-rw-r--r-- | plugins/check_curl.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 7f45b5a7..d3bddacd 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
@@ -214,6 +214,7 @@ char *client_privkey = NULL; | |||
214 | char *ca_cert = NULL; | 214 | char *ca_cert = NULL; |
215 | bool verify_peer_and_host = false; | 215 | bool verify_peer_and_host = false; |
216 | bool is_openssl_callback = false; | 216 | bool is_openssl_callback = false; |
217 | bool add_sslctx_verify_fun = false; | ||
217 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) | 218 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) |
218 | X509 *cert = NULL; | 219 | X509 *cert = NULL; |
219 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ | 220 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ |
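Review bot: The new global `add_sslctx_verify_fun` at new line 217 is added without a comment, while its meaning is spread across this commit: it is set in `check_http()` where the OpenSSL callback used to be registered directly, and read in `sslctxfun()` to decide whether `SSL_CTX_set_verify()` is called. A one-liner next to the declaration would spare the next reader that reconstruction, e.g. `/* set by check_http() when certificate verification has to be done in sslctxfun() */`. Like the neighbouring flags it is mutable file-scope state; if nothing outside this translation unit uses it, `static` would be the usual choice for an internal global — the file's other declarations are outside the hunk, so I cannot tell whether that convention is followed here.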
@@ -299,7 +300,7 @@ main (int argc, char **argv) | |||
299 | 300 | ||
300 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | 301 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) |
301 | { | 302 | { |
302 | (void) preverify_ok; | 303 | (void) preverify_ok; |
303 | /* TODO: we get all certificates of the chain, so which ones | 304 | /* TODO: we get all certificates of the chain, so which ones |
304 | * should we test? | 305 | * should we test? |
305 | * TODO: is the last certificate always the server certificate? | 306 | * TODO: is the last certificate always the server certificate? |
@@ -324,9 +325,18 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | |||
324 | 325 | ||
325 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | 326 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) |
326 | { | 327 | { |
327 | (void) curl; // ignore unused parameter | 328 | (void) curl; // ignore unused parameter |
328 | (void) parm; // ignore unused parameter | 329 | (void) parm; // ignore unused parameter |
329 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | 330 | if(add_sslctx_verify_fun) { |
331 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
332 | } | ||
333 | |||
334 | // workaround for issue: | ||
335 | // OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0 | ||
336 | // see discussion https://github.com/openssl/openssl/discussions/22690 | ||
337 | #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF | ||
338 | SSL_CTX_set_options(sslctx, SSL_OP_IGNORE_UNEXPECTED_EOF); | ||
339 | #endif | ||
330 | 340 | ||
331 | return CURLE_OK; | 341 | return CURLE_OK; |
332 | } | 342 | } |
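Review bot: `SSL_CTX_set_options(sslctx, SSL_OP_IGNORE_UNEXPECTED_EOF)` at new line 338 runs for every TLS connection once the callback is installed, independent of `add_sslctx_verify_fun`, so it is not scoped to the servers that actually produce the quoted error. OpenSSL 3 turned an EOF without close_notify into an error because a response cut off at the TCP level is otherwise indistinguishable from a complete one; with this option set, a truncated body is reported as a clean read and any size or content check then runs against partial data. The comment should state what is being traded away, e.g. `// NOTE: this also disables detection of truncated responses (no close_notify); set knowingly`, and an opt-in command-line switch would be preferable to an unconditional default — the rest of the file is outside the hunk, so I cannot tell whether such an option already exists. Style: `if(add_sslctx_verify_fun) {` at new line 330 lacks the space after `if` used elsewhere in the file (`if (ssl_library == ...`).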
@@ -678,9 +688,8 @@ check_http (void) | |||
678 | * OpenSSL-style libraries only!) */ | 688 | * OpenSSL-style libraries only!) */ |
679 | #ifdef USE_OPENSSL | 689 | #ifdef USE_OPENSSL |
680 | /* libcurl and monitoring plugins built with OpenSSL, good */ | 690 | /* libcurl and monitoring plugins built with OpenSSL, good */ |
681 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); | 691 | add_sslctx_verify_fun = true; |
682 | is_openssl_callback = true; | 692 | is_openssl_callback = true; |
683 | #else /* USE_OPENSSL */ | ||
684 | #endif /* USE_OPENSSL */ | 693 | #endif /* USE_OPENSSL */ |
685 | /* libcurl is built with OpenSSL, monitoring plugins, so falling | 694 | /* libcurl is built with OpenSSL, monitoring plugins, so falling |
686 | * back to manually extracting certificate information */ | 695 | * back to manually extracting certificate information */ |
@@ -713,12 +722,18 @@ check_http (void) | |||
713 | #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ | 722 | #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ |
714 | /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */ | 723 | /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */ |
715 | if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) | 724 | if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) |
716 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); | 725 | add_sslctx_verify_fun = true; |
717 | else | 726 | else |
718 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n"); | 727 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n"); |
719 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ | 728 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ |
720 | } | 729 | } |
721 | 730 | ||
731 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */ | ||
732 | // ssl ctx function is not available with all ssl backends | ||
733 | if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, NULL) != CURLE_UNKNOWN_OPTION) | ||
734 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); | ||
735 | #endif | ||
736 | |||
722 | #endif /* LIBCURL_FEATURE_SSL */ | 737 | #endif /* LIBCURL_FEATURE_SSL */ |
723 | 738 | ||
724 | /* set default or user-given user agent identification */ | 739 | /* set default or user-given user agent identification */ |
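Review bot: The probe at new line 733 treats any result other than `CURLE_UNKNOWN_OPTION` as "supported", but libcurl documents `CURLOPT_SSL_CTX_FUNCTION` as also returning `CURLE_NOT_BUILT_IN` when the TLS backend cannot expose an SSL context, which is exactly the case the `// ssl ctx function is not available with all ssl backends` comment is trying to handle. On such a backend the probe passes and the following `handle_curl_option_return_code(...)` receives the same non-OK code, presumably turning a degraded-but-working check into a hard failure (that helper's behaviour is outside the hunk). Testing for success directly is more robust: `if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, NULL) == CURLE_OK)`. Note also that the callback is now installed whenever the option works, so whatever `sslctxfun()` does besides the `add_sslctx_verify_fun`-guarded verification applies to every TLS connection, not only when certificate checking was requested.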