summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--plugins/check_curl.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 7f45b5a7..d3bddacd 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -214,6 +214,7 @@ char *client_privkey = NULL;
214char *ca_cert = NULL; 214char *ca_cert = NULL;
215bool verify_peer_and_host = false; 215bool verify_peer_and_host = false;
216bool is_openssl_callback = false; 216bool is_openssl_callback = false;
217bool add_sslctx_verify_fun = false;
217#if defined(HAVE_SSL) && defined(USE_OPENSSL) 218#if defined(HAVE_SSL) && defined(USE_OPENSSL)
218X509 *cert = NULL; 219X509 *cert = NULL;
219#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ 220#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
@@ -299,7 +300,7 @@ main (int argc, char **argv)
299 300
300int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) 301int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
301{ 302{
302 (void) preverify_ok; 303 (void) preverify_ok;
303 /* TODO: we get all certificates of the chain, so which ones 304 /* TODO: we get all certificates of the chain, so which ones
304 * should we test? 305 * should we test?
305 * TODO: is the last certificate always the server certificate? 306 * TODO: is the last certificate always the server certificate?
@@ -324,9 +325,18 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
324 325
325CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) 326CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
326{ 327{
327 (void) curl; // ignore unused parameter 328 (void) curl; // ignore unused parameter
328 (void) parm; // ignore unused parameter 329 (void) parm; // ignore unused parameter
329 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); 330 if(add_sslctx_verify_fun) {
331 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
332 }
333
334 // workaround for issue:
335 // OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
336 // see discussion https://github.com/openssl/openssl/discussions/22690
337#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
338 SSL_CTX_set_options(sslctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
339#endif
330 340
331 return CURLE_OK; 341 return CURLE_OK;
332} 342}
@@ -678,9 +688,8 @@ check_http (void)
678 * OpenSSL-style libraries only!) */ 688 * OpenSSL-style libraries only!) */
679#ifdef USE_OPENSSL 689#ifdef USE_OPENSSL
680 /* libcurl and monitoring plugins built with OpenSSL, good */ 690 /* libcurl and monitoring plugins built with OpenSSL, good */
681 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); 691 add_sslctx_verify_fun = true;
682 is_openssl_callback = true; 692 is_openssl_callback = true;
683#else /* USE_OPENSSL */
684#endif /* USE_OPENSSL */ 693#endif /* USE_OPENSSL */
685 /* libcurl is built with OpenSSL, monitoring plugins, so falling 694 /* libcurl is built with OpenSSL, monitoring plugins, so falling
686 * back to manually extracting certificate information */ 695 * back to manually extracting certificate information */
@@ -713,12 +722,18 @@ check_http (void)
713#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ 722#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
714 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */ 723 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
715 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) 724 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
716 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); 725 add_sslctx_verify_fun = true;
717 else 726 else
718 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n"); 727 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
719#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ 728#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
720 } 729 }
721 730
731#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */
732 // ssl ctx function is not available with all ssl backends
733 if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, NULL) != CURLE_UNKNOWN_OPTION)
734 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
735#endif
736
722#endif /* LIBCURL_FEATURE_SSL */ 737#endif /* LIBCURL_FEATURE_SSL */
723 738
724 /* set default or user-given user agent identification */ 739 /* set default or user-given user agent identification */