3 files changed, 79 insertions, 24 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 2c87b4e1..ffd8baf2 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS)
 check_cluster_LDADD = $(BASEOBJS)
 check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS)
 check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE)
-check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS)
+check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS)
 check_dbi_LDADD = $(NETLIBS) $(DBILIBS)
 check_dig_LDADD = $(NETLIBS)
 check_disk_LDADD = $(BASEOBJS)
@@ -92,7 +92,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS)
 check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE)
 check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS)
 check_nagios_LDADD = $(BASEOBJS)
-check_nt_LDADD = $(NETLIBS) 
+check_nt_LDADD = $(NETLIBS)
 check_ntp_LDADD = $(NETLIBS) $(MATHLIBS)
 check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS)
 check_nwstat_LDADD = $(NETLIBS)
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index c6a7ab85..e14fb19b 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
 char output_string_search[30] = "";
 char *warning_thresholds = NULL;
 char *critical_thresholds = NULL;
+int days_till_exp_warn, days_till_exp_crit;
 thresholds *thlds;
 char user_agent[DEFAULT_BUFFER_SIZE];
 int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
+X509 *cert = NULL;
 int process_arguments (int, char**);
 int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
  return result;
 }
+int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+  cert = X509_STORE_CTX_get_current_cert(x509_ctx);
+  return 1;
+}
+CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
+{
+  SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
+  return CURLE_OK;
+}
 int
 check_http (void)
 {
@@ -177,6 +192,9 @@ check_http (void)
  if (verbose >= 3)
    curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
+  /* print everything on stdout like check_http would do */
+  curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
  /* initialize buffer for body of the answer */
  if (curlhelp_initbuffer(&body_buf) < 0)
    die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
  curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
  curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
-  /* backward-compatible behaviour, be tolerant in checks */
+  /* backward-compatible behaviour, be tolerant in checks
-  if (!check_cert) {
+   * TODO: depending on more options have aspects we want
-    /* TODO: depending on more options have aspects we want
+   * to be less tolerant about ssl verfications
-     * to be tolerant about
+   */
-     * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 );
+  curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
-     */
+  curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
-    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
-    curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+  /* set callback to extract certificate */
+  if(check_cert) {
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
  }
  /* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
    die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
  }
+  /* certificate checks */
+#ifdef HAVE_SSL
+  if (use_ssl == TRUE) {
+    if (check_cert == TRUE) {
+      result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+      return(result);
+    }
+  }
+#endif /* HAVE_SSL */
  /* we got the data and we executed the request in a given time, so we can append
   * performance data to the answer always
   */
@@ -439,6 +469,7 @@ int
 process_arguments (int argc, char **argv)
 {
  int c = 1;
+  char *temp;
  enum {
    INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
      break;
    case 'C': /* Check SSL cert validity */
 #ifdef LIBCURL_FEATURE_SSL
-      /* TODO: C:, check age of certificate for backward compatible
+      if ((temp=strchr(optarg,','))!=NULL) {
-       * behaviour, but we would later add more check conditions */
+        *temp='\0';
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi(optarg);
+        *temp=',';
+        temp++;
+        if (!is_intnonneg (temp))
+          usage2 (_("Invalid certificate expiration period"), temp);
+        days_till_exp_crit = atoi (temp);
+      }
+      else {
+        days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
+      }
      check_cert = TRUE;
      goto enable_ssl;
 #endif
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index e38947e3..14f6579d 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
 /*****************************************************************************
-* 
+*
 * Monitoring Plugins SSL utilities
-* 
+*
 * License: GPL
 * Copyright (c) 2005-2010 Monitoring Plugins Development Team
-* 
+*
 * Description:
-* 
+*
 * This file contains common functions for plugins that require SSL.
