Diffstat (limited to 'web/attachments/118230-check_http.c.diff')
-rw-r--r-- | web/attachments/118230-check_http.c.diff | 133 |
1 files changed, 133 insertions, 0 deletions
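--- /dev/null
+++ b/web/attachments/118230-check_http.c.diff
@@ -0,0 +1,133 @@
+*** nagios-plugins-1.4-beta1/plugins/check_http.c 2004-12-24 03:54:24.000000000 +0900
+--- check_http.c 2005-01-26 15:31:53.374334612 +0900
+***************
+*** 66,71 ****
+--- 66,73 ----
+X509 *server_cert;
+int connect_SSL (void);
+int check_certificate (X509 **);
++ # define VERIFY_CERTIFICATE 10
++ # define CAFILE 11
+#endif
+int no_body = FALSE;
+int maximum_age = -1;
+***************
+*** 111,116 ****
+--- 113,123 ----
+char *http_opt_headers;
+int onredirect = STATE_OK;
+int use_ssl = FALSE;
++ int verify_certificate = FALSE;
++ int use_cafile = FALSE;
++ int CAfile = FALSE;
++ int cert_verify_result;
++ char *trusted_ca_file=NULL;
+int verbose = FALSE;
+int sd;
+int min_page_len = 0;
+***************
+*** 206,211 ****
+--- 213,220 ----
+{"link", no_argument, 0, 'L'},
+{"nohtml", no_argument, 0, 'n'},
+{"ssl", no_argument, 0, 'S'},
++ {"certverify", no_argument, 0, VERIFY_CERTIFICATE},
++ {"CAfile", required_argument, 0, CAFILE},
+{"verbose", no_argument, 0, 'v'},
+{"post", required_argument, 0, 'P'},
+{"IP-address", required_argument, 0, 'I'},
+***************
+*** 315,320 ****
+--- 324,351 ----
+usage4 (_("Invalid option - SSL is not available"));
+#endif
+break;
++ #ifdef HAVE_SSL
++ case VERIFY_CERTIFICATE :
++ use_ssl = TRUE;
++ verify_certificate = TRUE;
++ if (specify_port == FALSE)
++ server_port = HTTPS_PORT;
++ #else
++ usage4 (_("Invalid option - SSL is not available"));
++ #endif
++ break;
++
++ #ifdef HAVE_SSL
++ case CAFILE :
++ if (!verify_certificate) usage2(_("Verify Certificate option not enabled"),optarg);
++ use_cafile = TRUE;
++ trusted_ca_file = strdup (optarg);
++ #else
++ usage4 (_("Invalid option - SSL is not available"));
++ #endif
++ break;
++
++
+case 'f': /* onredirect */
+if (!strcmp (optarg, "follow"))
+onredirect = STATE_DEPENDENT;
+***************
+*** 732,738 ****
+--- 763,771 ----
+die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
+}
+
++ SSL_get_peer_cert_chain(ssl); /* We don't really mind if there is no cert chain as only the peer cert is needed */
+if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
++ cert_verify_result = SSL_get_verify_result( ssl );
+X509_free (server_cert);
+}
+else {
+***************
+*** 740,745 ****
+--- 773,785 ----
+return STATE_CRITICAL;
+}
+
++ if (verify_certificate) {
++ if (cert_verify_result != X509_V_OK) {
++ printf ("CRITICAL - Certificate error : %s\n", X509_verify_cert_error_string(cert_verify_result) );
++ return STATE_CRITICAL;
++ }
++ }
++
+}
+else {
+#endif
+***************
+*** 1191,1196 ****
+--- 1231,1246 ----
+return STATE_CRITICAL;
+}
+
++ if (use_cafile) {
++ SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(trusted_ca_file));
++ if (!SSL_CTX_load_verify_locations(ctx, trusted_ca_file, NULL)) {
++ printf (_("CRITICAL - Cannot load CAfile.\n"));
++ }else {
++ SSL_CTX_set_default_verify_paths(ctx);
++ }
++ }
++
++
+/* Initialize alarm signal handling */
+signal (SIGALRM, socket_timeout_alarm_handler);
+
+***************
+*** 1477,1482 ****
+--- 1527,1540 ----
+STATE_OK is returned. When the certificate is still valid, but for less than\n\
+14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when\n\
+the certificate is expired.\n"));
++
++ printf (_("\n\
++ CHECK CERTIFICATE VALIDITY: check_http www.myhost.com --certverify \n\n\
++ Checks to see the validity of a certificate, will return a critical on any \n\
++ certificate error including self signed, untrusted issuer, decryption errors\n\
++ or certificate revocation.\n\
++ Full list : http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS\n\n"));
++
+#endif
+
+printf (_(UT_SUPPORT));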
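Review bot: In the `--CAfile` hunk (old lines 1191–1196), a failed `SSL_CTX_load_verify_locations` only prints the CRITICAL line and falls through, and a successful load is followed by `SSL_CTX_set_default_verify_paths`, so the supplied file widens the trust store rather than pinning it — a certificate chaining to any system CA still passes `--certverify`. `SSL_CTX_set_client_CA_list`/`SSL_load_client_CA_file` configure the CA names a server advertises for client authentication and have no effect on a client's verification, so they should go. Conversely, when `--certverify` is given without `--CAfile`, this hunk loads no verify locations at all, so unless another hunk outside this view does, every verification would fail with an unable-to-get-issuer error. Note too that `SSL_get_verify_result` judges the chain only; nothing visible compares the certificate's subject or SAN to the requested host, and the help text added at the end should say so rather than implying full validity. The enclosing function starts and ends outside the hunk; I would replace the block with:
```c
/* … unchanged: SSL context creation and its error return … */
if (use_cafile) {
	/* Pin trust to the supplied file; do not also add the system store. */
	if (!SSL_CTX_load_verify_locations (ctx, trusted_ca_file, NULL))
		die (STATE_CRITICAL, _("CRITICAL - Cannot load CAfile.\n"));
} else if (verify_certificate) {
	if (!SSL_CTX_set_default_verify_paths (ctx))
		die (STATE_CRITICAL, _("CRITICAL - Cannot load default CA paths.\n"));
}
/* … unchanged: alarm signal handling … */
```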