1 files changed, 87 insertions, 56 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 0bc61ed..5425bb2 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -36,66 +36,97 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
-int np_net_ssl_init (int sd) {
+int np_net_ssl_init(int sd) {
-                return np_net_ssl_init_with_hostname(sd, NULL);
+        return np_net_ssl_init_with_hostname(sd, NULL);
 }
-int np_net_ssl_init_with_hostname (int sd, char *host_name) {
+int np_net_ssl_init_with_hostname(int sd, char *host_name) {
-                if (!initialized) {
+        return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
-                        /* Initialize SSL context */
+}
-                        SSLeay_add_ssl_algorithms ();
-                        SSL_load_error_strings ();
+int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
-                        OpenSSL_add_all_algorithms ();
+        const SSL_METHOD *method = NULL;
-                        initialized = 1;
-                }
+        switch (version) {
-                if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
+        case 0: /* Deafult to auto negotiation */
-                                printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
+                method = SSLv23_client_method();
-                                return STATE_CRITICAL;
+                break;
-                }
+        case 1: /* TLSv1 protocol */
-                if ((s = SSL_new (c)) != NULL){
+                method = TLSv1_client_method();
+                break;
+        case 2: /* SSLv2 protocol */
+#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
+                printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
+                return STATE_CRITICAL;
+#else
+                method = SSLv2_client_method();
+#endif
+                break;
+        case 3: /* SSLv3 protocol */
+                method = SSLv3_client_method();
+                break;
+        default: /* Unsupported */
+                printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
+                return STATE_CRITICAL;
+        }
+        if (!initialized) {
+                /* Initialize SSL context */
+                SSLeay_add_ssl_algorithms();
+                SSL_load_error_strings();
+                OpenSSL_add_all_algorithms();
+                initialized = 1;
+        }
+        if ((c = SSL_CTX_new(method)) == NULL) {
+                printf("%s\n", _("CRITICAL - Cannot create SSL context."));
+                return STATE_CRITICAL;
+        }
+#ifdef SSL_OP_NO_TICKET
+        SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+#endif
+        if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name
-                                if (host_name != NULL)
+                if (host_name != NULL)
-                                        SSL_set_tlsext_host_name(s, host_name);
+                        SSL_set_tlsext_host_name(s, host_name);
 #endif
-                                SSL_set_fd (s, sd);
+                SSL_set_fd(s, sd);
-                                if (SSL_connect(s) == 1){
+                if (SSL_connect(s) == 1) {
-                                                return OK;
+                        return OK;
-                                } else {
+                } else {
-                                                printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));
+                        printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
 #  ifdef USE_OPENSSL /* XXX look into ERR_error_string */
-                                                ERR_print_errors_fp (stdout);
+                        ERR_print_errors_fp(stdout);
 #  endif /* USE_OPENSSL */
-                                }
-                } else {
-                                printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
                }
-                return STATE_CRITICAL;
+        } else {
+                        printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
+        }
+        return STATE_CRITICAL;
 }
-void np_net_ssl_cleanup (){
+void np_net_ssl_cleanup() {
-                if(s){
+        if (s) {
 #ifdef SSL_set_tlsext_host_name
-                                SSL_set_tlsext_host_name(s, NULL);
+                SSL_set_tlsext_host_name(s, NULL);
 #endif
-                                SSL_shutdown (s);
+                SSL_shutdown(s);
-                                SSL_free (s);
+                SSL_free(s);
-                                if(c) {
+                if (c) {
-                                        SSL_CTX_free (c);
+                        SSL_CTX_free(c);
-                                        c=NULL;
+                        c=NULL;
-                                }
-                                s=NULL;
                }
+                s=NULL;
+        }
 }
-int np_net_ssl_write(const void *buf, int num){
+int np_net_ssl_write(const void *buf, int num) {
        return SSL_write(s, buf, num);
 }
-int np_net_ssl_read(void *buf, int num){
+int np_net_ssl_read(void *buf, int num) {
        return SSL_read(s, buf, num);
 }
-int np_net_ssl_check_cert(int days_till_exp){
+int np_net_ssl_check_cert(int days_till_exp) {
 #  ifdef USE_OPENSSL
        X509 *certificate=NULL;
        X509_NAME *subj=NULL;
@@ -111,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){
        char timestamp[17] = "";
        certificate=SSL_get_peer_certificate(s);
