From fa3d2a4074e1bd8526e37ba5e1a214ae4a1774cf Mon Sep 17 00:00:00 2001
From: William Leibzon
Date: Mon, 21 May 2012 18:46:45 -0700
Subject: applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 315848f..703e317 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -58,8 +58,8 @@ enum {
#ifdef HAVE_SSL
int check_cert = FALSE;
-int days_till_exp;
int ssl_version;
+int days_till_exp_warn, days_till_exp_crit;
char *randbuff;
X509 *server_cert;
# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -178,6 +178,7 @@ process_arguments (int argc, char **argv)
{
int c = 1;
char *p;
+ char *temp;
enum {
INVERT_REGEX = CHAR_MAX + 1,
@@ -282,13 +283,25 @@ process_arguments (int argc, char **argv)
break;
case 'C': /* Check SSL cert validity */
#ifdef HAVE_SSL
- if (!is_intnonneg (optarg))
- usage2 (_("Invalid certificate expiration period"), optarg);
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp='\0';
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi(optarg);
+ *temp=',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ }
else {
- days_till_exp = atoi (optarg);
- check_cert = TRUE;
+ days_till_exp_crit=0;
+ if (!is_intnonneg (optarg))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi (optarg);
}
- /* Fall through to -S option */
+ check_cert = TRUE;
+ /* Fall through to -S option */
#endif
case 'S': /* use SSL */
#ifndef HAVE_SSL
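Review bot: In the comma branch of `case 'C'`, `*temp='\0'` is written first and only then is `is_intnonneg (temp)` called, so the value validated is the empty string sitting at the comma rather than the warning count in front of it, and `days_till_exp_warn = atoi(optarg)` is taken from unvalidated text. The check should read `if (!is_intnonneg (optarg))`. The same line appears in the `case 'D'` hunks of check_smtp.c and check_tcp.c in this commit. Neither branch verifies that the critical threshold does not exceed the warning one, so `-C 14,30` is accepted even though np_net_ssl_check_cert, as patched further down, only consults the critical value once days_left is already inside the warning window; a `usage2` on `days_till_exp_crit > days_till_exp_warn` after the parse would catch that. The enclosing switch continues outside the hunk (the case falls through to `case 'S'`).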
@@ -810,7 +823,7 @@ check_http (void)
if (result != STATE_OK)
return result;
if (check_cert == TRUE) {
- result = np_net_ssl_check_cert(days_till_exp);
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
np_net_ssl_cleanup();
if (sd) close(sd);
return result;
@@ -1427,6 +1440,13 @@ print_help (void)
printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
printf (" %s\n", _("the certificate is expired."));
+
+ printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
+ printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+ printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+ printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+ printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+
#endif
printf (UT_SUPPORT);
@@ -1444,6 +1464,6 @@ print_usage (void)
printf (" [-b proxy_auth] [-f ]\n");
printf (" [-e ] [-s string] [-l] [-r | -R ]\n");
printf (" [-P string] [-m :] [-4|-6] [-N] [-M ]\n");
- printf (" [-A string] [-k string] [-S ] [--sni] [-C ] [-T ]\n");
- printf (" [-j method]\n");
+ printf (" [-A string] [-k string] [-S ] [--sni] [-C [,]]\n");
+ printf (" [-T ] [-j method]\n");
}
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 494bc2c..0af50e3 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
#ifdef HAVE_SSL
int check_cert = FALSE;
-int days_till_exp;
+int days_till_exp_warn, days_till_exp_crit;
# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
#else /* ifndef HAVE_SSL */
@@ -275,7 +275,7 @@ main (int argc, char **argv)
# ifdef USE_OPENSSL
if ( check_cert ) {
- result = np_net_ssl_check_cert(days_till_exp);
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
my_close();
return result;
}
@@ -454,6 +454,7 @@ int
process_arguments (int argc, char **argv)
{
int c;
+ char* temp;
int option = 0;
static struct option longopts[] = {
@@ -600,12 +601,26 @@ process_arguments (int argc, char **argv)
case 'D': /* Check SSL cert validity */
#ifdef USE_OPENSSL
- if (!is_intnonneg (optarg))
- usage2 ("Invalid certificate expiration period",optarg);
- days_till_exp = atoi (optarg);
- check_cert = TRUE;
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp='\0';
+ if (!is_intnonneg (temp))
+ usage2 ("Invalid certificate expiration period", optarg);
+ days_till_exp_warn = atoi(optarg);
+ *temp=',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ }
+ else {
+ days_till_exp_crit=0;
+ if (!is_intnonneg (optarg))
+ usage2 ("Invalid certificate expiration period", optarg);
+ days_till_exp_warn = atoi (optarg);
+ }
+ check_cert = TRUE;
#else
- usage (_("SSL support not available - install OpenSSL and recompile"));
+ usage (_("SSL support not available - install OpenSSL and recompile"));
#endif
break;
case '4':
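Review bot: The three `usage2` calls added under `case 'D'` are inconsistent about translation: the first and third pass the bare literal `"Invalid certificate expiration period"` while the middle one wraps it as `_("Invalid certificate expiration period")`, so only one of the three messages would be picked up for translation. Either wrap all three or none; the check_http.c and check_tcp.c hunks in this commit wrap theirs, so `usage2 (_("Invalid certificate expiration period"), optarg);` in both unwrapped places would match them. The surrounding switch continues outside the hunk.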
@@ -802,7 +817,7 @@ print_help (void)
printf (" %s\n", "-F, --fqdn=STRING");
printf (" %s\n", _("FQDN used for HELO"));
#ifdef HAVE_SSL
- printf (" %s\n", "-D, --certificate=INTEGER");
+ printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
printf (" %s\n", _("Minimum number of days a certificate has to be valid."));
printf (" %s\n", "-S, --starttls");
printf (" %s\n", _("Use STARTTLS for the connection."));
@@ -838,8 +853,8 @@ void
print_usage (void)
{
printf ("%s\n", _("Usage:"));
- printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname);
- printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n");
- printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n");
+ printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname);
+ printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n");
+ printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n");
}
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index d3c92a4..7b0f7f8 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
#ifdef HAVE_SSL
static int check_cert = FALSE;
-static int days_till_exp;
+static int days_till_exp_warn, days_till_exp_crit;
# define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
# define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
#else
@@ -235,7 +235,7 @@ main (int argc, char **argv)
if (flags & FLAG_SSL){
result = np_net_ssl_init(sd);
if (result == STATE_OK && check_cert == TRUE) {
- result = np_net_ssl_check_cert(days_till_exp);
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
}
}
if(result != STATE_OK || check_cert == TRUE){
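Review bot: The option line in check_smtp.c's print_help now advertises `-D, --certificate=INTEGER[,INTEGER]`, but the description beneath it still says only `Minimum number of days a certificate has to be valid.`, so a reader cannot tell which value is the warning threshold, which is the critical one, or what the second defaults to. The check_tcp.c help hunk in this same commit adds `printf (" %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));` right after that line; adding the same line here keeps the two plugins' help text aligned with the shared parser. print_help continues outside the hunk.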
@@ -380,6 +380,7 @@ process_arguments (int argc, char **argv)
{
int c;
int escape = 0;
+ char *temp;
int option = 0;
static struct option longopts[] = {
@@ -552,9 +553,22 @@ process_arguments (int argc, char **argv)
case 'D': /* Check SSL cert validity - days 'til certificate expiration */
#ifdef HAVE_SSL
# ifdef USE_OPENSSL /* XXX */
- if (!is_intnonneg (optarg))
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp='\0';
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi(optarg);
+ *temp=',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ }
+ else {
+ days_till_exp_crit=0;
+ if (!is_intnonneg (optarg))
usage2 (_("Invalid certificate expiration period"), optarg);
- days_till_exp = atoi (optarg);
+ days_till_exp_warn = atoi (optarg);
+ }
check_cert = TRUE;
flags |= FLAG_SSL;
break;
@@ -626,8 +640,9 @@ print_help (void)
printf (" %s\n", _("Seconds to wait between sending string and polling for response"));
#ifdef HAVE_SSL
- printf (" %s\n", "-D, --certificate=INTEGER");
+ printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
printf (" %s\n", _("Minimum number of days a certificate has to be valid."));
+ printf (" %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
printf (" %s\n", "-S, --ssl");
printf (" %s\n", _("Use SSL for the connection."));
#endif
@@ -649,6 +664,6 @@ print_usage (void)
printf ("%s -H host -p port [-w ] [-c ] [-s ]\n",progname);
printf ("[-e ] [-q ][-m ] [-d ]\n");
printf ("[-t ] [-r ] [-M ] [-v] [-4|-6] [-j]\n");
- printf ("[-D ] [-S ] [-E]\n");
+ printf ("[-D [,]] [-S ] [-E]\n");
}
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 572a3ae..21017f1 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
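Review bot: In the comma branch of check_tcp.c's `case 'D'`, the added text `usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi(optarg);` carries no diff marker between the two statements, and the hunk header's new-side count of 22 only adds up if they share one source line. If that is what the commit contains, the assignment belongs on its own line after the `if`, the way the check_http.c and check_smtp.c versions of this block are laid out; sitting on the same line as the `if` body it reads as though it were conditional. The rest of process_arguments lies outside the hunk.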
@@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name);
void np_net_ssl_cleanup();
int np_net_ssl_write(const void *buf, int num);
int np_net_ssl_read(void *buf, int num);
-int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
#endif /* HAVE_SSL */
#endif /* _NETUTILS_H_ */
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 5425bb2..fe31b56 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) {
return SSL_read(s, buf, num);
}
-int np_net_ssl_check_cert(int days_till_exp) {
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
# ifdef USE_OPENSSL
X509 *certificate=NULL;
X509_NAME *subj=NULL;
@@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) {
stamp.tm_mon + 1, stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
- if (days_left > 0 && days_left <= days_till_exp) {
- printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
- status=STATE_WARNING;
+ if (days_left > 0 && days_left <= days_till_exp_warn) {
+ printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp);
+ if (days_left > days_till_exp_crit)
+ return STATE_WARNING;
+ else
+ return STATE_CRITICAL;
} else if (time_left < 0) {
printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
status=STATE_CRITICAL;
} else if (days_left == 0) {
- printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
- status=STATE_WARNING;
+ printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp);
+ if (days_left > days_till_exp_crit)
+ return STATE_WARNING;
+ else
+ return STATE_CRITICAL;
} else {
printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
status=STATE_OK;
--
cgit v0.10-9-g596f
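Review bot: The status label printed in the warning-window branch is inverted: `(days_left>days_till_exp_crit)?"CRITICAL":"WARNING"` prints CRITICAL exactly when the `if` two lines below returns STATE_WARNING, and the `days_left == 0` branch has the same mismatch (with a non-negative critical threshold that branch always returns STATE_CRITICAL but prints WARNING), so the plugin output text and its exit state disagree. Both ternaries should read `?"WARNING":"CRITICAL"`. The new `return` statements also leave the function from the middle of the if-chain while the neighbouring branches set `status` instead; if the function releases the certificate and returns `status` after this block (outside the hunk, so unverified here), the early returns skip that cleanup. Assigning `status` as the other branches do keeps one exit path, as below.
```c
	if (days_left > 0 && days_left <= days_till_exp_warn) {
		printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
		status = (days_left>days_till_exp_crit) ? STATE_WARNING : STATE_CRITICAL;
	} else if (time_left < 0) {
		/* … unchanged: expired branch … */
	} else if (days_left == 0) {
		printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
		status = (days_left>days_till_exp_crit) ? STATE_WARNING : STATE_CRITICAL;
	} else {
		/* … unchanged: OK branch … */
```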