diff options
Diffstat (limited to 'plugins/sslutils.c')
| -rw-r--r-- | plugins/sslutils.c | 113 |
1 files changed, 88 insertions, 25 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index f34c3d7..4f9c793 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
| @@ -49,33 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
| 49 | 49 | ||
| 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
| 51 | SSL_METHOD *method = NULL; | 51 | SSL_METHOD *method = NULL; |
| 52 | long options = 0; | ||
| 52 | 53 | ||
| 53 | switch (version) { | 54 | switch (version) { |
| 54 | case 0: /* Deafult to auto negotiation */ | 55 | case MP_SSLv2: /* SSLv2 protocol */ |
| 55 | method = SSLv23_client_method(); | ||
| 56 | break; | ||
| 57 | case 1: /* TLSv1 protocol */ | ||
| 58 | method = TLSv1_client_method(); | ||
| 59 | break; | ||
| 60 | case 2: /* SSLv2 protocol */ | ||
| 61 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | 56 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
| 62 | printf("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")); | 57 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
| 63 | return STATE_CRITICAL; | 58 | return STATE_UNKNOWN; |
| 64 | #else | 59 | #else |
| 65 | method = SSLv2_client_method(); | 60 | method = SSLv2_client_method(); |
| 66 | #endif | ||
| 67 | break; | 61 | break; |
| 68 | case 3: /* SSLv3 protocol */ | 62 | #endif |
| 63 | case MP_SSLv3: /* SSLv3 protocol */ | ||
| 69 | #if defined(OPENSSL_NO_SSL3) | 64 | #if defined(OPENSSL_NO_SSL3) |
| 70 | printf("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")); | 65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); |
| 71 | return STATE_CRITICAL; | 66 | return STATE_UNKNOWN; |
| 72 | #else | 67 | #else |
| 73 | method = SSLv3_client_method(); | 68 | method = SSLv3_client_method(); |
| 69 | break; | ||
| 74 | #endif | 70 | #endif |
| 71 | case MP_TLSv1: /* TLSv1 protocol */ | ||
| 72 | #if defined(OPENSSL_NO_TLS1) | ||
| 73 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | ||
| 74 | return STATE_UNKNOWN; | ||
| 75 | #else | ||
| 76 | method = TLSv1_client_method(); | ||
| 75 | break; | 77 | break; |
| 76 | default: /* Unsupported */ | 78 | #endif |
| 77 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); | 79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ |
| 78 | return STATE_CRITICAL; | 80 | #if !defined(SSL_OP_NO_TLSv1_1) |
| 81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | ||
| 82 | return STATE_UNKNOWN; | ||
| 83 | #else | ||
| 84 | method = TLSv1_1_client_method(); | ||
| 85 | break; | ||
| 86 | #endif | ||
| 87 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | ||
| 88 | #if !defined(SSL_OP_NO_TLSv1_2) | ||
| 89 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | ||
| 90 | return STATE_UNKNOWN; | ||
| 91 | #else | ||
| 92 | method = TLSv1_2_client_method(); | ||
| 93 | break; | ||
| 94 | #endif | ||
| 95 | case MP_TLSv1_2_OR_NEWER: | ||
| 96 | #if !defined(SSL_OP_NO_TLSv1_1) | ||
| 97 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | ||
| 98 | return STATE_UNKNOWN; | ||
| 99 | #else | ||
| 100 | options |= SSL_OP_NO_TLSv1_1; | ||
| 101 | #endif | ||
| 102 | /* FALLTHROUGH */ | ||
| 103 | case MP_TLSv1_1_OR_NEWER: | ||
| 104 | #if !defined(SSL_OP_NO_TLSv1) | ||
| 105 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | ||
| 106 | return STATE_UNKNOWN; | ||
| 107 | #else | ||
| 108 | options |= SSL_OP_NO_TLSv1; | ||
| 109 | #endif | ||
| 110 | /* FALLTHROUGH */ | ||
| 111 | case MP_TLSv1_OR_NEWER: | ||
| 112 | #if defined(SSL_OP_NO_SSLv3) | ||
| 113 | options |= SSL_OP_NO_SSLv3; | ||
| 114 | #endif | ||
| 115 | /* FALLTHROUGH */ | ||
| 116 | case MP_SSLv3_OR_NEWER: | ||
| 117 | #if defined(SSL_OP_NO_SSLv2) | ||
| 118 | options |= SSL_OP_NO_SSLv2; | ||
| 119 | #endif | ||
| 120 | case MP_SSLv2_OR_NEWER: | ||
| 121 | /* FALLTHROUGH */ | ||
| 122 | default: /* Default to auto negotiation */ | ||
| 123 | method = SSLv23_client_method(); | ||
| 79 | } | 124 | } |
| 80 | if (!initialized) { | 125 | if (!initialized) { |
| 81 | /* Initialize SSL context */ | 126 | /* Initialize SSL context */ |
| @@ -99,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 99 | #endif | 144 | #endif |
| 100 | } | 145 | } |
| 101 | #ifdef SSL_OP_NO_TICKET | 146 | #ifdef SSL_OP_NO_TICKET |
