1 files changed, 92 insertions, 81 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 2157764f..a1ce560d 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -36,92 +36,97 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
-int np_net_ssl_init (int sd) {
+int np_net_ssl_init(int sd) {
-                return np_net_ssl_init_with_hostname(sd, NULL);
+        return np_net_ssl_init_with_hostname(sd, NULL);
 }
-int np_net_ssl_init_with_hostname (int sd, char *host_name) {
+int np_net_ssl_init_with_hostname(int sd, char *host_name) {
-                return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
+        return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
 }
-int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {
+int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
-                const SSL_METHOD *method = NULL;
+        const SSL_METHOD *method = NULL;
-                switch (version) {
+        switch (version) {
-                case 0: /* Deafult to auto negotiation */
+        case 0: /* Deafult to auto negotiation */
-                        method = SSLv23_client_method();
+                method = SSLv23_client_method();
-                        break;
+                break;
-                case 1: /* TLSv1 protocol */
+        case 1: /* TLSv1 protocol */
-                        method = TLSv1_client_method();
+                method = TLSv1_client_method();
-                        break;
+                break;
-                case 2: /* SSLv2 protocol */
+        case 2: /* SSLv2 protocol */
-                        method = SSLv2_client_method();
+#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
-                        break;
+                printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
-                case 3: /* SSLv3 protocol */
+                return STATE_CRITICAL;
-                        method = SSLv3_client_method();
+#else
-                        break;
+                method = SSLv2_client_method();
-                default: /* Unsupported */
+#endif
-                        printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));
+                break;
-                        return STATE_CRITICAL;
+        case 3: /* SSLv3 protocol */
-                }
+                method = SSLv3_client_method();
-                if (!initialized) {
+                break;
-                        /* Initialize SSL context */
+        default: /* Unsupported */
-                        SSLeay_add_ssl_algorithms ();
+                printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
-                        SSL_load_error_strings ();
+                return STATE_CRITICAL;
-                        OpenSSL_add_all_algorithms ();
+        }
-                        initialized = 1;
+        if (!initialized) {
-                }
+                /* Initialize SSL context */
-                if ((c = SSL_CTX_new (method)) == NULL) {
+                SSLeay_add_ssl_algorithms();
-                                printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
+                SSL_load_error_strings();
-                                return STATE_CRITICAL;
+                OpenSSL_add_all_algorithms();
-                }
+                initialized = 1;
+        }
+        if ((c = SSL_CTX_new(method)) == NULL) {
+                printf("%s\n", _("CRITICAL - Cannot create SSL context."));
+                return STATE_CRITICAL;
+        }
 #ifdef SSL_OP_NO_TICKET
-                SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+        SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
 #endif
-                if ((s = SSL_new (c)) != NULL){
+        if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
-                                if (host_name != NULL)
+                if (host_name != NULL)
-                                        SSL_set_tlsext_host_name(s, host_name);
+                        SSL_set_tlsext_host_name(s, host_name);
 #endif
-                                SSL_set_fd (s, sd);
+                SSL_set_fd(s, sd);
-                                if (SSL_connect(s) == 1){
+                if (SSL_connect(s) == 1) {
-                                                return OK;
+                        return OK;
-                                } else {
+                } else {
-                                                printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));
+                        printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
 #  ifdef USE_OPENSSL /* XXX look into ERR_error_string */
-                                                ERR_print_errors_fp (stdout);
