authorSven Nierlein <sven@nierlein.de>2017-03-14 22:52:04 +0100
committerSven Nierlein <sven@nierlein.de>2017-03-14 22:52:04 +0100
commit1684deb8f7cc64270edcdff7c9bf40981bff20e3 (patch)
tree96051b0ec70d5a01894c6790ce0d8d0bed013b94
parentafb41b29f7a444826a1f23535def3a57fb241375 (diff)
downloadmonitoring-plugins-1684deb8f7cc64270edcdff7c9bf40981bff20e3.tar.gz
check_curl: implement certificate checks
Signed-off-by: Sven Nierlein <sven@nierlein.de>
-rw-r--r--plugins/Makefile.am4
-rw-r--r--plugins/check_curl.c66
-rw-r--r--plugins/sslutils.c33
3 files changed, 79 insertions, 24 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 2c87b4e1..ffd8baf2 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS)
71check_cluster_LDADD = $(BASEOBJS) 71check_cluster_LDADD = $(BASEOBJS)
72check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) 72check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS)
73check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE) 73check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE)
74check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) 74check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS)
75check_dbi_LDADD = $(NETLIBS) $(DBILIBS) 75check_dbi_LDADD = $(NETLIBS) $(DBILIBS)
76check_dig_LDADD = $(NETLIBS) 76check_dig_LDADD = $(NETLIBS)
77check_disk_LDADD = $(BASEOBJS) 77check_disk_LDADD = $(BASEOBJS)
@@ -92,7 +92,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS)
92check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE) 92check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE)
93check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS) 93check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS)
94check_nagios_LDADD = $(BASEOBJS) 94check_nagios_LDADD = $(BASEOBJS)
95check_nt_LDADD = $(NETLIBS) 95check_nt_LDADD = $(NETLIBS)
96check_ntp_LDADD = $(NETLIBS) $(MATHLIBS) 96check_ntp_LDADD = $(NETLIBS) $(MATHLIBS)
97check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS) 97check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS)
98check_nwstat_LDADD = $(NETLIBS) 98check_nwstat_LDADD = $(NETLIBS)
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index c6a7ab85..e14fb19b 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
93char output_string_search[30] = ""; 93char output_string_search[30] = "";
94char *warning_thresholds = NULL; 94char *warning_thresholds = NULL;
95char *critical_thresholds = NULL; 95char *critical_thresholds = NULL;
96int days_till_exp_warn, days_till_exp_crit;
96thresholds *thlds; 97thresholds *thlds;
97char user_agent[DEFAULT_BUFFER_SIZE]; 98char user_agent[DEFAULT_BUFFER_SIZE];
98int verbose = 0; 99int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
122char *client_cert = NULL; 123char *client_cert = NULL;
123char *client_privkey = NULL; 124char *client_privkey = NULL;
124char *ca_cert = NULL; 125char *ca_cert = NULL;
126X509 *cert = NULL;
125 127
126int process_arguments (int, char**); 128int process_arguments (int, char**);
127int check_http (void); 129int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
162 return result; 164 return result;
163} 165}
164 166
167int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
168{
169 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
170 return 1;
171}
172
173CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
174{
175 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
176
177 return CURLE_OK;
178}
179
165int 180int
166check_http (void) 181check_http (void)
167{ 182{
@@ -177,6 +192,9 @@ check_http (void)
177 if (verbose >= 3) 192 if (verbose >= 3)
178 curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); 193 curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
179 194
195 /* print everything on stdout like check_http would do */
196 curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
197
180 /* initialize buffer for body of the answer */ 198 /* initialize buffer for body of the answer */
181 if (curlhelp_initbuffer(&body_buf) < 0) 199 if (curlhelp_initbuffer(&body_buf) < 0)
182 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); 200 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
242 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); 260 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
243 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); 261 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
244 262
245 /* backward-compatible behaviour, be tolerant in checks */ 263 /* backward-compatible behaviour, be tolerant in checks
246 if (!check_cert) { 264 * TODO: depending on more options have aspects we want
247 /* TODO: depending on more options have aspects we want 265 * to be less tolerant about ssl verfications
248 * to be tolerant about 266 */
249 * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); 267 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
250 */ 268 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
251 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); 269
252 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); 270 /* set callback to extract certificate */
271 if(check_cert) {
272 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
253 } 273 }
254 274
255 /* set default or user-given user agent identification */ 275 /* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
308 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); 328 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
309 } 329 }
310 330
331 /* certificate checks */
332#ifdef HAVE_SSL
333 if (use_ssl == TRUE) {
334 if (check_cert == TRUE) {
335 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
336 return(result);
337 }
338 }
339#endif /* HAVE_SSL */
340
311 /* we got the data and we executed the request in a given time, so we can append 341 /* we got the data and we executed the request in a given time, so we can append
312 * performance data to the answer always 342 * performance data to the answer always
313 */ 343 */
@@ -439,6 +469,7 @@ int
439process_arguments (int argc, char **argv) 469process_arguments (int argc, char **argv)
440{ 470{
441 int c = 1; 471 int c = 1;
472 char *temp;
442 473
443 enum { 474 enum {
444 INVERT_REGEX = CHAR_MAX + 1, 475 INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
537 break; 568 break;
538 case 'C': /* Check SSL cert validity */ 569 case 'C': /* Check SSL cert validity */
539#ifdef LIBCURL_FEATURE_SSL 570#ifdef LIBCURL_FEATURE_SSL
540 /* TODO: C:, check age of certificate for backward compatible 571 if ((temp=strchr(optarg,','))!=NULL) {
541 * behaviour, but we would later add more check conditions */ 572 *temp='\0';
573 if (!is_intnonneg (optarg))
574 usage2 (_("Invalid certificate expiration period"), optarg);
575 days_till_exp_warn = atoi(optarg);
576 *temp=',';
577 temp++;
578 if (!is_intnonneg (temp))
579 usage2 (_("Invalid certificate expiration period"), temp);
580 days_till_exp_crit = atoi (temp);
581 }
582 else {
583 days_till_exp_crit=0;
584 if (!is_intnonneg (optarg))
585 usage2 (_("Invalid certificate expiration period"), optarg);
586 days_till_exp_warn = atoi (optarg);
587 }
542 check_cert = TRUE; 588 check_cert = TRUE;
543 goto enable_ssl; 589 goto enable_ssl;
544#endif 590#endif
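Review bot: sslctxfun treats the opaque context libcurl hands to CURLOPT_SSL_CTX_FUNCTION as an OpenSSL `SSL_CTX *`, but nothing in the hunk checks which TLS backend libcurl was built against; a GnuTLS or NSS build passes a different object to the same option and `SSL_CTX_set_verify` would then operate on garbage. Guard the installation in check_http on the backend, e.g. `if (check_cert && strstr(curl_version_info(CURLVERSION_NOW)->ssl_version, "OpenSSL") != NULL)`, and otherwise die with STATE_UNKNOWN explaining that `-C` needs the OpenSSL backend. Separately, verify_callback keeps the pointer returned by `X509_STORE_CTX_get_current_cert` — OpenSSL invokes the callback once per chain element, so whatever was checked last wins — without taking a reference, yet np_net_ssl_check_certificate only runs after curl_easy_perform has returned; take a reference (`X509_up_ref(cert)` on OpenSSL 1.1, or `X509_dup`) so the object cannot go away with the verification context. Finally, the unconditional `CURLOPT_SSL_VERIFYPEER, 0` / `CURLOPT_SSL_VERIFYHOST, 0` replaces the old `if (!check_cert)` guard, and with verify_callback always returning 1 a `-C` check now reports only expiry and never fails on an untrusted chain or hostname mismatch; that deserves a comment such as `/* -C only checks expiry: chain and hostname verification are deliberately disabled for check_http compatibility */` rather than the generic TODO. check_http and process_arguments both begin and end outside this hunk.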
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index e38947e3..14f6579d 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2*
3* Monitoring Plugins SSL utilities 3* Monitoring Plugins SSL utilities
4* 4*
5* License: GPL 5* License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7* 7*
8* Description: 8* Description:
9* 9*
10* This file contains common functions for plugins that require SSL. 10* This file contains common functions for plugins that require SSL.
11* 11*
12* 12*
13* This program is free software: you can redistribute it and/or modify 13* This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14* it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15* the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16* (at your option) any later version.
17* 17*
18* This program is distributed in the hope that it will be useful, 18* This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19* but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21* GNU General Public License for more details.
22* 22*
23* You should have received a copy of the GNU General Public License 23* You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24* along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25*
26* 26*
27*****************************************************************************/ 27*****************************************************************************/
28 28
29#define MAX_CN_LENGTH 256 29#define MAX_CN_LENGTH 256
@@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) {
193 193
194int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 194int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
195# ifdef USE_OPENSSL 195# ifdef USE_OPENSSL
196 X509 *certificate=NULL; 196 X509 *certificate = NULL;
197 certificate=SSL_get_peer_certificate(s);
198 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
199# else /* ifndef USE_OPENSSL */
200 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
201 return STATE_WARNING;
202# endif /* USE_OPENSSL */
203}
204
205int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
206# ifdef USE_OPENSSL
197 X509_NAME *subj=NULL; 207 X509_NAME *subj=NULL;
198 char timestamp[50] = ""; 208 char timestamp[50] = "";
199 char cn[MAX_CN_LENGTH]= ""; 209 char cn[MAX_CN_LENGTH]= "";
200 char *tz; 210 char *tz;
201 211
202 int cnlen =-1; 212 int cnlen =-1;
203 int status=STATE_UNKNOWN; 213 int status=STATE_UNKNOWN;
204 214
@@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
210 int time_remaining; 220 int time_remaining;
211 time_t tm_t; 221 time_t tm_t;
212 222
213 certificate=SSL_get_peer_certificate(s);
214 if (!certificate) { 223 if (!certificate) {
215 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 224 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
216 return STATE_CRITICAL; 225 return STATE_CRITICAL;
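Review bot: np_net_ssl_check_certificate now takes an `X509 *` whose ownership is left undefined: the wrapper np_net_ssl_check_cert passes the reference-counted result of `SSL_get_peer_certificate(s)`, which someone must release with X509_free, while the check_curl verify callback added in this same commit passes a pointer borrowed from the verification context that must not be freed. The tail of np_net_ssl_check_certificate, where the old function presumably released the certificate, lies outside this hunk, so whichever it does today, one of the two callers either leaks the reference or frees an object it does not own. State the contract on the new function, e.g. `/* Takes ownership of certificate and releases it with X509_free(); callers holding a borrowed X509 must X509_up_ref() it first. */`, and make both callers comply. np_net_ssl_check_certificate continues past the end of this hunk.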