authorSven Nierlein <sven@nierlein.de>2021-04-07 17:51:38 +0200
committerGitHub <noreply@github.com>2021-04-07 17:51:38 +0200
commitf6fd14e886e2c5f6bf141e9542cf6212a1a6f5b5 (patch)
tree6c447eec21bc28fbd7cd4b78493b110889116c94 /plugins
parentb145ea19981a1ac07c8d8a0eaeb7f1450f4b1914 (diff)
parent6993c216955a54845d98dc568534613334c0b545 (diff)
Merge pull request #1669 from bazzisoft/verify-cert
Add an option to check_curl to verify the peer certificate & host using the system CA's
Diffstat (limited to 'plugins')
-rw-r--r--plugins/check_curl.c17
-rw-r--r--plugins/t/check_curl.t5
2 files changed, 18 insertions, 4 deletions
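--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -195,6 +195,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
+int verify_peer_and_host = FALSE;
 int is_openssl_callback = FALSE;
 #if defined(HAVE_SSL) && defined(USE_OPENSSL)
 X509 *cert = NULL;
@@ -489,9 +490,11 @@ check_http (void)
  if (client_privkey)
  handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
  if (ca_cert) {
+ handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
+ }
+ if (ca_cert || verify_peer_and_host) {
  /* per default if we have a CA verify both the peer and the
  * hostname in the certificate, can be switched off later */
- handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
  handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
  handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
  } else {
@@ -1159,6 +1162,7 @@ process_arguments (int argc, char **argv)
  {"client-cert", required_argument, 0, 'J'},
  {"private-key", required_argument, 0, 'K'},
  {"ca-cert", required_argument, 0, CA_CERT_OPTION},
+ {"verify-cert", no_argument, 0, 'D'},
  {"useragent", required_argument, 0, 'A'},
  {"header", required_argument, 0, 'k'},
  {"no-body", no_argument, 0, 'N'},
@@ -1193,7 +1197,7 @@ process_arguments (int argc, char **argv)
  server_url = strdup(DEFAULT_SERVER_URL);
 
  while (1) {
- c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option);
+ c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NE", longopts, &option);
  if (c == -1 || c == EOF || c == 1)
  break;
 
@@ -1333,6 +1337,11 @@ process_arguments (int argc, char **argv)
  ca_cert = optarg;
  goto enable_ssl;
 #endif
+#ifdef LIBCURL_FEATURE_SSL
+ case 'D': /* verify peer certificate & host */
+ verify_peer_and_host = TRUE;
+ goto enable_ssl;
+#endif
  case 'S': /* use SSL */
 #ifdef LIBCURL_FEATURE_SSL
  enable_ssl:
@@ -1703,6 +1712,8 @@ print_help (void)
  printf (" %s\n", _("matching the client certificate"));
  printf (" %s\n", "--ca-cert=FILE");
  printf (" %s\n", _("CA certificate file to verify peer against"));
+ printf (" %s\n", "-D, --verify-cert");
+ printf (" %s\n", _("Verify the peer's SSL certificate and hostname"));
 #endif
 
  printf (" %s\n", "-e, --expect=STRING");
@@ -1836,7 +1847,7 @@ print_usage (void)
 {
  printf ("%s\n", _("Usage:"));
  printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
- printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>]\n");
+ printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n");
  printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
  printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n");
  printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");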
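Review bot: The comment kept at the top of the widened branch in check_http still reads `per default if we have a CA verify both the peer and the hostname`, but the branch is now also entered by `-D` with no CA file, in which case no CURLOPT_CAINFO is set and libcurl is left to its default CA bundle; update it to `/* verify peer and hostname when a CA file was given or -D was set (no CA file: libcurl's default bundle); can be switched off later */`. The help text added in print_help could state the same so operators know which trust store applies, and that `-D` appears to imply `-S` through the `goto enable_ssl`, e.g. `_("Verify the peer's SSL certificate and hostname against the default CA bundle (implies -S)")`. check_http and process_arguments both start and end outside these hunks, so whether any later code re-disables verification for the `-D`-only case cannot be confirmed from here.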
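--- a/plugins/t/check_curl.t
+++ b/plugins/t/check_curl.t
@@ -9,7 +9,7 @@ use Test::More;
 use POSIX qw/mktime strftime/;
 use NPTest;
 
-plan tests => 57;
+plan tests => 58;
 
 my $successOutput = '/OK.*HTTP.*second/';
 
@@ -94,6 +94,9 @@ SKIP: {
 
  $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443");
  like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
+
+ $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -p 443");
+ like( $res->output, '/(^Host: '.$host_tls_http.'\s*$)|(cURL returned 60)/ms', "Host Header OK" );
 };
 
 SKIP: {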
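Review bot: The assertion added after the `-D` run accepts either a matching Host header or `cURL returned 60`, so it passes both when verification succeeds and when libcurl rejects the peer certificate, and therefore cannot catch a regression in which `-D` stops enforcing verification. It also reuses the description `Host Header OK` from the preceding test, which makes a failure ambiguous in the TAP output. Give it a distinct description, e.g. `"Host Header OK with -D"`, and, when the test host presents a certificate the default bundle trusts, add a second assertion such as `like( $res->output, $successOutput, "Peer verification OK with -D" );` (bumping `plan tests` accordingly) so the verified path is actually exercised. The SKIP block containing these lines starts outside the hunk.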