1 files changed, 76 insertions, 59 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 4f9c793..6bc0ba8 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
 /*****************************************************************************
-* 
+*
 * Monitoring Plugins SSL utilities
-* 
+*
 * License: GPL
 * Copyright (c) 2005-2010 Monitoring Plugins Development Team
-* 
+*
 * Description:
-* 
+*
 * This file contains common functions for plugins that require SSL.
-* 
+*
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
-* 
+*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
-* 
+*
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-* 
+*
-* 
+*
 *****************************************************************************/
 #define MAX_CN_LENGTH 256
@@ -31,9 +31,8 @@
 #include "netutils.h"
 #ifdef HAVE_SSL
-static SSL_CTX *c=NULL;
+static SSL_CTX *ctx=NULL;
 static SSL *s=NULL;
-static int initialized=0;
 int np_net_ssl_init(int sd) {
        return np_net_ssl_init_with_hostname(sd, NULL);
@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
 }
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
-        SSL_METHOD *method = NULL;
        long options = 0;
+        if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+                printf("%s\n", _("CRITICAL - Cannot create SSL context."));
+                return STATE_CRITICAL;
+        }
        switch (version) {
        case MP_SSLv2: /* SSLv2 protocol */
-#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
                printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
-                method = SSLv2_client_method();
-                break;
-#endif
        case MP_SSLv3: /* SSLv3 protocol */
 #if defined(OPENSSL_NO_SSL3)
                printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                method = SSLv3_client_method();
+                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+                SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
                break;
 #endif
        case MP_TLSv1: /* TLSv1 protocol */
@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                method = TLSv1_client_method();
+                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+                SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
                break;
 #endif
        case MP_TLSv1_1: /* TLSv1.1 protocol */
@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                method = TLSv1_1_client_method();
+                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+                SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
                break;
 #endif
        case MP_TLSv1_2: /* TLSv1.2 protocol */
@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                method = TLSv1_2_client_method();
+                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+                SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
                break;
 #endif
        case MP_TLSv1_2_OR_NEWER:
@@ -97,47 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                options |= SSL_OP_NO_TLSv1_1;
+                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+                break;
 #endif
-                /* FALLTHROUGH */
        case MP_TLSv1_1_OR_NEWER:
 #if !defined(SSL_OP_NO_TLSv1)
                printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #else
-                options |= SSL_OP_NO_TLSv1;
+                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+                break;
 #endif
-                /* FALLTHROUGH */
        case MP_TLSv1_OR_NEWER:
 #if defined(SSL_OP_NO_SSLv3)
-                options |= SSL_OP_NO_SSLv3;
+                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+                break;
 #endif
-                /* FALLTHROUGH */
        case MP_SSLv3_OR_NEWER:
 #if defined(SSL_OP_NO_SSLv2)
-                options |= SSL_OP_NO_SSLv2;
+                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+                break;
 #endif
-        case MP_SSLv2_OR_NEWER:
-                /* FALLTHROUGH */
-        default: /* Default to auto negotiation */
-                method = SSLv23_client_method();
-        }
-        if (!initialized) {
-                /* Initialize SSL context */
-                SSLeay_add_ssl_algorithms();
-                SSL_load_error_strings();
-                OpenSSL_add_all_algorithms();
-                initialized = 1;
-        }
-        if ((c = SSL_CTX_new(method)) == NULL) {
-                printf("%s\n", _("CRITICAL - Cannot create SSL context."));
-                return STATE_CRITICAL;
        }
        if (cert && privkey) {
-                SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
-                SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
 #ifdef USE_OPENSSL
-                if (!SSL_CTX_check_private_key(c)) {
+                if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
+#elif  USE_GNUTLS
+                if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
+#else
+#error Unported for unknown SSL library