+                        ERR_print_errors_fp(stdout);
 #  endif /* USE_OPENSSL */
-                                }
-                } else {
-                                printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
                }
-                return STATE_CRITICAL;
+        } else {
+                        printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
+        }
+        return STATE_CRITICAL;
 }
-void np_net_ssl_cleanup (){
+void np_net_ssl_cleanup() {
-                if(s){
+        if (s) {
 #ifdef SSL_set_tlsext_host_name
-                                SSL_set_tlsext_host_name(s, NULL);
+                SSL_set_tlsext_host_name(s, NULL);
 #endif
-                                SSL_shutdown (s);
+                SSL_shutdown(s);
-                                SSL_free (s);
+                SSL_free(s);
-                                if(c) {
+                if (c) {
-                                        SSL_CTX_free (c);
+                        SSL_CTX_free(c);
-                                        c=NULL;
+                        c=NULL;
-                                }
-                                s=NULL;
                }
+                s=NULL;
+        }
 }
-int np_net_ssl_write(const void *buf, int num){
+int np_net_ssl_write(const void *buf, int num) {
        return SSL_write(s, buf, num);
 }
-int np_net_ssl_read(void *buf, int num){
+int np_net_ssl_read(void *buf, int num) {
        return SSL_read(s, buf, num);
 }
-int np_net_ssl_check_cert(int days_till_exp){
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
        X509 *certificate=NULL;
        X509_NAME *subj=NULL;
@@ -137,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){
        char timestamp[17] = "";
        certificate=SSL_get_peer_certificate(s);
-        if(! certificate){
+        if (!certificate) {
-                printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
+                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
        subj=X509_get_subject_name(certificate);
-        if(! subj){
+        if (!subj) {
-                printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+                printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
-        cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
+        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
-        if ( cnlen == -1 )
+        if (cnlen == -1)
-                strcpy(cn , _("Unknown CN"));
+                strcpy(cn, _("Unknown CN"));
        /* Retrieve timestamp of certificate */
-        tm = X509_get_notAfter (certificate);
+        tm = X509_get_notAfter(certificate);
        /* Generate tm structure to process timestamp */
        if (tm->type == V_ASN1_UTCTIME) {
                if (tm->length < 10) {
-                        printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
+                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
                        stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
@@ -169,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){
                }
        } else {
                if (tm->length < 12) {
-                        printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
+                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
                        stamp.tm_year =
@@ -197,23 +202,29 @@ int np_net_ssl_check_cert(int days_till_exp){
                 stamp.tm_mon + 1,
                 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
-        if (days_left > 0 && days_left <= days_till_exp) {
+        if (days_left > 0 && days_left <= days_till_exp_warn) {
-                printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
+                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
-                status=STATE_WARNING;
+                if (days_left > days_till_exp_crit)
+                        return STATE_WARNING;
+                else
+                        return STATE_CRITICAL;
        } else if (time_left < 0) {
-                printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
+                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
                status=STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
+                printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
-                status=STATE_WARNING;
+                if (days_left > days_till_exp_crit)
+                        return STATE_WARNING;
+                else
+                        return STATE_CRITICAL;
        } else {
-                printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
+                printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