-* 
+*
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
-* 
+*
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
-* 
+*
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-* 
+*
-* 
+*
 *****************************************************************************/
 #define MAX_CN_LENGTH 256
@@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) {
 int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
-        X509 *certificate=NULL;
+        X509 *certificate = NULL;
+        certificate=SSL_get_peer_certificate(s);
+        return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
+#  else /* ifndef USE_OPENSSL */
+        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
+        return STATE_WARNING;
+#  endif /* USE_OPENSSL */
+}
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
+#  ifdef USE_OPENSSL
        X509_NAME *subj=NULL;
        char timestamp[50] = "";
        char cn[MAX_CN_LENGTH]= "";
        char *tz;
-        
        int cnlen =-1;
        int status=STATE_UNKNOWN;
@@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
        int time_remaining;
        time_t tm_t;
-        certificate=SSL_get_peer_certificate(s);
        if (!certificate) {
                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;

diff --git a/plugins/Makefile.am b/plugins/Makefile.am index 2c87b4e1..ffd8baf2 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am
@@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS)
71	check_cluster_LDADD = $(BASEOBJS)	71	check_cluster_LDADD = $(BASEOBJS)
72	check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS)	72	check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS)
73	check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE)	73	check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE)
74	check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS)	74	check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS)
75	check_dbi_LDADD = $(NETLIBS) $(DBILIBS)	75	check_dbi_LDADD = $(NETLIBS) $(DBILIBS)
76	check_dig_LDADD = $(NETLIBS)	76	check_dig_LDADD = $(NETLIBS)
77	check_disk_LDADD = $(BASEOBJS)	77	check_disk_LDADD = $(BASEOBJS)
@@ -92,7 +92,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS)
92	check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE)	92	check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE)
93	check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS)	93	check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS)
94	check_nagios_LDADD = $(BASEOBJS)	94	check_nagios_LDADD = $(BASEOBJS)
95	check_nt_LDADD = $(NETLIBS)	95	check_nt_LDADD = $(NETLIBS)
96	check_ntp_LDADD = $(NETLIBS) $(MATHLIBS)	96	check_ntp_LDADD = $(NETLIBS) $(MATHLIBS)
97	check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS)	97	check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS)
98	check_nwstat_LDADD = $(NETLIBS)	98	check_nwstat_LDADD = $(NETLIBS)


diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab85..e14fb19b 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
93	char output_string_search[30] = "";	93	char output_string_search[30] = "";
94	char *warning_thresholds = NULL;	94	char *warning_thresholds = NULL;
95	char *critical_thresholds = NULL;	95	char *critical_thresholds = NULL;
		96	int days_till_exp_warn, days_till_exp_crit;
96	thresholds *thlds;	97	thresholds *thlds;
97	char user_agent[DEFAULT_BUFFER_SIZE];	98	char user_agent[DEFAULT_BUFFER_SIZE];
98	int verbose = 0;	99	int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
122	char *client_cert = NULL;	123	char *client_cert = NULL;
123	char *client_privkey = NULL;	124	char *client_privkey = NULL;
124	char *ca_cert = NULL;	125	char *ca_cert = NULL;
		126	X509 *cert = NULL;
125		127
126	int process_arguments (int, char**);	128	int process_arguments (int, char**);
127	int check_http (void);	129	int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
162	return result;	164	return result;
163	}	165	}
164		166
		167	int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
		168	{
		169	cert = X509_STORE_CTX_get_current_cert(x509_ctx);
		170	return 1;
		171	}
		172
		173	CURLcode sslctxfun(CURL curl, SSL_CTX sslctx, void *parm)
		174	{
		175	SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
		176
		177	return CURLE_OK;
		178	}
		179
165	int	180	int
166	check_http (void)	181	check_http (void)
167	{	182	{
@@ -177,6 +192,9 @@ check_http (void)
177	if (verbose >= 3)	192	if (verbose >= 3)
178	curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);	193	curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
179		194
		195	/* print everything on stdout like check_http would do */
		196	curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
		197
180	/* initialize buffer for body of the answer */	198	/* initialize buffer for body of the answer */
181	if (curlhelp_initbuffer(&body_buf) < 0)	199	if (curlhelp_initbuffer(&body_buf) < 0)
182	die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");	200	die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
242	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);	260	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
243	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);	261	curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
244		262
245	/* backward-compatible behaviour, be tolerant in checks */	263	/* backward-compatible behaviour, be tolerant in checks
246	if (!check_cert) {	264	* TODO: depending on more options have aspects we want
247	/* TODO: depending on more options have aspects we want	265	* to be less tolerant about ssl verfications
248	* to be tolerant about	266	*/
249	* curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 );	267	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
250	*/	268	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