+#endif
+                        printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
+                        return STATE_CRITICAL;
+                }
+                SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
+#ifdef USE_OPENSSL
+                if (!SSL_CTX_check_private_key(ctx)) {
                        printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
                        return STATE_CRITICAL;
                }
@@ -146,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #ifdef SSL_OP_NO_TICKET
        options |= SSL_OP_NO_TICKET;
 #endif
-        SSL_CTX_set_options(c, options);
+        SSL_CTX_set_options(ctx, options);
-        SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
+        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
-        if ((s = SSL_new(c)) != NULL) {
+        if ((s = SSL_new(ctx)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
                if (host_name != NULL)
                        SSL_set_tlsext_host_name(s, host_name);
@@ -175,9 +173,9 @@ void np_net_ssl_cleanup() {
 #endif
                SSL_shutdown(s);
                SSL_free(s);
-                if (c) {
+                if (ctx) {
-                        SSL_CTX_free(c);
+                        SSL_CTX_free(ctx);
-                        c=NULL;
+                        ctx=NULL;
                }
                s=NULL;
        }
@@ -191,13 +189,13 @@ int np_net_ssl_read(void *buf, int num) {
        return SSL_read(s, buf, num);
 }
-int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
-        X509 *certificate=NULL;
        X509_NAME *subj=NULL;
        char timestamp[50] = "";
        char cn[MAX_CN_LENGTH]= "";
-        
+        char *tz;
        int cnlen =-1;
        int status=STATE_UNKNOWN;
@@ -209,7 +207,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
        int time_remaining;
        time_t tm_t;
-        certificate=SSL_get_peer_certificate(s);
        if (!certificate) {
                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;
@@ -264,10 +261,18 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
                (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
-        time_left = difftime(timegm(&stamp), time(NULL));
+        tm_t = timegm(&stamp);
+        time_left = difftime(tm_t, time(NULL));
        days_left = time_left / 86400;
-        tm_t = mktime (&stamp);
+        tz = getenv("TZ");
-        strftime(timestamp, 50, "%c", localtime(&tm_t));
+        setenv("TZ", "GMT", 1);
+        tzset();
+        strftime(timestamp, 50, "%c %z", localtime(&tm_t));
+        if (tz)
+                setenv("TZ", tz, 1);
+        else
+                unsetenv("TZ");
+        tzset();
        if (days_left > 0 && days_left <= days_till_exp_warn) {
                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
@@ -310,4 +315,16 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  endif /* USE_OPENSSL */
 }
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
+#  ifdef USE_OPENSSL
+        X509 *certificate = NULL;
+        certificate=SSL_get_peer_certificate(s);
+        return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
+#  else /* ifndef USE_OPENSSL */
+        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
+        return STATE_WARNING;
+#  endif /* USE_OPENSSL */
+}
 #endif /* HAVE_SSL */

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 4f9c793..6bc0ba8 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
1	/*****************************************************************************	1	/*****************************************************************************
2	*	2	*
3	* Monitoring Plugins SSL utilities	3	* Monitoring Plugins SSL utilities
4	*	4	*
5	* License: GPL	5	* License: GPL
6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team	6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7	*	7	*
8	* Description:	8	* Description:
9	*	9	*
10	* This file contains common functions for plugins that require SSL.	10	* This file contains common functions for plugins that require SSL.
11	*	11	*
12	*	12	*
13	* This program is free software: you can redistribute it and/or modify	13	* This program is free software: you can redistribute it and/or modify
14	* it under the terms of the GNU General Public License as published by	14	* it under the terms of the GNU General Public License as published by
15	* the Free Software Foundation, either version 3 of the License, or	15	* the Free Software Foundation, either version 3 of the License, or
16	* (at your option) any later version.	16	* (at your option) any later version.
17	*	17	*
18	* This program is distributed in the hope that it will be useful,	18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.	21	* GNU General Public License for more details.
22	*	22	*
23	* You should have received a copy of the GNU General Public License	23	* You should have received a copy of the GNU General Public License
24	* along with this program. If not, see <http://www.gnu.org/licenses/>.	24	* along with this program. If not, see <http://www.gnu.org/licenses/>.
