summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Guyot-Sionnest <dermoth@aei.ca>2011-02-04 00:54:52 -0500
committerThomas Guyot-Sionnest <dermoth@aei.ca>2011-02-04 00:54:52 -0500
commit4611e41bc50d15275b316c6f21b688997a9c78c4 (patch)
tree1de69d9b99ef3986d5680fd9b8a581ce150dd93e
parent1a5a83bb82c35d888229fe9f815fbc663c0f4d3c (diff)
downloadmonitoring-plugins-4611e41bc50d15275b316c6f21b688997a9c78c4.tar.gz
check_http: check for and print the certificate cn
This patch adds a check for the certificate cn (hostname) to normal certificate checks. It returns CRITICAL if th cn is missing, otherwise it prints it in the normal output. Patch by Stéphane Urbanovski
-rw-r--r--NEWS1
-rw-r--r--THANKS.in1
-rw-r--r--plugins/sslutils.c38
-rw-r--r--plugins/t/check_http.t2
-rwxr-xr-xplugins/tests/check_http.t6
5 files changed, 34 insertions, 14 deletions
diff --git a/NEWS b/NEWS
index 540e0cfa..d7fea273 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ This file documents the major additions and syntax changes between releases.
5 check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly) 5 check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly)
6 check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) 6 check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699)
7 check_http now uses standard threshold functions (enables floating point and ranges) 7 check_http now uses standard threshold functions (enables floating point and ranges)
8 check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski)
8 9
9 FIXES 10 FIXES
10 Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603) 11 Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603)
diff --git a/THANKS.in b/THANKS.in
index ac2b1c24..387a3794 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -266,3 +266,4 @@ Stephane Chazelas
266Craig Leres 266Craig Leres
267Brian Landers 267Brian Landers
268Ryan Kelly 268Ryan Kelly
269Stéphane Urbanovski
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 64f4d61c..0bc61ed3 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -3,7 +3,7 @@
3* Nagios plugins SSL utilities 3* Nagios plugins SSL utilities
4* 4*
5* License: GPL 5* License: GPL
6* Copyright (c) 2005-2007 Nagios Plugins Development Team 6* Copyright (c) 2005-2010 Nagios Plugins Development Team
7* 7*
8* Description: 8* Description:
9* 9*
@@ -26,6 +26,7 @@
26* 26*
27*****************************************************************************/ 27*****************************************************************************/
28 28
29#define MAX_CN_LENGTH 256
29#define LOCAL_TIMEOUT_ALARM_HANDLER 30#define LOCAL_TIMEOUT_ALARM_HANDLER
30#include "common.h" 31#include "common.h"
31#include "netutils.h" 32#include "netutils.h"
@@ -97,6 +98,11 @@ int np_net_ssl_read(void *buf, int num){
97int np_net_ssl_check_cert(int days_till_exp){ 98int np_net_ssl_check_cert(int days_till_exp){
98# ifdef USE_OPENSSL 99# ifdef USE_OPENSSL
99 X509 *certificate=NULL; 100 X509 *certificate=NULL;
101 X509_NAME *subj=NULL;
102 char cn[MAX_CN_LENGTH]= "";
103 int cnlen =-1;
104 int status=STATE_UNKNOWN;
105
100 ASN1_STRING *tm; 106 ASN1_STRING *tm;
101 int offset; 107 int offset;
102 struct tm stamp; 108 struct tm stamp;
@@ -110,6 +116,17 @@ int np_net_ssl_check_cert(int days_till_exp){
110 return STATE_CRITICAL; 116 return STATE_CRITICAL;
111 } 117 }
112 118
119 /* Extract CN from certificate subject */
120 subj=X509_get_subject_name(certificate);
121
122 if(! subj){
123 printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
124 return STATE_CRITICAL;
125 }
126 cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
127 if ( cnlen == -1 )
128 strcpy(cn , _("Unknown CN"));
129
113 /* Retrieve timestamp of certificate */ 130 /* Retrieve timestamp of certificate */
114 tm = X509_get_notAfter (certificate); 131 tm = X509_get_notAfter (certificate);
115 132
@@ -155,19 +172,20 @@ int np_net_ssl_check_cert(int days_till_exp){
155 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); 172 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
156 173
157 if (days_left > 0 && days_left <= days_till_exp) { 174 if (days_left > 0 && days_left <= days_till_exp) {
158 printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); 175 printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
159 return STATE_WARNING; 176 status=STATE_WARNING;
160 } else if (time_left < 0) { 177 } else if (time_left < 0) {
161 printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); 178 printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
162 return STATE_CRITICAL; 179 status=STATE_CRITICAL;
163 } else if (days_left == 0) { 180 } else if (days_left == 0) {
164 printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); 181 printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
165 return STATE_WARNING; 182 status=STATE_WARNING;
183 } else {
184 printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
185 status=STATE_OK;
166 } 186 }
167
168 printf (_("OK - Certificate will expire on %s.\n"), timestamp);
169 X509_free (certificate); 187 X509_free (certificate);
170 return STATE_OK; 188 return status;
171# else /* ifndef USE_OPENSSL */ 189# else /* ifndef USE_OPENSSL */
172 printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); 190 printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
173 return STATE_WARNING; 191 return STATE_WARNING;
diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t
index c43a64a9..55a5a530 100644
--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
@@ -102,7 +102,7 @@ SKIP: {
102 102
103 $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" ); 103 $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" );
104 cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com"); 104 cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com");
105 like ( $res->output, '/Certificate will expire on/', "Output OK" ); 105 like ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" );
106 my $saved_cert_output = $res->output; 106 my $saved_cert_output = $res->output;
107 107
108 $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" ); 108 $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" );
diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t
index 74eff175..9ae6bbdc 100755
--- a/plugins/tests/check_http.t
+++ b/plugins/tests/check_http.t
@@ -182,17 +182,17 @@ SKIP: {
182 182
183 $result = NPTest->testCmd( "$command -p $port_https -S -C 14" ); 183 $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
184 is( $result->return_code, 0, "$command -p $port_https -S -C 14" ); 184 is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
185 is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" ); 185 is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" );
186 186
187 $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" ); 187 $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
188 is( $result->return_code, 1, "$command -p $port_https -S -C 14000" ); 188 is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
189 like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" ); 189 like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
190 190
191 # Expired cert tests 191 # Expired cert tests
192 $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" ); 192 $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
193 is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" ); 193 is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
194 is( $result->output, 194 is( $result->output,
195 'CRITICAL - Certificate expired on 03/05/2009 00:13.', 195 'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.',
196 "output ok" ); 196 "output ok" );
197 197
198} 198}