Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/Makefile.am | 4 | ||||
| -rw-r--r-- | plugins/check_curl.c | 66 | ||||
| -rw-r--r-- | plugins/sslutils.c | 33 | 
3 files changed, 79 insertions, 24 deletions
| diff --git a/plugins/Makefile.am b/plugins/Makefile.am index 2c87b4e1..ffd8baf2 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am | |||
| @@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS) | |||
| 71 | check_cluster_LDADD = $(BASEOBJS) | 71 | check_cluster_LDADD = $(BASEOBJS) | 
| 72 | check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) | 72 | check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) | 
| 73 | check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE) | 73 | check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE) | 
| 74 | check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) | 74 | check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS) | 
| 75 | check_dbi_LDADD = $(NETLIBS) $(DBILIBS) | 75 | check_dbi_LDADD = $(NETLIBS) $(DBILIBS) | 
| 76 | check_dig_LDADD = $(NETLIBS) | 76 | check_dig_LDADD = $(NETLIBS) | 
| 77 | check_disk_LDADD = $(BASEOBJS) | 77 | check_disk_LDADD = $(BASEOBJS) | 
| @@ -92,7 +92,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS) | |||
| 92 | check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE) | 92 | check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE) | 
| 93 | check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS) | 93 | check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS) | 
| 94 | check_nagios_LDADD = $(BASEOBJS) | 94 | check_nagios_LDADD = $(BASEOBJS) | 
| 95 | check_nt_LDADD = $(NETLIBS) | 95 | check_nt_LDADD = $(NETLIBS) | 
| 96 | check_ntp_LDADD = $(NETLIBS) $(MATHLIBS) | 96 | check_ntp_LDADD = $(NETLIBS) $(MATHLIBS) | 
| 97 | check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS) | 97 | check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS) | 
| 98 | check_nwstat_LDADD = $(NETLIBS) | 98 | check_nwstat_LDADD = $(NETLIBS) | 
| diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab85..e14fb19b 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
| @@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT; | |||
| 93 | char output_string_search[30] = ""; | 93 | char output_string_search[30] = ""; | 
| 94 | char *warning_thresholds = NULL; | 94 | char *warning_thresholds = NULL; | 
| 95 | char *critical_thresholds = NULL; | 95 | char *critical_thresholds = NULL; | 
| 96 | int days_till_exp_warn, days_till_exp_crit; | ||
| 96 | thresholds *thlds; | 97 | thresholds *thlds; | 
| 97 | char user_agent[DEFAULT_BUFFER_SIZE]; | 98 | char user_agent[DEFAULT_BUFFER_SIZE]; | 
| 98 | int verbose = 0; | 99 | int verbose = 0; | 
| @@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; | |||
| 122 | char *client_cert = NULL; | 123 | char *client_cert = NULL; | 
| 123 | char *client_privkey = NULL; | 124 | char *client_privkey = NULL; | 
| 124 | char *ca_cert = NULL; | 125 | char *ca_cert = NULL; | 
| 126 | X509 *cert = NULL; | ||
| 125 | 127 | ||
| 126 | int process_arguments (int, char**); | 128 | int process_arguments (int, char**); | 
| 127 | int check_http (void); | 129 | int check_http (void); | 
| @@ -162,6 +164,19 @@ main (int argc, char **argv) | |||
| 162 | return result; | 164 | return result; | 
| 163 | } | 165 | } | 
| 164 | 166 | ||
| 167 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | ||
| 168 | { | ||
| 169 | cert = X509_STORE_CTX_get_current_cert(x509_ctx); | ||
| 170 | return 1; | ||
| 171 | } | ||
| 172 | |||
| 173 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | ||
| 174 | { | ||
| 175 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
| 176 | |||
| 177 | return CURLE_OK; | ||
| 178 | } | ||
| 179 | |||
| 165 | int | 180 | int | 
| 166 | check_http (void) | 181 | check_http (void) | 
| 167 | { | 182 | { | 
| @@ -177,6 +192,9 @@ check_http (void) | |||
| 177 | if (verbose >= 3) | 192 | if (verbose >= 3) | 
| 178 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); | 193 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); | 
| 179 | 194 | ||
| 195 | /* print everything on stdout like check_http would do */ | ||
| 196 | curl_easy_setopt(curl, CURLOPT_STDERR, stdout); | ||
| 197 | |||
| 180 | /* initialize buffer for body of the answer */ | 198 | /* initialize buffer for body of the answer */ | 
| 181 | if (curlhelp_initbuffer(&body_buf) < 0) | 199 | if (curlhelp_initbuffer(&body_buf) < 0) | 
| 182 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | 200 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | 
| @@ -242,14 +260,16 @@ check_http (void) | |||
| 242 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); | 260 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); | 
| 243 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); | 261 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); | 
| 244 | 262 | ||
| 245 | /* backward-compatible behaviour, be tolerant in checks */ | 263 | /* backward-compatible behaviour, be tolerant in checks | 
| 246 | if (!check_cert) { | 264 | * TODO: depending on more options have aspects we want | 
| 247 | /* TODO: depending on more options have aspects we want | 265 | * to be less tolerant about ssl verfications | 
| 248 | * to be tolerant about | 266 | */ | 
| 249 | * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); | 267 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); | 
| 250 | */ | 268 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); | 
| 251 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); | 269 | |
| 252 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); | 270 | /* set callback to extract certificate */ | 
| 271 | if(check_cert) { | ||
| 272 | curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun); | ||
| 253 | } | 273 | } | 
| 254 | 274 | ||
| 255 | /* set default or user-given user agent identification */ | 275 | /* set default or user-given user agent identification */ | 
| @@ -308,6 +328,16 @@ check_http (void) | |||
| 308 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | 328 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | 
| 309 | } | 329 | } | 
| 310 | 330 | ||
| 331 | /* certificate checks */ | ||
| 332 | #ifdef HAVE_SSL | ||
| 333 | if (use_ssl == TRUE) { | ||
| 334 | if (check_cert == TRUE) { | ||
| 335 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
| 336 | return(result); | ||
| 337 | } | ||
| 338 | } | ||
| 339 | #endif /* HAVE_SSL */ | ||
| 340 | |||
| 311 | /* we got the data and we executed the request in a given time, so we can append | 341 | /* we got the data and we executed the request in a given time, so we can append | 
| 312 | * performance data to the answer always | 342 | * performance data to the answer always | 
| 313 | */ | 343 | */ | 
| @@ -439,6 +469,7 @@ int | |||
| 439 | process_arguments (int argc, char **argv) | 469 | process_arguments (int argc, char **argv) | 
| 440 | { | 470 | { | 
| 441 | int c = 1; | 471 | int c = 1; | 
| 472 | char *temp; | ||
| 442 | 473 | ||
| 443 | enum { | 474 | enum { | 
| 444 | INVERT_REGEX = CHAR_MAX + 1, | 475 | INVERT_REGEX = CHAR_MAX + 1, | 
| @@ -537,8 +568,23 @@ process_arguments (int argc, char **argv) | |||
| 537 | break; | 568 | break; | 
| 538 | case 'C': /* Check SSL cert validity */ | 569 | case 'C': /* Check SSL cert validity */ | 
| 539 | #ifdef LIBCURL_FEATURE_SSL | 570 | #ifdef LIBCURL_FEATURE_SSL | 
| 540 | /* TODO: C:, check age of certificate for backward compatible | 571 | if ((temp=strchr(optarg,','))!=NULL) { | 
| 541 | * behaviour, but we would later add more check conditions */ | 572 | *temp='\0'; | 
| 573 | if (!is_intnonneg (optarg)) | ||
| 574 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
| 575 | days_till_exp_warn = atoi(optarg); | ||
| 576 | *temp=','; | ||
| 577 | temp++; | ||
| 578 | if (!is_intnonneg (temp)) | ||
| 579 | usage2 (_("Invalid certificate expiration period"), temp); | ||
| 580 | days_till_exp_crit = atoi (temp); | ||
| 581 | } | ||
| 582 | else { | ||
| 583 | days_till_exp_crit=0; | ||
| 584 | if (!is_intnonneg (optarg)) | ||
| 585 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
| 586 | days_till_exp_warn = atoi (optarg); | ||
| 587 | } | ||
| 542 | check_cert = TRUE; | 588 | check_cert = TRUE; | 
| 543 | goto enable_ssl; | 589 | goto enable_ssl; | 
| 544 | #endif | 590 | #endif | 
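Review bot: `verify_callback` (new lines 167-171) stores whichever chain element OpenSSL is currently examining and returns 1 whatever `preverify_ok` says, so `cert` holds the last certificate the callback saw rather than necessarily the server's own, and the `-C` expiry check at new line 335 runs on a chain that is never validated because CURLOPT_SSL_VERIFYPEER is now 0 unconditionally at new line 267. If the goal is only to obtain the peer certificate for the date check, capture it at depth 0 and say so: `if (X509_STORE_CTX_get_error_depth(x509_ctx) == 0) cert = X509_STORE_CTX_get_current_cert(x509_ctx); /* leaf only; returning 1 keeps the tolerant legacy behaviour */`. `X509_STORE_CTX_get_current_cert` does not add a reference, so `cert` is borrowed from the session; presumably the handle is still alive when np_net_ssl_check_certificate runs at new line 335, but that should be documented or the pointer pinned with `X509_up_ref`. The new declarations at new lines 126 and 167-178 sit outside any SSL guard while their use at 331-339 is under HAVE_SSL and the option parsing at 570-590 under LIBCURL_FEATURE_SSL, which looks like it will not build without OpenSSL headers and should use one consistent macro. check_http and process_arguments both continue outside these hunks.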
| diff --git a/plugins/sslutils.c b/plugins/sslutils.c index e38947e3..14f6579d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
| @@ -1,29 +1,29 @@ | |||
| 1 | /***************************************************************************** | 1 | /***************************************************************************** | 
| 2 | * | 2 | * | 
| 3 | * Monitoring Plugins SSL utilities | 3 | * Monitoring Plugins SSL utilities | 
| 4 | * | 4 | * | 
| 5 | * License: GPL | 5 | * License: GPL | 
| 6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team | 6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team | 
| 7 | * | 7 | * | 
| 8 | * Description: | 8 | * Description: | 
| 9 | * | 9 | * | 
| 10 | * This file contains common functions for plugins that require SSL. | 10 | * This file contains common functions for plugins that require SSL. | 
| 11 | * | 11 | * | 
| 12 | * | 12 | * | 
| 13 | * This program is free software: you can redistribute it and/or modify | 13 | * This program is free software: you can redistribute it and/or modify | 
| 14 | * it under the terms of the GNU General Public License as published by | 14 | * it under the terms of the GNU General Public License as published by | 
| 15 | * the Free Software Foundation, either version 3 of the License, or | 15 | * the Free Software Foundation, either version 3 of the License, or | 
| 16 | * (at your option) any later version. | 16 | * (at your option) any later version. | 
| 17 | * | 17 | * | 
| 18 | * This program is distributed in the hope that it will be useful, | 18 | * This program is distributed in the hope that it will be useful, | 
| 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 
| 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 
| 21 | * GNU General Public License for more details. | 21 | * GNU General Public License for more details. | 
| 22 | * | 22 | * | 
| 23 | * You should have received a copy of the GNU General Public License | 23 | * You should have received a copy of the GNU General Public License | 
| 24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 
| 25 | * | 25 | * | 
| 26 | * | 26 | * | 
| 27 | *****************************************************************************/ | 27 | *****************************************************************************/ | 
| 28 | 28 | ||
| 29 | #define MAX_CN_LENGTH 256 | 29 | #define MAX_CN_LENGTH 256 | 
| @@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) { | |||
| 193 | 193 | ||
| 194 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | 194 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | 
| 195 | # ifdef USE_OPENSSL | 195 | # ifdef USE_OPENSSL | 
| 196 | X509 *certificate=NULL; | 196 | X509 *certificate = NULL; | 
| 197 | certificate=SSL_get_peer_certificate(s); | ||
| 198 | return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); | ||
| 199 | # else /* ifndef USE_OPENSSL */ | ||
| 200 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); | ||
| 201 | return STATE_WARNING; | ||
| 202 | # endif /* USE_OPENSSL */ | ||
| 203 | } | ||
| 204 | |||
| 205 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ | ||
| 206 | # ifdef USE_OPENSSL | ||
| 197 | X509_NAME *subj=NULL; | 207 | X509_NAME *subj=NULL; | 
| 198 | char timestamp[50] = ""; | 208 | char timestamp[50] = ""; | 
| 199 | char cn[MAX_CN_LENGTH]= ""; | 209 | char cn[MAX_CN_LENGTH]= ""; | 
| 200 | char *tz; | 210 | char *tz; | 
| 201 | 211 | ||
| 202 | int cnlen =-1; | 212 | int cnlen =-1; | 
| 203 | int status=STATE_UNKNOWN; | 213 | int status=STATE_UNKNOWN; | 
| 204 | 214 | ||
| @@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
| 210 | int time_remaining; | 220 | int time_remaining; | 
| 211 | time_t tm_t; | 221 | time_t tm_t; | 
| 212 | 222 | ||
| 213 | certificate=SSL_get_peer_certificate(s); | ||
| 214 | if (!certificate) { | 223 | if (!certificate) { | 
| 215 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 224 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 
| 216 | return STATE_CRITICAL; | 225 | return STATE_CRITICAL; | 
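Review bot: `np_net_ssl_check_cert` calls `np_net_ssl_check_certificate` at new line 198, but the callee is first defined at new line 205 and no header appears in the diffstat, so the call (and the one in check_curl.c) relies on an implicit declaration, a constraint violation since C99 that recent compilers reject. Add a prototype ahead of the first use, in the header that declares `np_net_ssl_check_cert` (not visible here) under the same USE_OPENSSL guard as the X509 type: `int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit);`. The split also changes ownership: `SSL_get_peer_certificate(s)` at new line 197 returns a reference the caller must free, whereas the new check_curl.c caller passes a pointer borrowed from a verify callback, so if the remainder of the body frees `certificate` that is right for one path and a double free for the other; document which caller owns the object, e.g. `/* certificate is borrowed; the caller frees it if it owns a reference */`. np_net_ssl_check_certificate continues outside this hunk.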