25	*	25	*
26	*	26	*
27	*****************************************************************************/	27	*****************************************************************************/
28		28
29	#define MAX_CN_LENGTH 256	29	#define MAX_CN_LENGTH 256
@@ -31,9 +31,8 @@
31	#include "netutils.h"	31	#include "netutils.h"
32		32
33	#ifdef HAVE_SSL	33	#ifdef HAVE_SSL
34	static SSL_CTX *c=NULL;	34	static SSL_CTX *ctx=NULL;
35	static SSL *s=NULL;	35	static SSL *s=NULL;
36	static int initialized=0;
37		36
38	int np_net_ssl_init(int sd) {	37	int np_net_ssl_init(int sd) {
39	return np_net_ssl_init_with_hostname(sd, NULL);	38	return np_net_ssl_init_with_hostname(sd, NULL);
@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
48	}	47	}
49		48
50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {	49	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {
51	SSL_METHOD *method = NULL;
52	long options = 0;	50	long options = 0;
53		51
		52	if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
		53	printf("%s\n", _("CRITICAL - Cannot create SSL context."));
		54	return STATE_CRITICAL;
		55	}
		56
54	switch (version) {	57	switch (version) {
55	case MP_SSLv2: /* SSLv2 protocol */	58	case MP_SSLv2: /* SSLv2 protocol */
56	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)
57	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));	59	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
58	return STATE_UNKNOWN;	60	return STATE_UNKNOWN;
59	#else
60	method = SSLv2_client_method();
61	break;
62	#endif
63	case MP_SSLv3: /* SSLv3 protocol */	61	case MP_SSLv3: /* SSLv3 protocol */
64	#if defined(OPENSSL_NO_SSL3)	62	#if defined(OPENSSL_NO_SSL3)
65	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));	63	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66	return STATE_UNKNOWN;	64	return STATE_UNKNOWN;
67	#else	65	#else
68	method = SSLv3_client_method();	66	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
		67	SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
69	break;	68	break;
70	#endif	69	#endif
71	case MP_TLSv1: /* TLSv1 protocol */	70	case MP_TLSv1: /* TLSv1 protocol */
@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
73	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));	72	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74	return STATE_UNKNOWN;	73	return STATE_UNKNOWN;
75	#else	74	#else
76	method = TLSv1_client_method();	75	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
		76	SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77	break;	77	break;
78	#endif	78	#endif
79	case MP_TLSv1_1: /* TLSv1.1 protocol */	79	case MP_TLSv1_1: /* TLSv1.1 protocol */
@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));	81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82	return STATE_UNKNOWN;	82	return STATE_UNKNOWN;
83	#else	83	#else
84	method = TLSv1_1_client_method();	84	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
		85	SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
85	break;	86	break;
86	#endif	87	#endif
87	case MP_TLSv1_2: /* TLSv1.2 protocol */	88	case MP_TLSv1_2: /* TLSv1.2 protocol */
@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
89	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));	90	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90	return STATE_UNKNOWN;	91	return STATE_UNKNOWN;
91	#else	92	#else
92	method = TLSv1_2_client_method();	93	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
		94	SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
93	break;	95	break;
94	#endif	96	#endif
95	case MP_TLSv1_2_OR_NEWER:	97	case MP_TLSv1_2_OR_NEWER:
@@ -97,47 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
97	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));	99	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98	return STATE_UNKNOWN;	100	return STATE_UNKNOWN;
99	#else	101	#else
100	options \|= SSL_OP_NO_TLSv1_1;	102	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
		103	break;
101	#endif	104	#endif
102	/* FALLTHROUGH */
103	case MP_TLSv1_1_OR_NEWER:	105	case MP_TLSv1_1_OR_NEWER:
104	#if !defined(SSL_OP_NO_TLSv1)	106	#if !defined(SSL_OP_NO_TLSv1)
105	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));	107	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106	return STATE_UNKNOWN;	108	return STATE_UNKNOWN;
107	#else	109	#else
108	options \|= SSL_OP_NO_TLSv1;	110	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
		111	break;
109	#endif	112	#endif
110	/* FALLTHROUGH */
111	case MP_TLSv1_OR_NEWER:	113	case MP_TLSv1_OR_NEWER:
112	#if defined(SSL_OP_NO_SSLv3)	114	#if defined(SSL_OP_NO_SSLv3)
113	options \|= SSL_OP_NO_SSLv3;	115	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
		116	break;
114	#endif	117	#endif
115	/* FALLTHROUGH */
116	case MP_SSLv3_OR_NEWER:	118	case MP_SSLv3_OR_NEWER:
117	#if defined(SSL_OP_NO_SSLv2)	119	#if defined(SSL_OP_NO_SSLv2)
118	options \|= SSL_OP_NO_SSLv2;	120	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
		121	break;
119	#endif	122	#endif
120	case MP_SSLv2_OR_NEWER:
121	/* FALLTHROUGH */
