*** nagios-plugins-1.4-beta1/plugins/check_http.c 2004-12-24 03:54:24.000000000 +0900 --- check_http.c 2005-01-26 15:31:53.374334612 +0900 *************** *** 66,71 **** --- 66,73 ---- X509 *server_cert; int connect_SSL (void); int check_certificate (X509 **); + # define VERIFY_CERTIFICATE 10 + # define CAFILE 11 #endif int no_body = FALSE; int maximum_age = -1; *************** *** 111,116 **** --- 113,123 ---- char *http_opt_headers; int onredirect = STATE_OK; int use_ssl = FALSE; + int verify_certificate = FALSE; + int use_cafile = FALSE; + int CAfile = FALSE; + int cert_verify_result; + char *trusted_ca_file=NULL; int verbose = FALSE; int sd; int min_page_len = 0; *************** *** 206,211 **** --- 213,220 ---- {"link", no_argument, 0, 'L'}, {"nohtml", no_argument, 0, 'n'}, {"ssl", no_argument, 0, 'S'}, + {"certverify", no_argument, 0, VERIFY_CERTIFICATE}, + {"CAfile", required_argument, 0, CAFILE}, {"verbose", no_argument, 0, 'v'}, {"post", required_argument, 0, 'P'}, {"IP-address", required_argument, 0, 'I'}, *************** *** 315,320 **** --- 324,351 ---- usage4 (_("Invalid option - SSL is not available")); #endif break; + #ifdef HAVE_SSL + case VERIFY_CERTIFICATE : + use_ssl = TRUE; + verify_certificate = TRUE; + if (specify_port == FALSE) + server_port = HTTPS_PORT; + #else + usage4 (_("Invalid option - SSL is not available")); + #endif + break; + + #ifdef HAVE_SSL + case CAFILE : + if (!verify_certificate) usage2(_("Verify Certificate option not enabled"),optarg); + use_cafile = TRUE; + trusted_ca_file = strdup (optarg); + #else + usage4 (_("Invalid option - SSL is not available")); + #endif + break; + + case 'f': /* onredirect */ if (!strcmp (optarg, "follow")) onredirect = STATE_DEPENDENT; *************** *** 732,738 **** --- 763,771 ---- die (STATE_CRITICAL, _("Unable to open TCP socket\n")); } + SSL_get_peer_cert_chain(ssl); /* We don't really mind if there is no cert chain as only the peer cert is needed */ if ((server_cert = 
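Review bot: `VERIFY_CERTIFICATE` and `CAFILE` are defined inside the `#ifdef HAVE_SSL` block, yet the option-table entries added in the 206,211 hunk (`{"certverify", no_argument, 0, VERIFY_CERTIFICATE}`, `{"CAfile", required_argument, 0, CAFILE}`) sit next to the unguarded `"ssl"` entry, so a build without SSL would hit two undefined identifiers there. The two values are plain integers and harmless without SSL, so the simplest fix is to move the two `# define` lines above the `#ifdef`; guarding the two table entries instead works too. If the option table is itself wrapped in a HAVE_SSL guard further up, which the three context lines cannot show, this does not apply.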
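Review bot: `int cert_verify_result;` is a zero-initialised global and `X509_V_OK` is 0, so the check added in the 740,745 hunk passes whenever the result was never stored (it is only assigned when `SSL_get_peer_certificate` returns a certificate). Initialise it to something that is not a verification result, `int cert_verify_result = -1;`, so the default is failure rather than success. `int CAfile = FALSE;` is not referenced anywhere in this patch — `use_cafile` and `trusted_ca_file` carry the state — so it looks like a leftover and should be dropped.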
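Review bot: `--CAfile` is rejected with `usage2` unless `--certverify` was already parsed, which makes the outcome depend on argument order: `--CAfile f --certverify` fails while `--certverify --CAfile f` works. Record `use_cafile` and `trusted_ca_file` unconditionally here and validate the combination after the option loop, where `verify_certificate` is final. Unlike the existing `'S'` case, both new `case` labels are placed inside the `#ifdef HAVE_SSL`, so in a non-SSL build the `#else` `usage4` call has no label and is never reached. Brace the one-line `if (!verify_certificate) ...` like the rest of the option handling.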
SSL_get_peer_certificate (ssl)) != NULL) { + cert_verify_result = SSL_get_verify_result( ssl ); X509_free (server_cert); } else { *************** *** 740,745 **** --- 773,785 ---- return STATE_CRITICAL; } + if (verify_certificate) { + if (cert_verify_result != X509_V_OK) { + printf ("CRITICAL - Certificate error : %s\n", X509_verify_cert_error_string(cert_verify_result) ); + return STATE_CRITICAL; + } + } + } else { #endif *************** *** 1191,1196 **** --- 1231,1246 ---- return STATE_CRITICAL; } + if (use_cafile) { + SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(trusted_ca_file)); + if (!SSL_CTX_load_verify_locations(ctx, trusted_ca_file, NULL)) { + printf (_("CRITICAL - Cannot load CAfile.\n")); + }else { + SSL_CTX_set_default_verify_paths(ctx); + } + } + + /* Initialize alarm signal handling */ signal (SIGALRM, socket_timeout_alarm_handler); *************** *** 1477,1482 **** --- 1527,1540 ---- STATE_OK is returned. When the certificate is still valid, but for less than\n\ 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when\n\ the certificate is expired.\n")); + + printf (_("\n\ + CHECK CERTIFICATE VALIDITY: check_http www.myhost.com --certverify \n\n\ + Checks to see the validity of a certificate, will return a critical on any \n\ + certificate error including self signed, untrusted issuer, decryption errors\n\ + or certificate revocation.\n\ + Full list : http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS\n\n")); + #endif printf (_(UT_SUPPORT));
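Review bot: `SSL_get_peer_cert_chain(ssl);` discards its return value, so the line does nothing; the comment beside it says the chain is not needed, so the call should be removed rather than left as a no-op. If the intent was to make sure chain errors surface, `SSL_get_verify_result` already reports the outcome of chain building, so nothing is lost by dropping it. The enclosing function starts and ends outside the hunk.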
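Review bot: `SSL_get_verify_result` reports whether the chain verified against the trust store (signature, issuer, validity period), not whether the certificate was issued for the host the plugin was pointed at, so a valid certificate for some other name passes `--certverify`; the OpenSSL APIs of this era do no name matching on their own. An operator relying on this option would expect the subject CN / subjectAltName dNSName to be compared against the host, or at least the help text to state that name matching is not done. The error line is also the only new output not wrapped for translation; `printf (_("CRITICAL - Certificate error : %s\n"), X509_verify_cert_error_string(cert_verify_result));` matches the surrounding messages. The enclosing function starts outside the hunk.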
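Review bot: When `SSL_CTX_load_verify_locations` fails the code prints a CRITICAL line but carries on into the connection, so the plugin emits a second status line afterwards and the final state is decided elsewhere; it should return `STATE_CRITICAL`, as the context line just above this hunk does. In the success branch `SSL_CTX_set_default_verify_paths(ctx)` adds the system trust store on top of the operator's CA file, so a certificate chaining to any system-trusted CA still passes although `--CAfile` was given; if the option is meant to pin trust to that file, that call belongs in the no-`--CAfile` path instead (nothing in this hunk loads any trust anchors when `use_cafile` is false, so `--certverify` alone appears to have no trust store unless `ctx` is populated elsewhere in the function). `SSL_CTX_set_client_CA_list` only sets the CA names a server advertises in its certificate request, so on this client side it has no effect, and the `SSL_load_client_CA_file` result it consumes is unchecked. The rewritten block is below; the enclosing function starts outside the hunk.
```c
	if (use_cafile) {
		/* Trust only the operator-supplied CA file; the default store is
		 * deliberately not added, so --CAfile pins the trust anchors. */
		if (!SSL_CTX_load_verify_locations(ctx, trusted_ca_file, NULL)) {
			printf (_("CRITICAL - Cannot load CAfile.\n"));
			return STATE_CRITICAL;
		}
	} else if (verify_certificate) {
		/* No --CAfile given: verify against the system trust store. */
		if (!SSL_CTX_set_default_verify_paths(ctx)) {
			printf (_("CRITICAL - Cannot load default CA paths.\n"));
			return STATE_CRITICAL;
		}
	}
	/* … unchanged: alarm signal setup … */
```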
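Review bot: The help text promises a CRITICAL on "certificate revocation", but nothing in this patch loads a CRL or enables revocation checking, so a revoked certificate with an otherwise valid chain passes. List only what the verification result actually covers (self-signed or untrusted issuer, bad signature, expired or not-yet-valid certificate) and say explicitly that the host name is not matched against the certificate. Self-signed and untrusted-issuer errors are genuinely caught, so those two examples can stay.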