251	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);	269
252	curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);	270	/* set callback to extract certificate */
		271	if(check_cert) {
		272	curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
253	}	273	}
254		274
255	/* set default or user-given user agent identification */	275	/* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
308	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);	328	die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
309	}	329	}
310		330
		331	/* certificate checks */
		332	#ifdef HAVE_SSL
		333	if (use_ssl == TRUE) {
		334	if (check_cert == TRUE) {
		335	result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
		336	return(result);
		337	}
		338	}
		339	#endif /* HAVE_SSL */
		340
311	/* we got the data and we executed the request in a given time, so we can append	341	/* we got the data and we executed the request in a given time, so we can append
312	* performance data to the answer always	342	* performance data to the answer always
313	*/	343	*/
@@ -439,6 +469,7 @@ int
439	process_arguments (int argc, char **argv)	469	process_arguments (int argc, char **argv)
440	{	470	{
441	int c = 1;	471	int c = 1;
		472	char *temp;
442		473
443	enum {	474	enum {
444	INVERT_REGEX = CHAR_MAX + 1,	475	INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
537	break;	568	break;
538	case 'C': /* Check SSL cert validity */	569	case 'C': /* Check SSL cert validity */
539	#ifdef LIBCURL_FEATURE_SSL	570	#ifdef LIBCURL_FEATURE_SSL
540	/* TODO: C:, check age of certificate for backward compatible	571	if ((temp=strchr(optarg,','))!=NULL) {
541	* behaviour, but we would later add more check conditions */	572	*temp='\0';
		573	if (!is_intnonneg (optarg))
		574	usage2 (_("Invalid certificate expiration period"), optarg);
		575	days_till_exp_warn = atoi(optarg);
		576	*temp=',';
		577	temp++;
		578	if (!is_intnonneg (temp))
		579	usage2 (_("Invalid certificate expiration period"), temp);
		580	days_till_exp_crit = atoi (temp);
		581	}
		582	else {
		583	days_till_exp_crit=0;
		584	if (!is_intnonneg (optarg))
		585	usage2 (_("Invalid certificate expiration period"), optarg);
		586	days_till_exp_warn = atoi (optarg);
		587	}
542	check_cert = TRUE;	588	check_cert = TRUE;
543	goto enable_ssl;	589	goto enable_ssl;
544	#endif	590	#endif


diff --git a/plugins/sslutils.c b/plugins/sslutils.c index e38947e3..14f6579d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
1	/*****************************************************************************	1	/*****************************************************************************
2	*	2	*
3	* Monitoring Plugins SSL utilities	3	* Monitoring Plugins SSL utilities
4	*	4	*
5	* License: GPL	5	* License: GPL
6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team	6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7	*	7	*
8	* Description:	8	* Description:
9	*	9	*
10	* This file contains common functions for plugins that require SSL.	10	* This file contains common functions for plugins that require SSL.
11	*	11	*
12	*	12	*
13	* This program is free software: you can redistribute it and/or modify	13	* This program is free software: you can redistribute it and/or modify
14	* it under the terms of the GNU General Public License as published by	14	* it under the terms of the GNU General Public License as published by
15	* the Free Software Foundation, either version 3 of the License, or	15	* the Free Software Foundation, either version 3 of the License, or
16	* (at your option) any later version.	16	* (at your option) any later version.
17	*	17	*
18	* This program is distributed in the hope that it will be useful,	18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.	21	* GNU General Public License for more details.
22	*	22	*
23	* You should have received a copy of the GNU General Public License	23	* You should have received a copy of the GNU General Public License
24	* along with this program. If not, see <http://www.gnu.org/licenses/>.	24	* along with this program. If not, see <http://www.gnu.org/licenses/>.
25	*	25	*
26	*	26	*
27	*****************************************************************************/	27	*****************************************************************************/
28		28
29	#define MAX_CN_LENGTH 256	29	#define MAX_CN_LENGTH 256
@@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) {
193		193
194	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){	194	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
195	# ifdef USE_OPENSSL	195	# ifdef USE_OPENSSL
196	X509 *certificate=NULL;	196	X509 *certificate = NULL;
		197	certificate=SSL_get_peer_certificate(s);
		198	return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
		199	# else /* ifndef USE_OPENSSL */
		200	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
		201	return STATE_WARNING;
		202	# endif /* USE_OPENSSL */
		203	}
		204
		205	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
		206	# ifdef USE_OPENSSL
197	X509_NAME *subj=NULL;	207	X509_NAME *subj=NULL;
198	char timestamp[50] = "";	208	char timestamp[50] = "";
199	char cn[MAX_CN_LENGTH]= "";	209	char cn[MAX_CN_LENGTH]= "";
200	char *tz;	210	char *tz;
201		211
202	int cnlen =-1;	212	int cnlen =-1;
203	int status=STATE_UNKNOWN;	213	int status=STATE_UNKNOWN;
204		214
@@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
210	int time_remaining;	220	int time_remaining;
211	time_t tm_t;	221	time_t tm_t;
212		222
213	certificate=SSL_get_peer_certificate(s);
214	if (!certificate) {	223	if (!certificate) {
215	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	224	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
216	return STATE_CRITICAL;	225	return STATE_CRITICAL;