                status=STATE_OK;
        }
-        X509_free (certificate);
+        X509_free(certificate);
        return status;
 #  else /* ifndef USE_OPENSSL */
-        printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
+        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
 #  endif /* USE_OPENSSL */
 }

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 2157764f..a1ce560d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -36,92 +36,97 @@ static SSL_CTX *c=NULL;
36	static SSL *s=NULL;	36	static SSL *s=NULL;
37	static int initialized=0;	37	static int initialized=0;
38		38
39	int np_net_ssl_init (int sd) {	39	int np_net_ssl_init(int sd) {
40	return np_net_ssl_init_with_hostname(sd, NULL);	40	return np_net_ssl_init_with_hostname(sd, NULL);
41	}	41	}
42		42
43	int np_net_ssl_init_with_hostname (int sd, char *host_name) {	43	int np_net_ssl_init_with_hostname(int sd, char *host_name) {
44	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);	44	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
45	}	45	}
46		46
47	int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) {	47	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
48	const SSL_METHOD *method = NULL;	48	const SSL_METHOD *method = NULL;
49		49
50	switch (version) {	50	switch (version) {
51	case 0: /* Deafult to auto negotiation */	51	case 0: /* Deafult to auto negotiation */
52	method = SSLv23_client_method();	52	method = SSLv23_client_method();
53	break;	53	break;
54	case 1: /* TLSv1 protocol */	54	case 1: /* TLSv1 protocol */
55	method = TLSv1_client_method();	55	method = TLSv1_client_method();
56	break;	56	break;
57	case 2: /* SSLv2 protocol */	57	case 2: /* SSLv2 protocol */
58	method = SSLv2_client_method();	58	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)
59	break;	59	printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
60	case 3: /* SSLv3 protocol */	60	return STATE_CRITICAL;
61	method = SSLv3_client_method();	61	#else
62	break;	62	method = SSLv2_client_method();
63	default: /* Unsupported */	63	#endif
64	printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version."));	64	break;
65	return STATE_CRITICAL;	65	case 3: /* SSLv3 protocol */
66	}	66	method = SSLv3_client_method();
67	if (!initialized) {	67	break;
68	/* Initialize SSL context */	68	default: /* Unsupported */
69	SSLeay_add_ssl_algorithms ();	69	printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
70	SSL_load_error_strings ();	70	return STATE_CRITICAL;
71	OpenSSL_add_all_algorithms ();	71	}
72	initialized = 1;	72	if (!initialized) {
73	}	73	/* Initialize SSL context */
74	if ((c = SSL_CTX_new (method)) == NULL) {	74	SSLeay_add_ssl_algorithms();
75	printf ("%s\n", _("CRITICAL - Cannot create SSL context."));	75	SSL_load_error_strings();
76	return STATE_CRITICAL;	76	OpenSSL_add_all_algorithms();
77	}	77	initialized = 1;
		78	}
		79	if ((c = SSL_CTX_new(method)) == NULL) {
		80	printf("%s\n", _("CRITICAL - Cannot create SSL context."));
		81	return STATE_CRITICAL;
		82	}
78	#ifdef SSL_OP_NO_TICKET	83	#ifdef SSL_OP_NO_TICKET
79	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);	84	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
80	#endif	85	#endif
81	if ((s = SSL_new (c)) != NULL){	86	if ((s = SSL_new(c)) != NULL) {
82	#ifdef SSL_set_tlsext_host_name	87	#ifdef SSL_set_tlsext_host_name
83	if (host_name != NULL)	88	if (host_name != NULL)
84	SSL_set_tlsext_host_name(s, host_name);	89	SSL_set_tlsext_host_name(s, host_name);
85	#endif	90	#endif
86	SSL_set_fd (s, sd);	91	SSL_set_fd(s, sd);
87	if (SSL_connect(s) == 1){	92	if (SSL_connect(s) == 1) {
88	return OK;	93	return OK;
89	} else {	94	} else {
90	printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));	95	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
91	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */	96	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
92	ERR_print_errors_fp (stdout);	97	ERR_print_errors_fp(stdout);
93	# endif /* USE_OPENSSL */	98	# endif /* USE_OPENSSL */
94	}
95	} else {
96	printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
97	}	99	}
98	return STATE_CRITICAL;	100	} else {
		101	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
		102	}
		103	return STATE_CRITICAL;
99	}	104	}
100		105
101	void np_net_ssl_cleanup (){	106	void np_net_ssl_cleanup() {
102	if(s){	107	if (s) {
103	#ifdef SSL_set_tlsext_host_name	108	#ifdef SSL_set_tlsext_host_name
104	SSL_set_tlsext_host_name(s, NULL);	109	SSL_set_tlsext_host_name(s, NULL);
105	#endif	110	#endif
106	SSL_shutdown (s);	111	SSL_shutdown(s);
107	SSL_free (s);	112	SSL_free(s);
108	if(c) {	113	if (c) {
109	SSL_CTX_free (c);	114	SSL_CTX_free(c);
110	c=NULL;	115	c=NULL;
111	}
112	s=NULL;
113	}	116	}
		117	s=NULL;
