| -rw-r--r-- | plugins/check_curl.c | 61 |
1 files changed, 39 insertions, 22 deletions
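--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -158,18 +158,21 @@ int onredirect = STATE_OK;
 int use_ssl = FALSE;
 int use_sni = TRUE;
 int check_cert = FALSE;
-union {
+typedef union {
 struct curl_slist* to_info;
 struct curl_certinfo* to_certinfo;
-} cert_ptr;
+} cert_ptr_union;
+cert_ptr_union cert_ptr;
 int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
 int is_openssl_callback = FALSE;
 #ifdef HAVE_SSL
+#ifdef USE_OPENSSL
 X509 *cert = NULL;
-#endif
+#endif /* USE_OPENSSL */
+#endif /* HAVE_SSL */
 int no_body = FALSE;
 int maximum_age = -1;
 int address_family = AF_UNSPEC;
@@ -189,6 +192,7 @@ int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
 void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
 curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
 const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
+int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
 
 int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
 void curlhelp_free_statusline (curlhelp_statusline *);
@@ -229,6 +233,7 @@ main (int argc, char **argv)
 }
 
 #ifdef HAVE_SSL
+#ifdef USE_OPENSSL
 
 int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
@@ -247,6 +252,7 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
 return CURLE_OK;
 }
 
+#endif /* USE_OPENSSL */
 #endif /* HAVE_SSL */
 
 /* Checks if the server 'reply' is one of the expected 'statuscodes' */
@@ -535,33 +541,19 @@ check_http (void)
 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
 #endif /* HAVE_SSL */
 } else {
-/* going with the libcurl CURLINFO data */
-if (verbose >= 2)
-printf ("**** REQUEST CERTIFICATES ****\n");
+/* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+* so we use the libcurl CURLINFO data
+*/
 cert_ptr.to_info = NULL;
 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
 if (!res && cert_ptr.to_info) {
-int i;
-for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
-struct curl_slist *slist;
-for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
-if (verbose >= 2)
-printf ("%d ** %s\n", i, slist->data);
-}
-}
+result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+return result;
 } else {
 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
 res, curl_easy_strerror(res));
 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
 }
-if (verbose >= 2)
-printf ("**** REQUEST CERTIFICATES ****\n");
-/* TODO: either convert data to X509 certs we can check with np_net_ssl_check_certificate
-* or do something on our own..
-* result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-* return result;
-*/
-die (STATE_UNKNOWN, "HTTP UNKNOWN - CERTINFO certificate checks not implemented yet\n");
 }
 }
 }
@@ -1723,3 +1715,28 @@ curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
 return "unknown";
 }
 }
+
+#ifdef LIBCURL_FEATURE_SSL
+int
+net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
+{
+int i;
+struct curl_slist *slist;
+
+if (verbose >= 2)
+printf ("**** REQUEST CERTIFICATES ****\n");
+
+for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
+for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
+if (verbose >= 2)
+printf ("%d ** %s\n", i, slist->data);
+}
+}
+
+if (verbose >= 2)
+printf ("**** REQUEST CERTIFICATES ****\n");
+
+printf("%s\n", _("WARNING - Plugin does not support checking certificates without OpenSSL."));
+return STATE_WARNING;
+}
+#endif /* LIBCURL_FEATURE_SSL */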
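Review bot: The definition of `net_noopenssl_check_certificate` is wrapped in `#ifdef LIBCURL_FEATURE_SSL`, but neither its prototype in the earlier declarations hunk nor the call in check_http is visibly under the same guard (the `#endif /* HAVE_SSL */` closes before the `} else {` that contains the call), so a build without that feature would presumably fail at link time; either guard the call identically or provide an unconditional stub. The parameters `days_till_exp_warn` and `days_till_exp_crit` are never read in the body, so on this code path the user's expiry thresholds have no effect — the function only dumps the CERTINFO chain under `-vv` and returns STATE_WARNING; that deserves a comment above the function, e.g. `/* Without OpenSSL the CERTINFO chain is only printed; expiry thresholds are not evaluated. */`, and `(void)days_till_exp_warn; (void)days_till_exp_crit;` to keep -Wunused-parameter quiet. The same `**** REQUEST CERTIFICATES ****` banner is printed before and after the loop; if the second is meant as a closing marker it should say so (the old check_http code had the same duplication). The body also dereferences `cert_ptr->to_certinfo` without a NULL check, which is safe only because the sole caller tests `cert_ptr.to_info` first — worth stating in the comment so a future caller does not skip that test.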
