authorThomas Guyot-Sionnest <dermoth@aei.ca>2011-02-04 00:54:52 -0500
committerThomas Guyot-Sionnest <dermoth@aei.ca>2011-02-04 00:54:52 -0500
commit4611e41bc50d15275b316c6f21b688997a9c78c4 (patch)
tree1de69d9b99ef3986d5680fd9b8a581ce150dd93e /plugins
parent1a5a83bb82c35d888229fe9f815fbc663c0f4d3c (diff)
check_http: check for and print the certificate cn
This patch adds a check for the certificate cn (hostname) to normal certificate checks. It returns CRITICAL if the cn is missing, otherwise it prints it in the normal output. Patch by Stéphane Urbanovski.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/sslutils.c38
-rw-r--r--plugins/t/check_http.t2
-rwxr-xr-xplugins/tests/check_http.t6
3 files changed, 32 insertions, 14 deletions
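diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 64f4d61c..0bc61ed3 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -3,7 +3,7 @@
 * Nagios plugins SSL utilities
 *
 * License: GPL
-* Copyright (c) 2005-2007 Nagios Plugins Development Team
+* Copyright (c) 2005-2010 Nagios Plugins Development Team
 *
 * Description:
 *
@@ -26,6 +26,7 @@
 *
 *****************************************************************************/
 
+#define MAX_CN_LENGTH 256
 #define LOCAL_TIMEOUT_ALARM_HANDLER
 #include "common.h"
 #include "netutils.h"
@@ -97,6 +98,11 @@ int np_net_ssl_read(void *buf, int num){
 int np_net_ssl_check_cert(int days_till_exp){
 # ifdef USE_OPENSSL
  X509 *certificate=NULL;
+ X509_NAME *subj=NULL;
+ char cn[MAX_CN_LENGTH]= "";
+ int cnlen =-1;
+ int status=STATE_UNKNOWN;
+
  ASN1_STRING *tm;
  int offset;
  struct tm stamp;
@@ -110,6 +116,17 @@ int np_net_ssl_check_cert(int days_till_exp){
  return STATE_CRITICAL;
  }
 
+ /* Extract CN from certificate subject */
+ subj=X509_get_subject_name(certificate);
+
+ if(! subj){
+ printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+ return STATE_CRITICAL;
+ }
+ cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
+ if ( cnlen == -1 )
+ strcpy(cn , _("Unknown CN"));
+
  /* Retrieve timestamp of certificate */
  tm = X509_get_notAfter (certificate);
 
@@ -155,19 +172,20 @@ int np_net_ssl_check_cert(int days_till_exp){
  stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
 
  if (days_left > 0 && days_left <= days_till_exp) {
- printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
- return STATE_WARNING;
+ printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
+ status=STATE_WARNING;
  } else if (time_left < 0) {
- printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
- return STATE_CRITICAL;
+ printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
+ status=STATE_CRITICAL;
  } else if (days_left == 0) {
- printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
- return STATE_WARNING;
+ printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
+ status=STATE_WARNING;
+ } else {
+ printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
+ status=STATE_OK;
  }
-
- printf (_("OK - Certificate will expire on %s.\n"), timestamp);
  X509_free (certificate);
- return STATE_OK;
+ return status;
 # else /* ifndef USE_OPENSSL */
  printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
  return STATE_WARNING;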
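Review bot: The CN read by `X509_NAME_get_text_by_NID` in the fourth hunk (new line 126) is server-supplied and is printed verbatim in every status line, but only the `-1` return is checked. That legacy call copies the field's bytes unchanged, so a value holding an embedded NUL or control characters reaches the monitoring output truncated or raw; I would treat a length mismatch like a missing CN, `if (cnlen == -1 || (size_t)cnlen != strlen(cn))`, and replace non-printable bytes before printing. The new `return STATE_CRITICAL;` after the `subj` check also leaves without `X509_free (certificate)`, unlike the single exit the last hunk introduces. As far as these hunks show, a missing CN yields "Unknown CN" rather than the CRITICAL the commit message describes, and the CN is printed but not compared with the checked host; the function body between the hunks is not visible here.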
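diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t
index c43a64a9..55a5a530 100644
--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
@@ -102,7 +102,7 @@ SKIP: {
 
  $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" );
  cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com");
- like ( $res->output, '/Certificate will expire on/', "Output OK" );
+ like ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" );
  my $saved_cert_output = $res->output;
 
  $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" );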
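diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t
index 74eff175..9ae6bbdc 100755
--- a/plugins/tests/check_http.t
+++ b/plugins/tests/check_http.t
@@ -182,17 +182,17 @@ SKIP: {
 
  $result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
  is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
- is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" );
+ is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" );
 
  $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
  is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
- like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
+ like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
 
  # Expired cert tests
  $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
  is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
  is( $result->output,
- 'CRITICAL - Certificate expired on 03/05/2009 00:13.',
+ 'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.',
  "output ok" );
 
 }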