diff options
| author | Sven Nierlein <sven@nierlein.de> | 2017-03-14 21:52:04 (GMT) |
|---|---|---|
| committer | Sven Nierlein <sven@nierlein.de> | 2018-10-22 14:28:51 (GMT) |
| commit | 16121a9b5526aa751f77a2d5ec3f15755f99b291 (patch) | |
| tree | 79395f12f46e781b95cf6b284a21c3756d4ef3de /plugins/check_curl.c | |
| parent | c6c4890702ef7095557b38ffda1531285902af42 (diff) | |
| download | monitoring-plugins-16121a9b5526aa751f77a2d5ec3f15755f99b291.tar.gz | |
check_curl: implement certificate checks
Signed-off-by: Sven Nierlein <sven@nierlein.de>
Diffstat (limited to 'plugins/check_curl.c')
| -rw-r--r-- | plugins/check_curl.c | 66 |
1 files changed, 56 insertions, 10 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab8..e14fb19 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
| @@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT; | |||
| 93 | char output_string_search[30] = ""; | 93 | char output_string_search[30] = ""; |
| 94 | char *warning_thresholds = NULL; | 94 | char *warning_thresholds = NULL; |
| 95 | char *critical_thresholds = NULL; | 95 | char *critical_thresholds = NULL; |
| 96 | int days_till_exp_warn, days_till_exp_crit; | ||
| 96 | thresholds *thlds; | 97 | thresholds *thlds; |
| 97 | char user_agent[DEFAULT_BUFFER_SIZE]; | 98 | char user_agent[DEFAULT_BUFFER_SIZE]; |
| 98 | int verbose = 0; | 99 | int verbose = 0; |
| @@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; | |||
| 122 | char *client_cert = NULL; | 123 | char *client_cert = NULL; |
| 123 | char *client_privkey = NULL; | 124 | char *client_privkey = NULL; |
| 124 | char *ca_cert = NULL; | 125 | char *ca_cert = NULL; |
| 126 | X509 *cert = NULL; | ||
| 125 | 127 | ||
| 126 | int process_arguments (int, char**); | 128 | int process_arguments (int, char**); |
| 127 | int check_http (void); | 129 | int check_http (void); |
| @@ -162,6 +164,19 @@ main (int argc, char **argv) | |||
| 162 | return result; | 164 | return result; |
| 163 | } | 165 | } |
| 164 | 166 | ||
| 167 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | ||
| 168 | { | ||
| 169 | cert = X509_STORE_CTX_get_current_cert(x509_ctx); | ||
| 170 | return 1; | ||
| 171 | } | ||
| 172 | |||
| 173 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | ||
| 174 | { | ||
| 175 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
| 176 | |||
| 177 | return CURLE_OK; | ||
| 178 | } | ||
| 179 | |||
| 165 | int | 180 | int |
| 166 | check_http (void) | 181 | check_http (void) |
| 167 | { | 182 | { |
| @@ -177,6 +192,9 @@ check_http (void) | |||
| 177 | if (verbose >= 3) | 192 | if (verbose >= 3) |
| 178 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); | 193 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); |
| 179 | 194 | ||
| 195 | /* print everything on stdout like check_http would do */ | ||
| 196 | curl_easy_setopt(curl, CURLOPT_STDERR, stdout); | ||
| 197 | |||
| 180 | /* initialize buffer for body of the answer */ | 198 | /* initialize buffer for body of the answer */ |
| 181 | if (curlhelp_initbuffer(&body_buf) < 0) | 199 | if (curlhelp_initbuffer(&body_buf) < 0) |
| 182 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | 200 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); |
| @@ -242,14 +260,16 @@ check_http (void) | |||
| 242 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); | 260 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); |
| 243 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); | 261 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); |
| 244 | 262 | ||
| 245 | /* backward-compatible behaviour, be tolerant in checks */ | 263 | /* backward-compatible behaviour, be tolerant in checks |
| 246 | if (!check_cert) { | 264 | * TODO: depending on more options have aspects we want |
| 247 | /* TODO: depending on more options have aspects we want | 265 | * to be less tolerant about ssl verfications |
| 248 | * to be tolerant about | 266 | */ |
| 249 | * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); | 267 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); |
| 250 | */ | 268 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); |
| 251 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); | 269 | |
| 252 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); | 270 | /* set callback to extract certificate */ |
| 271 | if(check_cert) { | ||
| 272 | curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun); | ||
| 253 | } | 273 | } |
| 254 | 274 | ||
| 255 | /* set default or user-given user agent identification */ | 275 | /* set default or user-given user agent identification */ |
| @@ -308,6 +328,16 @@ check_http (void) | |||
| 308 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | 328 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); |
| 309 | } | 329 | } |
| 310 | 330 | ||
| 331 | /* certificate checks */ | ||
| 332 | #ifdef HAVE_SSL | ||
| 333 | if (use_ssl == TRUE) { | ||
| 334 | if (check_cert == TRUE) { | ||
| 335 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
| 336 | return(result); | ||
| 337 | } | ||
| 338 | } | ||
| 339 | #endif /* HAVE_SSL */ | ||
| 340 | |||
| 311 | /* we got the data and we executed the request in a given time, so we can append | 341 | /* we got the data and we executed the request in a given time, so we can append |
| 312 | * performance data to the answer always | 342 | * performance data to the answer always |
| 313 | */ | 343 | */ |
| @@ -439,6 +469,7 @@ int | |||
| 439 | process_arguments (int argc, char **argv) | 469 | process_arguments (int argc, char **argv) |
| 440 | { | 470 | { |
| 441 | int c = 1; | 471 | int c = 1; |
| 472 | char *temp; | ||
| 442 | 473 | ||
| 443 | enum { | 474 | enum { |
| 444 | INVERT_REGEX = CHAR_MAX + 1, | 475 | INVERT_REGEX = CHAR_MAX + 1, |
| @@ -537,8 +568,23 @@ process_arguments (int argc, char **argv) | |||
| 537 | break; | 568 | break; |
| 538 | case 'C': /* Check SSL cert validity */ | 569 | case 'C': /* Check SSL cert validity */ |
| 539 | #ifdef LIBCURL_FEATURE_SSL | 570 | #ifdef LIBCURL_FEATURE_SSL |
| 540 | /* TODO: C:, check age of certificate for backward compatible | 571 | if ((temp=strchr(optarg,','))!=NULL) { |
| 541 | * behaviour, but we would later add more check conditions */ | 572 | *temp='\0'; |
| 573 | if (!is_intnonneg (optarg)) | ||
| 574 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
| 575 | days_till_exp_warn = atoi(optarg); | ||
| 576 | *temp=','; | ||
| 577 | temp++; | ||
| 578 | if (!is_intnonneg (temp)) | ||
| 579 | usage2 (_("Invalid certificate expiration period"), temp); | ||
| 580 | days_till_exp_crit = atoi (temp); | ||
| 581 | } | ||
| 582 | else { | ||
| 583 | days_till_exp_crit=0; | ||
| 584 | if (!is_intnonneg (optarg)) | ||
| 585 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
| 586 | days_till_exp_warn = atoi (optarg); | ||
| 587 | } | ||
| 542 | check_cert = TRUE; | 588 | check_cert = TRUE; |
| 543 | goto enable_ssl; | 589 | goto enable_ssl; |
| 544 | #endif | 590 | #endif |