summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c96
1 files changed, 78 insertions, 18 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index c9882c6..b412ef3 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
49 49
50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
51 SSL_METHOD *method = NULL; 51 SSL_METHOD *method = NULL;
52 long options = 0;
52 53
53 switch (version) { 54 switch (version) {
54 case 0: /* Deafult to auto negotiation */ 55 case MP_SSLv2: /* SSLv2 protocol */
55 method = SSLv23_client_method();
56 break;
57 case 1: /* TLSv1 protocol */
58 method = TLSv1_client_method();
59 break;
60 case 2: /* SSLv2 protocol */
61#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) 56#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
62 printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); 57 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
63 return STATE_CRITICAL; 58 return STATE_UNKNOWN;
64#else 59#else
65 method = SSLv2_client_method(); 60 method = SSLv2_client_method();
66#endif
67 break; 61 break;
68 case 3: /* SSLv3 protocol */ 62#endif
63 case MP_SSLv3: /* SSLv3 protocol */
64#if defined(OPENSSL_NO_SSL3)
65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66 return STATE_UNKNOWN;
67#else
69 method = SSLv3_client_method(); 68 method = SSLv3_client_method();
70 break; 69 break;
71 default: /* Unsupported */ 70#endif
72 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); 71 case MP_TLSv1: /* TLSv1 protocol */
73 return STATE_CRITICAL; 72#if defined(OPENSSL_NO_TLS1)
73 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74 return STATE_UNKNOWN;
75#else
76 method = TLSv1_client_method();
77 break;
78#endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN;
83#else
84 method = TLSv1_1_client_method();
85 break;
86#endif
87 case MP_TLSv1_2: /* TLSv1.2 protocol */
88#if !defined(SSL_OP_NO_TLSv1_2)
89 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90 return STATE_UNKNOWN;
91#else
92 method = TLSv1_2_client_method();
93 break;
94#endif
95 case MP_TLSv1_2_OR_NEWER:
96#if !defined(SSL_OP_NO_TLSv1_1)
97 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98 return STATE_UNKNOWN;
99#else
100 options |= SSL_OP_NO_TLSv1_1;
101#endif
102 /* FALLTHROUGH */
103 case MP_TLSv1_1_OR_NEWER:
104#if !defined(SSL_OP_NO_TLSv1)
105 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106 return STATE_UNKNOWN;
107#else
108 options |= SSL_OP_NO_TLSv1;
109#endif
110 /* FALLTHROUGH */
111 case MP_TLSv1_OR_NEWER:
112#if defined(SSL_OP_NO_SSLv3)
113 options |= SSL_OP_NO_SSLv3;
114#endif
115 /* FALLTHROUGH */
116 case MP_SSLv3_OR_NEWER:
117#if defined(SSL_OP_NO_SSLv2)
118 options |= SSL_OP_NO_SSLv2;
119#endif
120 case MP_SSLv2_OR_NEWER:
121 /* FALLTHROUGH */
122 default: /* Default to auto negotiation */
123 method = SSLv23_client_method();
74 } 124 }
75 if (!initialized) { 125 if (!initialized) {
76 /* Initialize SSL context */ 126 /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
94#endif 144#endif
95 } 145 }
96#ifdef SSL_OP_NO_TICKET 146#ifdef SSL_OP_NO_TICKET
97 SSL_CTX_set_options(c, SSL_OP_NO_TICKET); 147 options |= SSL_OP_NO_TICKET;
98#endif 148#endif
149 SSL_CTX_set_options(c, options);
99 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); 150 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
100 if ((s = SSL_new(c)) != NULL) { 151 if ((s = SSL_new(c)) != NULL) {
101#ifdef SSL_set_tlsext_host_name 152#ifdef SSL_set_tlsext_host_name
@@ -146,6 +197,7 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
146 X509_NAME *subj=NULL; 197 X509_NAME *subj=NULL;
147 char timestamp[50] = ""; 198 char timestamp[50] = "";
148 char cn[MAX_CN_LENGTH]= ""; 199 char cn[MAX_CN_LENGTH]= "";
200 char *tz;
149 201
150 int cnlen =-1; 202 int cnlen =-1;
151 int status=STATE_UNKNOWN; 203 int status=STATE_UNKNOWN;
@@ -213,10 +265,18 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
213 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); 265 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
214 stamp.tm_isdst = -1; 266 stamp.tm_isdst = -1;
215 267
216 time_left = difftime(timegm(&stamp), time(NULL)); 268 tm_t = timegm(&stamp);
269 time_left = difftime(tm_t, time(NULL));
217 days_left = time_left / 86400; 270 days_left = time_left / 86400;
218 tm_t = mktime (&stamp); 271 tz = getenv("TZ");
219 strftime(timestamp, 50, "%c", localtime(&tm_t)); 272 setenv("TZ", "GMT", 1);
273 tzset();
274 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
275 if (tz)
276 setenv("TZ", tz, 1);
277 else
278 unsetenv("TZ");
279 tzset();
220 280
221 if (days_left > 0 && days_left <= days_till_exp_warn) { 281 if (days_left > 0 && days_left <= days_till_exp_warn) {
222 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 282 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);