122	default: /* Default to auto negotiation */
123	method = SSLv23_client_method();
124	}
125	if (!initialized) {
126	/* Initialize SSL context */
127	SSLeay_add_ssl_algorithms();
128	SSL_load_error_strings();
129	OpenSSL_add_all_algorithms();
130	initialized = 1;
131	}
132	if ((c = SSL_CTX_new(method)) == NULL) {
133	printf("%s\n", _("CRITICAL - Cannot create SSL context."));
134	return STATE_CRITICAL;
135	}	123	}
		124
136	if (cert && privkey) {	125	if (cert && privkey) {
137	SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
138	SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
139	#ifdef USE_OPENSSL	126	#ifdef USE_OPENSSL
140	if (!SSL_CTX_check_private_key(c)) {	127	if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
		128	#elif USE_GNUTLS
		129	if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
		130	#else
		131	#error Unported for unknown SSL library
		132	#endif
		133	printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
		134	return STATE_CRITICAL;
		135	}
		136	SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
		137	#ifdef USE_OPENSSL
		138	if (!SSL_CTX_check_private_key(ctx)) {
141	printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));	139	printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
142	return STATE_CRITICAL;	140	return STATE_CRITICAL;
143	}	141	}
@@ -146,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
146	#ifdef SSL_OP_NO_TICKET	144	#ifdef SSL_OP_NO_TICKET
147	options \|= SSL_OP_NO_TICKET;	145	options \|= SSL_OP_NO_TICKET;
148	#endif	146	#endif
149	SSL_CTX_set_options(c, options);	147	SSL_CTX_set_options(ctx, options);
150	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);	148	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
151	if ((s = SSL_new(c)) != NULL) {	149	if ((s = SSL_new(ctx)) != NULL) {
152	#ifdef SSL_set_tlsext_host_name	150	#ifdef SSL_set_tlsext_host_name
153	if (host_name != NULL)	151	if (host_name != NULL)
154	SSL_set_tlsext_host_name(s, host_name);	152	SSL_set_tlsext_host_name(s, host_name);
@@ -175,9 +173,9 @@ void np_net_ssl_cleanup() {
175	#endif	173	#endif
176	SSL_shutdown(s);	174	SSL_shutdown(s);
177	SSL_free(s);	175	SSL_free(s);
178	if (c) {	176	if (ctx) {
179	SSL_CTX_free(c);	177	SSL_CTX_free(ctx);
180	c=NULL;	178	ctx=NULL;
181	}	179	}
182	s=NULL;	180	s=NULL;
183	}	181	}
@@ -191,13 +189,13 @@ int np_net_ssl_read(void *buf, int num) {
191	return SSL_read(s, buf, num);	189	return SSL_read(s, buf, num);
192	}	190	}
193		191
194	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){	192	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
195	# ifdef USE_OPENSSL	193	# ifdef USE_OPENSSL
196	X509 *certificate=NULL;
197	X509_NAME *subj=NULL;	194	X509_NAME *subj=NULL;
198	char timestamp[50] = "";	195	char timestamp[50] = "";
199	char cn[MAX_CN_LENGTH]= "";	196	char cn[MAX_CN_LENGTH]= "";
200		197	char *tz;
		198
201	int cnlen =-1;	199	int cnlen =-1;
202	int status=STATE_UNKNOWN;	200	int status=STATE_UNKNOWN;
203		201
@@ -209,7 +207,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
209	int time_remaining;	207	int time_remaining;
210	time_t tm_t;	208	time_t tm_t;
211		209
212	certificate=SSL_get_peer_certificate(s);
213	if (!certificate) {	210	if (!certificate) {
214	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	211	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
215	return STATE_CRITICAL;	212	return STATE_CRITICAL;
@@ -264,10 +261,18 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
264	(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');	261	(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
265	stamp.tm_isdst = -1;	262	stamp.tm_isdst = -1;
266		263
267	time_left = difftime(timegm(&stamp), time(NULL));	264	tm_t = timegm(&stamp);
		265	time_left = difftime(tm_t, time(NULL));
268	days_left = time_left / 86400;	266	days_left = time_left / 86400;
269	tm_t = mktime (&stamp);	267	tz = getenv("TZ");
270	strftime(timestamp, 50, "%c", localtime(&tm_t));	268	setenv("TZ", "GMT", 1);
		269	tzset();
		270	strftime(timestamp, 50, "%c %z", localtime(&tm_t));
		271	if (tz)
		272	setenv("TZ", tz, 1);
		273	else
		274	unsetenv("TZ");
		275	tzset();
271		276
272	if (days_left > 0 && days_left <= days_till_exp_warn) {	277	if (days_left > 0 && days_left <= days_till_exp_warn) {
273	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);	278	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
@@ -310,4 +315,16 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
310	# endif /* USE_OPENSSL */	315	# endif /* USE_OPENSSL */
311	}	316	}
312		317
		318	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
		319	# ifdef USE_OPENSSL
		320	X509 *certificate = NULL;
		321	certificate=SSL_get_peer_certificate(s);
		322	return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
		323	# else /* ifndef USE_OPENSSL */
		324	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
		325	return STATE_WARNING;
		326	# endif /* USE_OPENSSL */
		327	}
		328
		329
313	#endif /* HAVE_SSL */	330	#endif /* HAVE_SSL */