author | Sven Nierlein <sven@nierlein.de> | 2017-03-14 22:52:04 +0100 |
committer | Sven Nierlein <sven@nierlein.de> | 2017-03-14 22:52:04 +0100 |
commit | 1684deb8f7cc64270edcdff7c9bf40981bff20e3 (patch) | |
tree | 96051b0ec70d5a01894c6790ce0d8d0bed013b94 /plugins/check_curl.c | |
parent | afb41b29f7a444826a1f23535def3a57fb241375 (diff) | |
check_curl: implement certificate checks
Signed-off-by: Sven Nierlein <sven@nierlein.de>
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r-- | plugins/check_curl.c | 66 |
1 files changed, 56 insertions, 10 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab85..e14fb19b 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT; | |||
93 | char output_string_search[30] = ""; | 93 | char output_string_search[30] = ""; |
94 | char *warning_thresholds = NULL; | 94 | char *warning_thresholds = NULL; |
95 | char *critical_thresholds = NULL; | 95 | char *critical_thresholds = NULL; |
96 | int days_till_exp_warn, days_till_exp_crit; | ||
96 | thresholds *thlds; | 97 | thresholds *thlds; |
97 | char user_agent[DEFAULT_BUFFER_SIZE]; | 98 | char user_agent[DEFAULT_BUFFER_SIZE]; |
98 | int verbose = 0; | 99 | int verbose = 0; |
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; | |||
122 | char *client_cert = NULL; | 123 | char *client_cert = NULL; |
123 | char *client_privkey = NULL; | 124 | char *client_privkey = NULL; |
124 | char *ca_cert = NULL; | 125 | char *ca_cert = NULL; |
126 | X509 *cert = NULL; | ||
125 | 127 | ||
126 | int process_arguments (int, char**); | 128 | int process_arguments (int, char**); |
127 | int check_http (void); | 129 | int check_http (void); |
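Review bot: `X509 *cert` is declared unconditionally at new line 126, while every use of it later in this commit sits under `HAVE_SSL` or `LIBCURL_FEATURE_SSL`; if the OpenSSL headers are only included under one of those guards (the include block is outside this view), a build without SSL support fails on this declaration, so it should be wrapped in the same `#ifdef` as its users. A global that is written from a callback and read elsewhere also deserves a one-line note, e.g. `/* peer certificate captured by verify_callback during the handshake; read by check_http for -C */`.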
@@ -162,6 +164,19 @@ main (int argc, char **argv) | |||
162 | return result; | 164 | return result; |
163 | } | 165 | } |
164 | 166 | ||
167 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | ||
168 | { | ||
169 | cert = X509_STORE_CTX_get_current_cert(x509_ctx); | ||
170 | return 1; | ||
171 | } | ||
172 | |||
173 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | ||
174 | { | ||
175 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
176 | |||
177 | return CURLE_OK; | ||
178 | } | ||
179 | |||
165 | int | 180 | int |
166 | check_http (void) | 181 | check_http (void) |
167 | { | 182 | { |
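Review bot: `verify_callback` ignores `preverify_ok` and returns 1 unconditionally, so installing `SSL_VERIFY_PEER` in `sslctxfun` accepts every chain and its only effect is to remember the last certificate OpenSSL hands to the callback (presumably the leaf, since OpenSSL walks the chain root-first); that is probably intended for the expiry-only `-C` mode but should be stated, e.g. `/* accept any chain here: we only want a handle on the peer cert, expiry is checked after the request */`. The pointer from `X509_STORE_CTX_get_current_cert` is borrowed, not owned — it is valid only while the SSL object holding the chain is alive, and `check_http` reads it after `curl_easy_perform` has returned — so either take your own reference (`X509_dup` plus an `X509_free` when done, or `X509_up_ref` on OpenSSL >= 1.1.0) or document why the connection is guaranteed to still be open at that point. Both helpers are file-local and should be `static`; `preverify_ok`, `curl` and `parm` are unused and could be marked as such. The preceding `main` ends outside the hunk.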
@@ -177,6 +192,9 @@ check_http (void) | |||
177 | if (verbose >= 3) | 192 | if (verbose >= 3) |
178 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); | 193 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); |
179 | 194 | ||
195 | /* print everything on stdout like check_http would do */ | ||
196 | curl_easy_setopt(curl, CURLOPT_STDERR, stdout); | ||
197 | |||
180 | /* initialize buffer for body of the answer */ | 198 | /* initialize buffer for body of the answer */ |
181 | if (curlhelp_initbuffer(&body_buf) < 0) | 199 | if (curlhelp_initbuffer(&body_buf) < 0) |
182 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | 200 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); |
@@ -242,14 +260,16 @@ check_http (void) | |||
242 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); | 260 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); |
243 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); | 261 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); |
244 | 262 | ||
245 | /* backward-compatible behaviour, be tolerant in checks */ | 263 | /* backward-compatible behaviour, be tolerant in checks |
246 | if (!check_cert) { | 264 | * TODO: depending on more options have aspects we want |
247 | /* TODO: depending on more options have aspects we want | 265 | * to be less tolerant about ssl verfications |
248 | * to be tolerant about | 266 | */ |
249 | * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); | 267 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); |
250 | */ | 268 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); |
251 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); | 269 | |
252 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); | 270 | /* set callback to extract certificate */ |
271 | if(check_cert) { | ||
272 | curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun); | ||
253 | } | 273 | } |
254 | 274 | ||
255 | /* set default or user-given user agent identification */ | 275 | /* set default or user-given user agent identification */ |
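Review bot: New lines 267-268 turn `CURLOPT_SSL_VERIFYPEER`/`VERIFYHOST` off on every run, so the `2` set at 260-261 is dead code and even `-C` never fails on an untrusted chain or a hostname mismatch; if that tolerance is deliberate for check_http compatibility the comment should say so outright, and a user who passed a CA file (`ca_cert`, declared at 125) presumably expects verification to stay on — `if (!ca_cert) { ...setopt(..., 0)... }` would preserve the old behaviour while honouring that, though whether `ca_cert` is wired to `CURLOPT_CAINFO` is not visible here. The return value of the `CURLOPT_SSL_CTX_FUNCTION` call at 272 is also unchecked: libcurl rejects this option when its TLS backend is not OpenSSL-compatible, in which case the callback never runs and `cert` stays NULL, so surface it: `if (curl_easy_setopt (curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun) != CURLE_OK) die (STATE_UNKNOWN, "HTTP UNKNOWN - certificate checks are not supported by this libcurl TLS backend\n");`. `check_http` continues outside the hunk.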
@@ -308,6 +328,16 @@ check_http (void) | |||
308 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | 328 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); |
309 | } | 329 | } |
310 | 330 | ||
331 | /* certificate checks */ | ||
332 | #ifdef HAVE_SSL | ||
333 | if (use_ssl == TRUE) { | ||
334 | if (check_cert == TRUE) { | ||
335 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
336 | return(result); | ||
337 | } | ||
338 | } | ||
339 | #endif /* HAVE_SSL */ | ||
340 | |||
311 | /* we got the data and we executed the request in a given time, so we can append | 341 | /* we got the data and we executed the request in a given time, so we can append |
312 | * performance data to the answer always | 342 | * performance data to the answer always |
313 | */ | 343 | */ |
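Review bot: `cert` is handed to `np_net_ssl_check_certificate` at new line 335 without a NULL check; it is only ever assigned inside `verify_callback`, so on any path where that callback did not run (the SSL_CTX option being rejected by the TLS backend, or no handshake having taken place) the helper receives NULL — add `if (cert == NULL) die (STATE_UNKNOWN, "HTTP UNKNOWN - no peer certificate available for -C\n");` before the call unless `np_net_ssl_check_certificate` is documented to tolerate NULL, which is not visible here. This block is guarded by `HAVE_SSL` while the option parser accepts `-C` under `LIBCURL_FEATURE_SSL` (new line 570); if only the latter is defined, `-C` is accepted, the certificate is never examined and the plugin falls through to the body checks and reports OK, so both guards should use the same macro. The early `return(result)` also skips the performance data appended below; if that mirrors check_http it is worth a one-line comment. `check_http` continues outside the hunk.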
@@ -439,6 +469,7 @@ int | |||
439 | process_arguments (int argc, char **argv) | 469 | process_arguments (int argc, char **argv) |
440 | { | 470 | { |
441 | int c = 1; | 471 | int c = 1; |
472 | char *temp; | ||
442 | 473 | ||
443 | enum { | 474 | enum { |
444 | INVERT_REGEX = CHAR_MAX + 1, | 475 | INVERT_REGEX = CHAR_MAX + 1, |
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv) | |||
537 | break; | 568 | break; |
538 | case 'C': /* Check SSL cert validity */ | 569 | case 'C': /* Check SSL cert validity */ |
539 | #ifdef LIBCURL_FEATURE_SSL | 570 | #ifdef LIBCURL_FEATURE_SSL |
540 | /* TODO: C:, check age of certificate for backward compatible | 571 | if ((temp=strchr(optarg,','))!=NULL) { |
541 | * behaviour, but we would later add more check conditions */ | 572 | *temp='\0'; |
573 | if (!is_intnonneg (optarg)) | ||
574 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
575 | days_till_exp_warn = atoi(optarg); | ||
576 | *temp=','; | ||
577 | temp++; | ||
578 | if (!is_intnonneg (temp)) | ||
579 | usage2 (_("Invalid certificate expiration period"), temp); | ||
580 | days_till_exp_crit = atoi (temp); | ||
581 | } | ||
582 | else { | ||
583 | days_till_exp_crit=0; | ||
584 | if (!is_intnonneg (optarg)) | ||
585 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
586 | days_till_exp_warn = atoi (optarg); | ||
587 | } | ||
542 | check_cert = TRUE; | 588 | check_cert = TRUE; |
543 | goto enable_ssl; | 589 | goto enable_ssl; |
544 | #endif | 590 | #endif |
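Review bot: Nothing validates the relationship between the two periods, so `-C 10,30` is accepted and, depending on how `np_net_ssl_check_certificate` orders its comparisons (not visible here), may report only WARNING for a certificate that is already inside the critical window; a guard after line 580 such as `if (days_till_exp_warn < days_till_exp_crit) usage2 (_("Warning period must not be smaller than critical period"), optarg);` is cheap and matches the existing `usage2` style. `is_intnonneg` only proves the strings are non-negative integers; whether it bounds them so that `atoi` cannot overflow is not visible, and `strtol` with a range check would remove the doubt. The parsing also mirrors check_http's `-C` handling line for line, so a small `static` helper shared by both would avoid the duplication. `process_arguments` and its `switch` continue outside the hunk.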