		118	}
114	}	119	}
115		120
116	int np_net_ssl_write(const void *buf, int num){	121	int np_net_ssl_write(const void *buf, int num) {
117	return SSL_write(s, buf, num);	122	return SSL_write(s, buf, num);
118	}	123	}
119		124
120	int np_net_ssl_read(void *buf, int num){	125	int np_net_ssl_read(void *buf, int num) {
121	return SSL_read(s, buf, num);	126	return SSL_read(s, buf, num);
122	}	127	}
123		128
124	int np_net_ssl_check_cert(int days_till_exp){	129	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
125	# ifdef USE_OPENSSL	130	# ifdef USE_OPENSSL
126	X509 *certificate=NULL;	131	X509 *certificate=NULL;
127	X509_NAME *subj=NULL;	132	X509_NAME *subj=NULL;
@@ -137,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){
137	char timestamp[17] = "";	142	char timestamp[17] = "";
138		143
139	certificate=SSL_get_peer_certificate(s);	144	certificate=SSL_get_peer_certificate(s);
140	if(! certificate){	145	if (!certificate) {
141	printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	146	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
142	return STATE_CRITICAL;	147	return STATE_CRITICAL;
143	}	148	}
144		149
145	/* Extract CN from certificate subject */	150	/* Extract CN from certificate subject */
146	subj=X509_get_subject_name(certificate);	151	subj=X509_get_subject_name(certificate);
147		152
148	if(! subj){	153	if (!subj) {
149	printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));	154	printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
150	return STATE_CRITICAL;	155	return STATE_CRITICAL;
151	}	156	}
152	cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));	157	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
153	if ( cnlen == -1 )	158	if (cnlen == -1)
154	strcpy(cn , _("Unknown CN"));	159	strcpy(cn, _("Unknown CN"));
155		160
156	/* Retrieve timestamp of certificate */	161	/* Retrieve timestamp of certificate */
157	tm = X509_get_notAfter (certificate);	162	tm = X509_get_notAfter(certificate);
158		163
159	/* Generate tm structure to process timestamp */	164	/* Generate tm structure to process timestamp */
160	if (tm->type == V_ASN1_UTCTIME) {	165	if (tm->type == V_ASN1_UTCTIME) {
161	if (tm->length < 10) {	166	if (tm->length < 10) {
162	printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));	167	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
163	return STATE_CRITICAL;	168	return STATE_CRITICAL;
164	} else {	169	} else {
165	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');	170	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
@@ -169,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){
169	}	174	}
170	} else {	175	} else {
171	if (tm->length < 12) {	176	if (tm->length < 12) {
172	printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));	177	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
173	return STATE_CRITICAL;	178	return STATE_CRITICAL;
174	} else {	179	} else {
175	stamp.tm_year =	180	stamp.tm_year =
@@ -197,23 +202,29 @@ int np_net_ssl_check_cert(int days_till_exp){
197	stamp.tm_mon + 1,	202	stamp.tm_mon + 1,
198	stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);	203	stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
199		204
200	if (days_left > 0 && days_left <= days_till_exp) {	205	if (days_left > 0 && days_left <= days_till_exp_warn) {
201	printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);	206	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
202	status=STATE_WARNING;	207	if (days_left > days_till_exp_crit)
		208	return STATE_WARNING;
		209	else
		210	return STATE_CRITICAL;
203	} else if (time_left < 0) {	211	} else if (time_left < 0) {
204	printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	212	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
205	status=STATE_CRITICAL;	213	status=STATE_CRITICAL;
206	} else if (days_left == 0) {	214	} else if (days_left == 0) {
207	printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);	215	printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
208	status=STATE_WARNING;	216	if (days_left > days_till_exp_crit)
		217	return STATE_WARNING;
		218	else
		219	return STATE_CRITICAL;
209	} else {	220	} else {
210	printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);	221	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
211	status=STATE_OK;	222	status=STATE_OK;
212	}	223	}
213	X509_free (certificate);	224	X509_free(certificate);
214	return status;	225	return status;
215	# else /* ifndef USE_OPENSSL */	226	# else /* ifndef USE_OPENSSL */
216	printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));	227	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
217	return STATE_WARNING;	228	return STATE_WARNING;
218	# endif /* USE_OPENSSL */	229	# endif /* USE_OPENSSL */
219	}	230	}