summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Baumann <mail@andreasbaumann.cc>2017-04-21 16:05:58 +0000
committerAndreas Baumann <mail@andreasbaumann.cc>2017-04-21 16:05:58 +0000
commite74128e66d3ce295d7603adc74a923fb481c14ae (patch)
treefdd23aeb4fec45e4576b89bca8b229db7fc2fb15
parent65d1d2ca3c617240142736a6316504f8a7e13ca9 (diff)
downloadmonitoring-plugins-e74128e.tar.gz
made non-OpenSSL version of certificate -C check work
-rw-r--r--plugins/check_curl.c117
1 files changed, 114 insertions, 3 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 878276e6..603c7be6 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -1752,26 +1752,137 @@ curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
1752} 1752}
1753 1753
1754#ifdef LIBCURL_FEATURE_SSL 1754#ifdef LIBCURL_FEATURE_SSL
1755time_t
1756parse_cert_date (const char *s)
1757{
1758 struct tm tm;
1759 time_t date;
1760
1761 if (!s) return -1;
1762
1763 strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm);
1764 date = mktime (&tm);
1765
1766 return date;
1767}
1768
1769/* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to
1770 * OpenSSL could be this function
1771 */
1755int 1772int
1756net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit) 1773net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
1757{ 1774{
1758 int i; 1775 int i;
1759 struct curl_slist *slist; 1776 struct curl_slist* slist;
1777 int cname_found = 0;
1778 char* start_date_str = NULL;
1779 char* end_date_str = NULL;
1780 time_t start_date;
1781 time_t end_date;
1782 char *tz;
1783 float time_left;
1784 int days_left;
1785 int time_remaining;
1786 char timestamp[50] = "";
1787 int status = STATE_UNKNOWN;
1760 1788
1761 if (verbose >= 2) 1789 if (verbose >= 2)
1762 printf ("**** REQUEST CERTIFICATES ****\n"); 1790 printf ("**** REQUEST CERTIFICATES ****\n");
1763 1791
1764 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) { 1792 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
1765 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) { 1793 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
1794 /* find first common name in subject, TODO: check alternative subjects for
1795 * multi-host certificate, check wildcards
1796 */
1797 if (strncmp (slist->data, "Subject:", 8) == 0) {
1798 char* p = strstr (slist->data, "CN=");
1799 if (p != NULL) {
1800 if (strncmp (host_name, p+3, strlen (host_name)) == 0) {
1801 cname_found = 1;
1802 }
1803 }
1804 } else if (strncmp (slist->data, "Start Date:", 11) == 0) {
1805 start_date_str = &slist->data[11];
1806 } else if (strncmp (slist->data, "Expire Date:", 12) == 0) {
1807 end_date_str = &slist->data[12];
1808 } else if (strncmp (slist->data, "Cert:", 5) == 0) {
1809 goto HAVE_FIRST_CERT;
1810 }
1766 if (verbose >= 2) 1811 if (verbose >= 2)
1767 printf ("%d ** %s\n", i, slist->data); 1812 printf ("%d ** %s\n", i, slist->data);
1768 } 1813 }
1769 } 1814 }
1815HAVE_FIRST_CERT:
1770 1816
1771 if (verbose >= 2) 1817 if (verbose >= 2)
1772 printf ("**** REQUEST CERTIFICATES ****\n"); 1818 printf ("**** REQUEST CERTIFICATES ****\n");
1819
1820 if (!cname_found) {
1821 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
1822 return STATE_CRITICAL;
1823 }
1824
1825 start_date = parse_cert_date (start_date_str);
1826 if (start_date <= 0) {
1827 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"),
1828 start_date_str);
1829 puts (msg);
1830 return STATE_WARNING;
1831 }
1832
1833 end_date = parse_cert_date (end_date_str);
1834 if (end_date <= 0) {
1835 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"),
1836 start_date_str);
1837 puts (msg);
1838 return STATE_WARNING;
1839 }
1773 1840
1774 printf("%s\n", _("WARNING - Plugin does not support checking certificates without OpenSSL.")); 1841 time_left = difftime (end_date, time(NULL));
1775 return STATE_WARNING; 1842 days_left = time_left / 86400;
1843 tz = getenv("TZ");
1844 setenv("TZ", "GMT", 1);
1845 tzset();
1846 strftime(timestamp, 50, "%c %z", localtime(&end_date));
1847 if (tz)
1848 setenv("TZ", tz, 1);
1849 else
1850 unsetenv("TZ");
1851 tzset();
1852
1853 if (days_left > 0 && days_left <= days_till_exp_warn) {
1854 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp);
1855 if (days_left > days_till_exp_crit)
1856 status = STATE_WARNING;
1857 else
1858 status = STATE_CRITICAL;
1859 } else if (days_left == 0 && time_left > 0) {
1860 if (time_left >= 3600)
1861 time_remaining = (int) time_left / 3600;
1862 else
1863 time_remaining = (int) time_left / 60;
1864
1865 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
1866 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining,
1867 time_left >= 3600 ? "hours" : "minutes", timestamp);
1868
1869 if ( days_left > days_till_exp_crit)
1870 status = STATE_WARNING;
1871 else
1872 status = STATE_CRITICAL;
1873 } else if (time_left < 0) {
1874 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp);
1875 status=STATE_CRITICAL;
1876 } else if (days_left == 0) {
1877 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp);
1878 if (days_left > days_till_exp_crit)
1879 status = STATE_WARNING;
1880 else
1881 status = STATE_CRITICAL;
1882 } else {
1883 printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp);
1884 status = STATE_OK;
1885 }
1886 return status;
1776} 1887}
1777#endif /* LIBCURL_FEATURE_SSL */ 1888#endif /* LIBCURL_FEATURE_SSL */