSSL
145	X509 *certificate=NULL;	196	X509 *certificate=NULL;
146	X509_NAME *subj=NULL;	197	X509_NAME *subj=NULL;
		198	char timestamp[50] = "";
147	char cn[MAX_CN_LENGTH]= "";	199	char cn[MAX_CN_LENGTH]= "";
		200	char *tz;
		201
148	int cnlen =-1;	202	int cnlen =-1;
149	int status=STATE_UNKNOWN;	203	int status=STATE_UNKNOWN;
150		204
@@ -153,7 +207,7 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
153	struct tm stamp;	207	struct tm stamp;
154	float time_left;	208	float time_left;
155	int days_left;	209	int days_left;
156	char timestamp[50] = "";	210	int time_remaining;
157	time_t tm_t;	211	time_t tm_t;
158		212
159	certificate=SSL_get_peer_certificate(s);	213	certificate=SSL_get_peer_certificate(s);
@@ -207,32 +261,55 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
207	(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');	261	(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
208	stamp.tm_min =	262	stamp.tm_min =
209	(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');	263	(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
210	stamp.tm_sec = 0;	264	stamp.tm_sec =
		265	(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
211	stamp.tm_isdst = -1;	266	stamp.tm_isdst = -1;
212		267
213	time_left = difftime(timegm(&stamp), time(NULL));	268	tm_t = timegm(&stamp);
		269	time_left = difftime(tm_t, time(NULL));
214	days_left = time_left / 86400;	270	days_left = time_left / 86400;
215	tm_t = mktime (&stamp);	271	tz = getenv("TZ");
216	strftime(timestamp, 50, "%c", localtime(&tm_t));	272	setenv("TZ", "GMT", 1);
		273	tzset();
		274	strftime(timestamp, 50, "%c %z", localtime(&tm_t));
		275	if (tz)
		276	setenv("TZ", tz, 1);
		277	else
		278	unsetenv("TZ");
		279	tzset();
217		280
218	if (days_left > 0 && days_left <= days_till_exp_warn) {	281	if (days_left > 0 && days_left <= days_till_exp_warn) {
219	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);	282	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
220	if (days_left > days_till_exp_crit)	283	if (days_left > days_till_exp_crit)
221	return STATE_WARNING;	284	status = STATE_WARNING;
222	else	285	else
223	return STATE_CRITICAL;	286	status = STATE_CRITICAL;
		287	} else if (days_left == 0 && time_left > 0) {
		288	if (time_left >= 3600)
		289	time_remaining = (int) time_left / 3600;
		290	else
		291	time_remaining = (int) time_left / 60;
		292
		293	printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
		294	(days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
		295	time_left >= 3600 ? "hours" : "minutes", timestamp);
		296
		297	if ( days_left > days_till_exp_crit)
		298	status = STATE_WARNING;
		299	else
		300	status = STATE_CRITICAL;
224	} else if (time_left < 0) {	301	} else if (time_left < 0) {
225	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	302	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
226	status=STATE_CRITICAL;	303	status=STATE_CRITICAL;
227	} else if (days_left == 0) {	304	} else if (days_left == 0) {
228	printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);	305	printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
229	if (days_left > days_till_exp_crit)	306	if (days_left > days_till_exp_crit)
230	return STATE_WARNING;	307	status = STATE_WARNING;
231	else	308	else
232	return STATE_CRITICAL;	309	status = STATE_CRITICAL;
233	} else {	310	} else {
234	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);	311	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
235	status=STATE_OK;	312	status = STATE_OK;
236	}	313	}
237	X509_free(certificate);	314	X509_free(certificate);
238	return status;	315	return status;