authorSven Nierlein <sven@nierlein.de>2017-03-14 22:52:04 +0100
committerSven Nierlein <sven@nierlein.de>2018-10-22 16:28:51 +0200
commit16121a9b5526aa751f77a2d5ec3f15755f99b291 (patch)
tree79395f12f46e781b95cf6b284a21c3756d4ef3de /plugins/check_curl.c
parentc6c4890702ef7095557b38ffda1531285902af42 (diff)
downloadmonitoring-plugins-16121a9b5526aa751f77a2d5ec3f15755f99b291.tar.gz
check_curl: implement certificate checks
Signed-off-by: Sven Nierlein <sven@nierlein.de>
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r--plugins/check_curl.c66
1 files changed, 56 insertions, 10 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index c6a7ab85..e14fb19b 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT;
93char output_string_search[30] = ""; 93char output_string_search[30] = "";
94char *warning_thresholds = NULL; 94char *warning_thresholds = NULL;
95char *critical_thresholds = NULL; 95char *critical_thresholds = NULL;
96int days_till_exp_warn, days_till_exp_crit;
96thresholds *thlds; 97thresholds *thlds;
97char user_agent[DEFAULT_BUFFER_SIZE]; 98char user_agent[DEFAULT_BUFFER_SIZE];
98int verbose = 0; 99int verbose = 0;
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
122char *client_cert = NULL; 123char *client_cert = NULL;
123char *client_privkey = NULL; 124char *client_privkey = NULL;
124char *ca_cert = NULL; 125char *ca_cert = NULL;
126X509 *cert = NULL;
125 127
126int process_arguments (int, char**); 128int process_arguments (int, char**);
127int check_http (void); 129int check_http (void);
@@ -162,6 +164,19 @@ main (int argc, char **argv)
162 return result; 164 return result;
163} 165}
164 166
167int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
168{
169 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
170 return 1;
171}
172
173CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
174{
175 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
176
177 return CURLE_OK;
178}
179
165int 180int
166check_http (void) 181check_http (void)
167{ 182{
@@ -177,6 +192,9 @@ check_http (void)
177 if (verbose >= 3) 192 if (verbose >= 3)
178 curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); 193 curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE);
179 194
195 /* print everything on stdout like check_http would do */
196 curl_easy_setopt(curl, CURLOPT_STDERR, stdout);
197
180 /* initialize buffer for body of the answer */ 198 /* initialize buffer for body of the answer */
181 if (curlhelp_initbuffer(&body_buf) < 0) 199 if (curlhelp_initbuffer(&body_buf) < 0)
182 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); 200 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
@@ -242,14 +260,16 @@ check_http (void)
242 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); 260 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2);
243 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); 261 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2);
244 262
245 /* backward-compatible behaviour, be tolerant in checks */ 263 /* backward-compatible behaviour, be tolerant in checks
246 if (!check_cert) { 264 * TODO: depending on more options have aspects we want
247 /* TODO: depending on more options have aspects we want 265 * to be less tolerant about ssl verfications
248 * to be tolerant about 266 */
249 * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); 267 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
250 */ 268 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
251 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); 269
252 curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); 270 /* set callback to extract certificate */
271 if(check_cert) {
272 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
253 } 273 }
254 274
255 /* set default or user-given user agent identification */ 275 /* set default or user-given user agent identification */
@@ -308,6 +328,16 @@ check_http (void)
308 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); 328 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
309 } 329 }
310 330
331 /* certificate checks */
332#ifdef HAVE_SSL
333 if (use_ssl == TRUE) {
334 if (check_cert == TRUE) {
335 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
336 return(result);
337 }
338 }
339#endif /* HAVE_SSL */
340
311 /* we got the data and we executed the request in a given time, so we can append 341 /* we got the data and we executed the request in a given time, so we can append
312 * performance data to the answer always 342 * performance data to the answer always
313 */ 343 */
@@ -439,6 +469,7 @@ int
439process_arguments (int argc, char **argv) 469process_arguments (int argc, char **argv)
440{ 470{
441 int c = 1; 471 int c = 1;
472 char *temp;
442 473
443 enum { 474 enum {
444 INVERT_REGEX = CHAR_MAX + 1, 475 INVERT_REGEX = CHAR_MAX + 1,
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv)
537 break; 568 break;
538 case 'C': /* Check SSL cert validity */ 569 case 'C': /* Check SSL cert validity */
539#ifdef LIBCURL_FEATURE_SSL 570#ifdef LIBCURL_FEATURE_SSL
540 /* TODO: C:, check age of certificate for backward compatible 571 if ((temp=strchr(optarg,','))!=NULL) {
541 * behaviour, but we would later add more check conditions */ 572 *temp='\0';
573 if (!is_intnonneg (optarg))
574 usage2 (_("Invalid certificate expiration period"), optarg);
575 days_till_exp_warn = atoi(optarg);
576 *temp=',';
577 temp++;
578 if (!is_intnonneg (temp))
579 usage2 (_("Invalid certificate expiration period"), temp);
580 days_till_exp_crit = atoi (temp);
581 }
582 else {
583 days_till_exp_crit=0;
584 if (!is_intnonneg (optarg))
585 usage2 (_("Invalid certificate expiration period"), optarg);
586 days_till_exp_warn = atoi (optarg);
587 }
542 check_cert = TRUE; 588 check_cert = TRUE;
543 goto enable_ssl; 589 goto enable_ssl;
544#endif 590#endif
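Review bot: The return value of `curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun)` in the `if(check_cert)` branch is not checked, and `cert` is handed to `np_net_ssl_check_certificate` in the later hunk without a NULL test; if libcurl refuses the option (it is only honoured by a subset of TLS backends) or the handshake never enters `verify_callback`, `cert` is still the NULL it was initialised to. I would fail closed there, e.g. `if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun) != CURLE_OK) die (STATE_UNKNOWN, "HTTP UNKNOWN - unable to install SSL context callback for certificate checks\n");` and, before the check, `if (cert == NULL) die (STATE_UNKNOWN, "HTTP UNKNOWN - no server certificate was captured\n");`. Worth a comment too is that `verify_callback` ignores `preverify_ok` and always returns 1, and that CURLOPT_SSL_VERIFYPEER/VERIFYHOST are now cleared unconditionally rather than only when `-C` is absent, so `-C` validates expiry only and never the chain or hostname; a line such as `/* -C only reports expiry: chain and hostname verification are deliberately disabled here (backward compatible with check_http) */` above the callback would stop a reader assuming otherwise. Presumably the pointer taken from `X509_STORE_CTX_get_current_cert` (borrowed, not up-ref'd) remains valid because the curl handle is still open when the check runs, but that should be confirmed against the cleanup path. `check_http` and `process_arguments` both continue outside the hunks shown.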