author | Sven Nierlein <sven@nierlein.de> | 2017-03-14 22:52:04 +0100 |
---|---|---|
committer | Sven Nierlein <sven@nierlein.de> | 2017-03-14 22:52:04 +0100 |
commit | 1684deb8f7cc64270edcdff7c9bf40981bff20e3 (patch) | |
tree | 96051b0ec70d5a01894c6790ce0d8d0bed013b94 /plugins | |
parent | afb41b29f7a444826a1f23535def3a57fb241375 (diff) | |
check_curl: implement certificate checks
Signed-off-by: Sven Nierlein <sven@nierlein.de>
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/Makefile.am | 4 | ||||
-rw-r--r-- | plugins/check_curl.c | 66 | ||||
-rw-r--r-- | plugins/sslutils.c | 33 |
3 files changed, 79 insertions, 24 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am index 2c87b4e1..ffd8baf2 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am | |||
@@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS) | |||
71 | check_cluster_LDADD = $(BASEOBJS) | 71 | check_cluster_LDADD = $(BASEOBJS) |
72 | check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) | 72 | check_curl_CFLAGS = $(AM_CFLAGS) $(LIBCURLCFLAGS) |
73 | check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE) | 73 | check_curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCURLINCLUDE) |
74 | check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) | 74 | check_curl_LDADD = $(NETLIBS) $(LIBCURLLIBS) $(SSLOBJS) |
75 | check_dbi_LDADD = $(NETLIBS) $(DBILIBS) | 75 | check_dbi_LDADD = $(NETLIBS) $(DBILIBS) |
76 | check_dig_LDADD = $(NETLIBS) | 76 | check_dig_LDADD = $(NETLIBS) |
77 | check_disk_LDADD = $(BASEOBJS) | 77 | check_disk_LDADD = $(BASEOBJS) |
@@ -92,7 +92,7 @@ check_mysql_query_CFLAGS = $(AM_CFLAGS) $(MYSQLCFLAGS) | |||
92 | check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE) | 92 | check_mysql_query_CPPFLAGS = $(AM_CPPFLAGS) $(MYSQLINCLUDE) |
93 | check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS) | 93 | check_mysql_query_LDADD = $(NETLIBS) $(MYSQLLIBS) |
94 | check_nagios_LDADD = $(BASEOBJS) | 94 | check_nagios_LDADD = $(BASEOBJS) |
95 | check_nt_LDADD = $(NETLIBS) | 95 | check_nt_LDADD = $(NETLIBS) |
96 | check_ntp_LDADD = $(NETLIBS) $(MATHLIBS) | 96 | check_ntp_LDADD = $(NETLIBS) $(MATHLIBS) |
97 | check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS) | 97 | check_ntp_peer_LDADD = $(NETLIBS) $(MATHLIBS) |
98 | check_nwstat_LDADD = $(NETLIBS) | 98 | check_nwstat_LDADD = $(NETLIBS) |
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index c6a7ab85..e14fb19b 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
@@ -93,6 +93,7 @@ unsigned short server_port = HTTP_PORT; | |||
93 | char output_string_search[30] = ""; | 93 | char output_string_search[30] = ""; |
94 | char *warning_thresholds = NULL; | 94 | char *warning_thresholds = NULL; |
95 | char *critical_thresholds = NULL; | 95 | char *critical_thresholds = NULL; |
96 | int days_till_exp_warn, days_till_exp_crit; | ||
96 | thresholds *thlds; | 97 | thresholds *thlds; |
97 | char user_agent[DEFAULT_BUFFER_SIZE]; | 98 | char user_agent[DEFAULT_BUFFER_SIZE]; |
98 | int verbose = 0; | 99 | int verbose = 0; |
@@ -122,6 +123,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT; | |||
122 | char *client_cert = NULL; | 123 | char *client_cert = NULL; |
123 | char *client_privkey = NULL; | 124 | char *client_privkey = NULL; |
124 | char *ca_cert = NULL; | 125 | char *ca_cert = NULL; |
126 | X509 *cert = NULL; | ||
125 | 127 | ||
126 | int process_arguments (int, char**); | 128 | int process_arguments (int, char**); |
127 | int check_http (void); | 129 | int check_http (void); |
@@ -162,6 +164,19 @@ main (int argc, char **argv) | |||
162 | return result; | 164 | return result; |
163 | } | 165 | } |
164 | 166 | ||
167 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | ||
168 | { | ||
169 | cert = X509_STORE_CTX_get_current_cert(x509_ctx); | ||
170 | return 1; | ||
171 | } | ||
172 | |||
173 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | ||
174 | { | ||
175 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
176 | |||
177 | return CURLE_OK; | ||
178 | } | ||
179 | |||
165 | int | 180 | int |
166 | check_http (void) | 181 | check_http (void) |
167 | { | 182 | { |
@@ -177,6 +192,9 @@ check_http (void) | |||
177 | if (verbose >= 3) | 192 | if (verbose >= 3) |
178 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); | 193 | curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); |
179 | 194 | ||
195 | /* print everything on stdout like check_http would do */ | ||
196 | curl_easy_setopt(curl, CURLOPT_STDERR, stdout); | ||
197 | |||
180 | /* initialize buffer for body of the answer */ | 198 | /* initialize buffer for body of the answer */ |
181 | if (curlhelp_initbuffer(&body_buf) < 0) | 199 | if (curlhelp_initbuffer(&body_buf) < 0) |
182 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | 200 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); |
@@ -242,14 +260,16 @@ check_http (void) | |||
242 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); | 260 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); |
243 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); | 261 | curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); |
244 | 262 | ||
245 | /* backward-compatible behaviour, be tolerant in checks */ | 263 | /* backward-compatible behaviour, be tolerant in checks |
246 | if (!check_cert) { | 264 | * TODO: depending on more options have aspects we want |
247 | /* TODO: depending on more options have aspects we want | 265 | * to be less tolerant about ssl verfications |
248 | * to be tolerant about | 266 | */ |
249 | * curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 ); | 267 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); |
250 | */ | 268 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); |
251 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); | 269 | |
252 | curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); | 270 | /* set callback to extract certificate */ |
271 | if(check_cert) { | ||
272 | curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun); | ||
253 | } | 273 | } |
254 | 274 | ||
255 | /* set default or user-given user agent identification */ | 275 | /* set default or user-given user agent identification */ |
@@ -308,6 +328,16 @@ check_http (void) | |||
308 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | 328 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); |
309 | } | 329 | } |
310 | 330 | ||
331 | /* certificate checks */ | ||
332 | #ifdef HAVE_SSL | ||
333 | if (use_ssl == TRUE) { | ||
334 | if (check_cert == TRUE) { | ||
335 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
336 | return(result); | ||
337 | } | ||
338 | } | ||
339 | #endif /* HAVE_SSL */ | ||
340 | |||
311 | /* we got the data and we executed the request in a given time, so we can append | 341 | /* we got the data and we executed the request in a given time, so we can append |
312 | * performance data to the answer always | 342 | * performance data to the answer always |
313 | */ | 343 | */ |
@@ -439,6 +469,7 @@ int | |||
439 | process_arguments (int argc, char **argv) | 469 | process_arguments (int argc, char **argv) |
440 | { | 470 | { |
441 | int c = 1; | 471 | int c = 1; |
472 | char *temp; | ||
442 | 473 | ||
443 | enum { | 474 | enum { |
444 | INVERT_REGEX = CHAR_MAX + 1, | 475 | INVERT_REGEX = CHAR_MAX + 1, |
@@ -537,8 +568,23 @@ process_arguments (int argc, char **argv) | |||
537 | break; | 568 | break; |
538 | case 'C': /* Check SSL cert validity */ | 569 | case 'C': /* Check SSL cert validity */ |
539 | #ifdef LIBCURL_FEATURE_SSL | 570 | #ifdef LIBCURL_FEATURE_SSL |
540 | /* TODO: C:, check age of certificate for backward compatible | 571 | if ((temp=strchr(optarg,','))!=NULL) { |
541 | * behaviour, but we would later add more check conditions */ | 572 | *temp='\0'; |
573 | if (!is_intnonneg (optarg)) | ||
574 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
575 | days_till_exp_warn = atoi(optarg); | ||
576 | *temp=','; | ||
577 | temp++; | ||
578 | if (!is_intnonneg (temp)) | ||
579 | usage2 (_("Invalid certificate expiration period"), temp); | ||
580 | days_till_exp_crit = atoi (temp); | ||
581 | } | ||
582 | else { | ||
583 | days_till_exp_crit=0; | ||
584 | if (!is_intnonneg (optarg)) | ||
585 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
586 | days_till_exp_warn = atoi (optarg); | ||
587 | } | ||
542 | check_cert = TRUE; | 588 | check_cert = TRUE; |
543 | goto enable_ssl; | 589 | goto enable_ssl; |
544 | #endif | 590 | #endif |
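Review bot: TLS verification is now switched off for every HTTPS request, because the `CURLOPT_SSL_VERIFYPEER, 0` / `CURLOPT_SSL_VERIFYHOST, 0` calls in check_http lost their `if (!check_cert)` guard and `verify_callback` returns 1 without looking at `preverify_ok`; a `-C` run therefore reports the expiry of whatever certificate the endpoint presents, with neither chain nor host name checked. The callback also stores a pointer it does not own in the global `cert` and is invoked once per chain element, so the certificate later passed to `np_net_ssl_check_certificate` is not pinned to the leaf and may outlive the handshake state it belongs to (inferred, since libcurl's connection lifetime is not visible here). If the tolerant return value is the intended compatibility behaviour, I would still copy only the depth-0 certificate and record the verification error so check_http can report it, as sketched below. The new helpers and the `X509 *cert` global also sit outside the `HAVE_SSL` / `LIBCURL_FEATURE_SSL` guards used elsewhere in the file, and check_http's body continues outside these hunks.

```c
static int cert_verify_error = X509_V_OK;

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	/* keep an owned copy of the leaf certificate only */
	if (X509_STORE_CTX_get_error_depth(x509_ctx) == 0) {
		X509_free(cert);
		cert = X509_dup(X509_STORE_CTX_get_current_cert(x509_ctx));
	}
	/* remember the first chain failure instead of discarding it */
	if (!preverify_ok && cert_verify_error == X509_V_OK)
		cert_verify_error = X509_STORE_CTX_get_error(x509_ctx);
	return 1;
}
/* … unchanged: sslctxfun … */
```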
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index e38947e3..14f6579d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -1,29 +1,29 @@ | |||
1 | /***************************************************************************** | 1 | /***************************************************************************** |
2 | * | 2 | * |
3 | * Monitoring Plugins SSL utilities | 3 | * Monitoring Plugins SSL utilities |
4 | * | 4 | * |
5 | * License: GPL | 5 | * License: GPL |
6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team | 6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team |
7 | * | 7 | * |
8 | * Description: | 8 | * Description: |
9 | * | 9 | * |
10 | * This file contains common functions for plugins that require SSL. | 10 | * This file contains common functions for plugins that require SSL. |
11 | * | 11 | * |
12 | * | 12 | * |
13 | * This program is free software: you can redistribute it and/or modify | 13 | * This program is free software: you can redistribute it and/or modify |
14 | * it under the terms of the GNU General Public License as published by | 14 | * it under the terms of the GNU General Public License as published by |
15 | * the Free Software Foundation, either version 3 of the License, or | 15 | * the Free Software Foundation, either version 3 of the License, or |
16 | * (at your option) any later version. | 16 | * (at your option) any later version. |
17 | * | 17 | * |
18 | * This program is distributed in the hope that it will be useful, | 18 | * This program is distributed in the hope that it will be useful, |
19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
21 | * GNU General Public License for more details. | 21 | * GNU General Public License for more details. |
22 | * | 22 | * |
23 | * You should have received a copy of the GNU General Public License | 23 | * You should have received a copy of the GNU General Public License |
24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
25 | * | 25 | * |
26 | * | 26 | * |
27 | *****************************************************************************/ | 27 | *****************************************************************************/ |
28 | 28 | ||
29 | #define MAX_CN_LENGTH 256 | 29 | #define MAX_CN_LENGTH 256 |
@@ -193,12 +193,22 @@ int np_net_ssl_read(void *buf, int num) { | |||
193 | 193 | ||
194 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | 194 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ |
195 | # ifdef USE_OPENSSL | 195 | # ifdef USE_OPENSSL |
196 | X509 *certificate=NULL; | 196 | X509 *certificate = NULL; |
197 | certificate=SSL_get_peer_certificate(s); | ||
198 | return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); | ||
199 | # else /* ifndef USE_OPENSSL */ | ||
200 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); | ||
201 | return STATE_WARNING; | ||
202 | # endif /* USE_OPENSSL */ | ||
203 | } | ||
204 | |||
205 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ | ||
206 | # ifdef USE_OPENSSL | ||
197 | X509_NAME *subj=NULL; | 207 | X509_NAME *subj=NULL; |
198 | char timestamp[50] = ""; | 208 | char timestamp[50] = ""; |
199 | char cn[MAX_CN_LENGTH]= ""; | 209 | char cn[MAX_CN_LENGTH]= ""; |
200 | char *tz; | 210 | char *tz; |
201 | 211 | ||
202 | int cnlen =-1; | 212 | int cnlen =-1; |
203 | int status=STATE_UNKNOWN; | 213 | int status=STATE_UNKNOWN; |
204 | 214 | ||
@@ -210,7 +220,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
210 | int time_remaining; | 220 | int time_remaining; |
211 | time_t tm_t; | 221 | time_t tm_t; |
212 | 222 | ||
213 | certificate=SSL_get_peer_certificate(s); | ||
214 | if (!certificate) { | 223 | if (!certificate) { |
215 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 224 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); |
216 | return STATE_CRITICAL; | 225 | return STATE_CRITICAL; |
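Review bot: `np_net_ssl_check_certificate` now receives its certificate from two callers with different ownership, and nothing in the hunk says who releases it: `np_net_ssl_check_cert` passes the result of `SSL_get_peer_certificate(s)`, which is a reference the caller has to free, while check_curl passes the pointer taken from `X509_STORE_CTX_get_current_cert`, which it does not own. The helper's body continues outside this hunk, so whether it frees the argument is not visible; either answer is wrong for one of the two callers (a leak on one side, a free of a borrowed object on the other). I would state the contract above the function, e.g. `/* takes ownership of certificate and frees it; pass an owned reference or a copy */`, and make both callers match it. The signature also names `X509` before the `# ifdef USE_OPENSSL` line, so a build without OpenSSL headers would not compile this definition; moving the guard around the whole function, with a stub for the other case, would avoid that.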