| 102 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 147 | options |= SSL_OP_NO_TICKET; |
| 103 | #endif | 148 | #endif |
| 149 | SSL_CTX_set_options(c, options); | ||
| 104 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); | 150 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); |
| 105 | if ((s = SSL_new(c)) != NULL) { | 151 | if ((s = SSL_new(c)) != NULL) { |
| 106 | #ifdef SSL_set_tlsext_host_name | 152 | #ifdef SSL_set_tlsext_host_name |
| @@ -149,7 +195,9 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
| 149 | # ifdef USE_OPENSSL | 195 | # ifdef USE_OPENSSL |
| 150 | X509 *certificate=NULL; | 196 | X509 *certificate=NULL; |
| 151 | X509_NAME *subj=NULL; | 197 | X509_NAME *subj=NULL; |
| 198 | char timestamp[50] = ""; | ||
| 152 | char cn[MAX_CN_LENGTH]= ""; | 199 | char cn[MAX_CN_LENGTH]= ""; |
| 200 | |||
| 153 | int cnlen =-1; | 201 | int cnlen =-1; |
| 154 | int status=STATE_UNKNOWN; | 202 | int status=STATE_UNKNOWN; |
| 155 | 203 | ||
| @@ -158,7 +206,7 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
| 158 | struct tm stamp; | 206 | struct tm stamp; |
| 159 | float time_left; | 207 | float time_left; |
| 160 | int days_left; | 208 | int days_left; |
| 161 | char timestamp[50] = ""; | 209 | int time_remaining; |
| 162 | time_t tm_t; | 210 | time_t tm_t; |
| 163 | 211 | ||
| 164 | certificate=SSL_get_peer_certificate(s); | 212 | certificate=SSL_get_peer_certificate(s); |
| @@ -212,7 +260,8 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
| 212 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | 260 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); |
| 213 | stamp.tm_min = | 261 | stamp.tm_min = |
| 214 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | 262 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); |
| 215 | stamp.tm_sec = 0; | 263 | stamp.tm_sec = |
| 264 | (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); | ||
| 216 | stamp.tm_isdst = -1; | 265 | stamp.tm_isdst = -1; |
| 217 | 266 | ||
| 218 | time_left = difftime(timegm(&stamp), time(NULL)); | 267 | time_left = difftime(timegm(&stamp), time(NULL)); |
| @@ -223,21 +272,35 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
| 223 | if (days_left > 0 && days_left <= days_till_exp_warn) { | 272 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
| 224 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); | 273 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); |
| 225 | if (days_left > days_till_exp_crit) | 274 | if (days_left > days_till_exp_crit) |
| 226 | return STATE_WARNING; | 275 | status = STATE_WARNING; |
| 227 | else | 276 | else |
| 228 | return STATE_CRITICAL; | 277 | status = STATE_CRITICAL; |
| 278 | } else if (days_left == 0 && time_left > 0) { | ||
| 279 | if (time_left >= 3600) | ||
| 280 | time_remaining = (int) time_left / 3600; | ||
| 281 | else | ||
| 282 | time_remaining = (int) time_left / 60; | ||
| 283 | |||
| 284 | printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), | ||
| 285 | (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, | ||
| 286 | time_left >= 3600 ? "hours" : "minutes", timestamp); | ||
| 287 | |||
| 288 | if ( days_left > days_till_exp_crit) | ||
| 289 | status = STATE_WARNING; | ||
| 290 | else | ||
| 291 | status = STATE_CRITICAL; | ||
| 229 | } else if (time_left < 0) { | 292 | } else if (time_left < 0) { |
| 230 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 293 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
| 231 | status=STATE_CRITICAL; | 294 | status=STATE_CRITICAL; |
| 232 | } else if (days_left == 0) { | 295 | } else if (days_left == 0) { |
| 233 | printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); | 296 | printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); |
| 234 | if (days_left > days_till_exp_crit) | 297 | if (days_left > days_till_exp_crit) |
| 235 | return STATE_WARNING; | 298 | status = STATE_WARNING; |
| 236 | else | 299 | else |
| 237 | return STATE_CRITICAL; | 300 | status = STATE_CRITICAL; |
| 238 | } else { | 301 | } else { |
| 239 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 302 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
| 240 | status=STATE_OK; | 303 | status = STATE_OK; |
| 241 | } | 304 | } |
| 242 | X509_free(certificate); | 305 | X509_free(certificate); |
| 243 | return status; | 306 | return status; |