author | Thomas Guyot-Sionnest <dermoth@aei.ca> | 2011-02-04 00:54:52 -0500 |
---|---|---|
committer | Thomas Guyot-Sionnest <dermoth@aei.ca> | 2011-02-04 00:54:52 -0500 |
commit | 4611e41bc50d15275b316c6f21b688997a9c78c4 (patch) | |
tree | 1de69d9b99ef3986d5680fd9b8a581ce150dd93e | |
parent | 1a5a83bb82c35d888229fe9f815fbc663c0f4d3c (diff) | |
check_http: check for and print the certificate cn
This patch adds a check for the certificate cn (hostname) to normal
certificate checks. It returns CRITICAL if the cn is missing, otherwise it
prints it in the normal output.
Patch by Stéphane Urbanovski
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | THANKS.in | 1 | ||||
-rw-r--r-- | plugins/sslutils.c | 38 | ||||
-rw-r--r-- | plugins/t/check_http.t | 2 | ||||
-rwxr-xr-x | plugins/tests/check_http.t | 6 |
5 files changed, 34 insertions, 14 deletions
@@ -5,6 +5,7 @@ This file documents the major additions and syntax changes between releases. | |||
5 | check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly) | 5 | check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly) |
6 | check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) | 6 | check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) |
7 | check_http now uses standard threshold functions (enables floating point and ranges) | 7 | check_http now uses standard threshold functions (enables floating point and ranges) |
8 | check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski) | ||
8 | 9 | ||
9 | FIXES | 10 | FIXES |
10 | Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603) | 11 | Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603) |
@@ -266,3 +266,4 @@ Stephane Chazelas | |||
266 | Craig Leres | 266 | Craig Leres |
267 | Brian Landers | 267 | Brian Landers |
268 | Ryan Kelly | 268 | Ryan Kelly |
269 | Stéphane Urbanovski | ||
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 64f4d61c..0bc61ed3 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -3,7 +3,7 @@ | |||
3 | * Nagios plugins SSL utilities | 3 | * Nagios plugins SSL utilities |
4 | * | 4 | * |
5 | * License: GPL | 5 | * License: GPL |
6 | * Copyright (c) 2005-2007 Nagios Plugins Development Team | 6 | * Copyright (c) 2005-2010 Nagios Plugins Development Team |
7 | * | 7 | * |
8 | * Description: | 8 | * Description: |
9 | * | 9 | * |
@@ -26,6 +26,7 @@ | |||
26 | * | 26 | * |
27 | *****************************************************************************/ | 27 | *****************************************************************************/ |
28 | 28 | ||
29 | #define MAX_CN_LENGTH 256 | ||
29 | #define LOCAL_TIMEOUT_ALARM_HANDLER | 30 | #define LOCAL_TIMEOUT_ALARM_HANDLER |
30 | #include "common.h" | 31 | #include "common.h" |
31 | #include "netutils.h" | 32 | #include "netutils.h" |
@@ -97,6 +98,11 @@ int np_net_ssl_read(void *buf, int num){ | |||
97 | int np_net_ssl_check_cert(int days_till_exp){ | 98 | int np_net_ssl_check_cert(int days_till_exp){ |
98 | # ifdef USE_OPENSSL | 99 | # ifdef USE_OPENSSL |
99 | X509 *certificate=NULL; | 100 | X509 *certificate=NULL; |
101 | X509_NAME *subj=NULL; | ||
102 | char cn[MAX_CN_LENGTH]= ""; | ||
103 | int cnlen =-1; | ||
104 | int status=STATE_UNKNOWN; | ||
105 | |||
100 | ASN1_STRING *tm; | 106 | ASN1_STRING *tm; |
101 | int offset; | 107 | int offset; |
102 | struct tm stamp; | 108 | struct tm stamp; |
@@ -110,6 +116,17 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
110 | return STATE_CRITICAL; | 116 | return STATE_CRITICAL; |
111 | } | 117 | } |
112 | 118 | ||
119 | /* Extract CN from certificate subject */ | ||
120 | subj=X509_get_subject_name(certificate); | ||
121 | |||
122 | if(! subj){ | ||
123 | printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | ||
124 | return STATE_CRITICAL; | ||
125 | } | ||
126 | cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); | ||
127 | if ( cnlen == -1 ) | ||
128 | strcpy(cn , _("Unknown CN")); | ||
129 | |||
113 | /* Retrieve timestamp of certificate */ | 130 | /* Retrieve timestamp of certificate */ |
114 | tm = X509_get_notAfter (certificate); | 131 | tm = X509_get_notAfter (certificate); |
115 | 132 | ||
@@ -155,19 +172,20 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
155 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | 172 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); |
156 | 173 | ||
157 | if (days_left > 0 && days_left <= days_till_exp) { | 174 | if (days_left > 0 && days_left <= days_till_exp) { |
158 | printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); | 175 | printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); |
159 | return STATE_WARNING; | 176 | status=STATE_WARNING; |
160 | } else if (time_left < 0) { | 177 | } else if (time_left < 0) { |
161 | printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); | 178 | printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
162 | return STATE_CRITICAL; | 179 | status=STATE_CRITICAL; |
163 | } else if (days_left == 0) { | 180 | } else if (days_left == 0) { |
164 | printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); | 181 | printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); |
165 | return STATE_WARNING; | 182 | status=STATE_WARNING; |
183 | } else { | ||
184 | printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | ||
185 | status=STATE_OK; | ||
166 | } | 186 | } |
167 | |||
168 | printf (_("OK - Certificate will expire on %s.\n"), timestamp); | ||
169 | X509_free (certificate); | 187 | X509_free (certificate); |
170 | return STATE_OK; | 188 | return status; |
171 | # else /* ifndef USE_OPENSSL */ | 189 | # else /* ifndef USE_OPENSSL */ |
172 | printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 190 | printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
173 | return STATE_WARNING; | 191 | return STATE_WARNING; |
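Review bot: The new `if(! subj)` branch returns STATE_CRITICAL after `certificate` has been obtained but before the `X509_free (certificate)` at the bottom of the function, so it leaks the peer certificate reference even though the same commit routes the expiry branches through `status` precisely to reach that single free; add `X509_free (certificate);` before that `return STATE_CRITICAL;` (or set `status` and fall through to the free). The commit message says a missing CN returns CRITICAL, but the `cnlen == -1` case only substitutes `_("Unknown CN")` and carries on, so either the message or the code should be brought in line with the other. `cn` is copied from the peer-supplied subject and echoed verbatim via `'%s'` into the plugin's single-line status output, so it should be treated as untrusted input and have non-printable bytes filtered before it is printed. Note also that the CN is only displayed, never compared with the host being checked, so this does not add hostname verification despite the "(hostname)" wording. np_net_ssl_check_cert spans several hunks here and its body continues between and beyond them.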
diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t index c43a64a9..55a5a530 100644 --- a/plugins/t/check_http.t +++ b/plugins/t/check_http.t | |||
@@ -102,7 +102,7 @@ SKIP: { | |||
102 | 102 | ||
103 | $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" ); | 103 | $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" ); |
104 | cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com"); | 104 | cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com"); |
105 | like ( $res->output, '/Certificate will expire on/', "Output OK" ); | 105 | like ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" ); |
106 | my $saved_cert_output = $res->output; | 106 | my $saved_cert_output = $res->output; |
107 | 107 | ||
108 | $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" ); | 108 | $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" ); |
diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t index 74eff175..9ae6bbdc 100755 --- a/plugins/tests/check_http.t +++ b/plugins/tests/check_http.t | |||
@@ -182,17 +182,17 @@ SKIP: { | |||
182 | 182 | ||
183 | $result = NPTest->testCmd( "$command -p $port_https -S -C 14" ); | 183 | $result = NPTest->testCmd( "$command -p $port_https -S -C 14" ); |
184 | is( $result->return_code, 0, "$command -p $port_https -S -C 14" ); | 184 | is( $result->return_code, 0, "$command -p $port_https -S -C 14" ); |
185 | is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" ); | 185 | is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" ); |
186 | 186 | ||
187 | $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" ); | 187 | $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" ); |
188 | is( $result->return_code, 1, "$command -p $port_https -S -C 14000" ); | 188 | is( $result->return_code, 1, "$command -p $port_https -S -C 14000" ); |
189 | like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" ); | 189 | like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" ); |
190 | 190 | ||
191 | # Expired cert tests | 191 | # Expired cert tests |
192 | $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" ); | 192 | $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" ); |
193 | is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" ); | 193 | is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" ); |
194 | is( $result->output, | 194 | is( $result->output, |
195 | 'CRITICAL - Certificate expired on 03/05/2009 00:13.', | 195 | 'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.', |
196 | "output ok" ); | 196 | "output ok" ); |
197 | 197 | ||
198 | } | 198 | } |