-        if(! certificate){
+        if (!certificate) {
-                printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
+                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
        subj=X509_get_subject_name(certificate);
-        if(! subj){
+        if (!subj) {
-                printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+                printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
-        cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
+        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
-        if ( cnlen == -1 )
+        if (cnlen == -1)
-                strcpy(cn , _("Unknown CN"));
+                strcpy(cn, _("Unknown CN"));
        /* Retrieve timestamp of certificate */
-        tm = X509_get_notAfter (certificate);
+        tm = X509_get_notAfter(certificate);
        /* Generate tm structure to process timestamp */
        if (tm->type == V_ASN1_UTCTIME) {
                if (tm->length < 10) {
-                        printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
+                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
                        stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
@@ -143,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){
                }
        } else {
                if (tm->length < 12) {
-                        printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
+                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
                        stamp.tm_year =
@@ -172,22 +203,22 @@ int np_net_ssl_check_cert(int days_till_exp){
                 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
        if (days_left > 0 && days_left <= days_till_exp) {
-                printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
+                printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
                status=STATE_WARNING;
        } else if (time_left < 0) {
-                printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
+                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
                status=STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
+                printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
                status=STATE_WARNING;
        } else {
-                printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
+                printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
                status=STATE_OK;
        }
-        X509_free (certificate);
+        X509_free(certificate);
        return status;
 #  else /* ifndef USE_OPENSSL */
-        printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
+        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
 #  endif /* USE_OPENSSL */
 }

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 0bc61ed..5425bb2 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -36,66 +36,97 @@ static SSL_CTX *c=NULL;
36	static SSL *s=NULL;	36	static SSL *s=NULL;
37	static int initialized=0;	37	static int initialized=0;
38		38
39	int np_net_ssl_init (int sd) {	39	int np_net_ssl_init(int sd) {
40	return np_net_ssl_init_with_hostname(sd, NULL);	40	return np_net_ssl_init_with_hostname(sd, NULL);
41	}	41	}
42		42
43	int np_net_ssl_init_with_hostname (int sd, char *host_name) {	43	int np_net_ssl_init_with_hostname(int sd, char *host_name) {
44	if (!initialized) {	44	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
45	/* Initialize SSL context */	45	}
46	SSLeay_add_ssl_algorithms ();	46
47	SSL_load_error_strings ();	47	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
48	OpenSSL_add_all_algorithms ();	48	const SSL_METHOD *method = NULL;
49	initialized = 1;	49
50	}	50	switch (version) {
51	if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {	51	case 0: /* Deafult to auto negotiation */
52	printf ("%s\n", _("CRITICAL - Cannot create SSL context."));	52	method = SSLv23_client_method();
53	return STATE_CRITICAL;	53	break;
54	}	54	case 1: /* TLSv1 protocol */
55	if ((s = SSL_new (c)) != NULL){	55	method = TLSv1_client_method();
		56	break;
		57	case 2: /* SSLv2 protocol */
		58	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)
		59	printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
		60	return STATE_CRITICAL;
		61	#else
		62	method = SSLv2_client_method();
		63	#endif
		64	break;
		65	case 3: /* SSLv3 protocol */
		66	method = SSLv3_client_method();
		67	break;
		68	default: /* Unsupported */
		69	printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
		70	return STATE_CRITICAL;
		71	}
		72	if (!initialized) {
		73	/* Initialize SSL context */
		74	SSLeay_add_ssl_algorithms();
		75	SSL_load_error_strings();
		76	OpenSSL_add_all_algorithms();
		77	initialized = 1;
		78	}
		79	if ((c = SSL_CTX_new(method)) == NULL) {
		80	printf("%s\n", _("CRITICAL - Cannot create SSL context."));
		81	return STATE_CRITICAL;
		82	}
		83	#ifdef SSL_OP_NO_TICKET
		84	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
		85	#endif
		86	if ((s = SSL_new(c)) != NULL) {
56	#ifdef SSL_set_tlsext_host_name	87	#ifdef SSL_set_tlsext_host_name
57	if (host_name != NULL)	88	if (host_name != NULL)
58	SSL_set_tlsext_host_name(s, host_name);	89	SSL_set_tlsext_host_name(s, host_name);
59	#endif	90	#endif
60	SSL_set_fd (s, sd);	91	SSL_set_fd(s, sd);
61	if (SSL_connect(s) == 1){	92	if (SSL_connect(s) == 1) {
62	return OK;	93	return OK;
63	} else {	94	} else {
64	printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));	95	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
65	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */	96	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
66	ERR_print_errors_fp (stdout);	97	ERR_print_errors_fp(stdout);
67	# endif /* USE_OPENSSL */	98	# endif /* USE_OPENSSL */
68	}
69	} else {
70	printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
71	}	99	}
72	return STATE_CRITICAL;	100	} else {
		101	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
		102	}
		103	return STATE_CRITICAL;
73	}	104	}
74		105
75	void np_net_ssl_cleanup (){	106	void np_net_ssl_cleanup() {
76	if(s){	107	if (s) {
77	#ifdef SSL_set_tlsext_host_name	108	#ifdef SSL_set_tlsext_host_name
78	SSL_set_tlsext_host_name(s, NULL);	109	SSL_set_tlsext_host_name(s, NULL);
79	#endif	110	#endif
80	SSL_shutdown (s);	111	SSL_shutdown(s);
81	SSL_free (s);	112	SSL_free(s);
82	if(c) {	113	if (c) {
83	SSL_CTX_free (c);	114	SSL_CTX_free(c);
84	c=NULL;	115	c=NULL;
85	}
86	s=NULL;
87	}	116	}
		117	s=NULL;
		118	}
88	}	119	}
89		120
90	int np_net_ssl_write(const void *buf, int num){	121	int np_net_ssl_write(const void *buf, int num) {
91	return SSL_write(s, buf, num);	122	return SSL_write(s, buf, num);
92	}	123	}
93		124
94	int np_net_ssl_read(void *buf, int num){	125	int np_net_ssl_read(void *buf, int num) {
95	return SSL_read(s, buf, num);	126	return SSL_read(s, buf, num);
96	}	127	}
97		128
98	int np_net_ssl_check_cert(int days_till_exp){	129	int np_net_ssl_check_cert(int days_till_exp) {
99	# ifdef USE_OPENSSL	130	# ifdef USE_OPENSSL
100	X509 *certificate=NULL;	131	X509 *certificate=NULL;
101	X509_NAME *subj=NULL;	132	X509_NAME *subj=NULL;
@@ -111,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){
111	char timestamp[17] = "";	142	char timestamp[17] = "";
112		143
113	certificate=SSL_get_peer_certificate(s);	144	certificate=SSL_get_peer_certificate(s);
114	if(! certificate){	145	if (!certificate) {
115	printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	146	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
116	return STATE_CRITICAL;	147	return STATE_CRITICAL;
117	}	148	}
118		149
119	/* Extract CN from certificate subject */	150	/* Extract CN from certificate subject */
120	subj=X509_get_subject_name(certificate);	151	subj=X509_get_subject_name(certificate);
121		152
122	if(! subj){	153	if (!subj) {
123	printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));	154	printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
124	return STATE_CRITICAL;	155	return STATE_CRITICAL;
125	}	156	}
126	cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));	157	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
127	if ( cnlen == -1 )	158	if (cnlen == -1)
128	strcpy(cn , _("Unknown CN"));	159	strcpy(cn, _("Unknown CN"));
129		160
130	/* Retrieve timestamp of certificate */	161	/* Retrieve timestamp of certificate */
131	tm = X509_get_notAfter (certificate);	162	tm = X509_get_notAfter(certificate);
132		163
133	/* Generate tm structure to process timestamp */	164	/* Generate tm structure to process timestamp */
134	if (tm->type == V_ASN1_UTCTIME) {	165	if (tm->type == V_ASN1_UTCTIME) {
135	if (tm->length < 10) {	166	if (tm->length < 10) {
136	printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));	167	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
137	return STATE_CRITICAL;	168	return STATE_CRITICAL;
138	} else {	169	} else {
139	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');	170	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
@@ -143,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){
143	}	174	}
144	} else {	175	} else {
145	if (tm->length < 12) {	176	if (tm->length < 12) {
146	printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));	177	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
147	return STATE_CRITICAL;	178	return STATE_CRITICAL;
148	} else {	179	} else {
149	stamp.tm_year =	180	stamp.tm_year =
@@ -172,22 +203,22 @@ int np_net_ssl_check_cert(int days_till_exp){
172	stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);	203	stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
173		204
174	if (days_left > 0 && days_left <= days_till_exp) {	205	if (days_left > 0 && days_left <= days_till_exp) {
175	printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);	206	printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
176	status=STATE_WARNING;	207	status=STATE_WARNING;
177	} else if (time_left < 0) {	208	} else if (time_left < 0) {
178	printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	209	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
179	status=STATE_CRITICAL;	210	status=STATE_CRITICAL;
180	} else if (days_left == 0) {	211	} else if (days_left == 0) {
181	printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);	212	printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
182	status=STATE_WARNING;	213	status=STATE_WARNING;
183	} else {	214	} else {
184	printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);	215	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
185	status=STATE_OK;	216	status=STATE_OK;
186	}	217	}
187	X509_free (certificate);	218	X509_free(certificate);
188	return status;	219	return status;
189	# else /* ifndef USE_OPENSSL */	220	# else /* ifndef USE_OPENSSL */
190	printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));	221	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
191	return STATE_WARNING;	222	return STATE_WARNING;
192	# endif /* USE_OPENSSL */	223	# endif /* USE_OPENSSL */
193	}	224	}