diff options
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r-- | plugins/sslutils.c | 135 |
1 files changed, 76 insertions, 59 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 4f9c793c..6bc0ba81 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -1,29 +1,29 @@ | |||
1 | /***************************************************************************** | 1 | /***************************************************************************** |
2 | * | 2 | * |
3 | * Monitoring Plugins SSL utilities | 3 | * Monitoring Plugins SSL utilities |
4 | * | 4 | * |
5 | * License: GPL | 5 | * License: GPL |
6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team | 6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team |
7 | * | 7 | * |
8 | * Description: | 8 | * Description: |
9 | * | 9 | * |
10 | * This file contains common functions for plugins that require SSL. | 10 | * This file contains common functions for plugins that require SSL. |
11 | * | 11 | * |
12 | * | 12 | * |
13 | * This program is free software: you can redistribute it and/or modify | 13 | * This program is free software: you can redistribute it and/or modify |
14 | * it under the terms of the GNU General Public License as published by | 14 | * it under the terms of the GNU General Public License as published by |
15 | * the Free Software Foundation, either version 3 of the License, or | 15 | * the Free Software Foundation, either version 3 of the License, or |
16 | * (at your option) any later version. | 16 | * (at your option) any later version. |
17 | * | 17 | * |
18 | * This program is distributed in the hope that it will be useful, | 18 | * This program is distributed in the hope that it will be useful, |
19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
21 | * GNU General Public License for more details. | 21 | * GNU General Public License for more details. |
22 | * | 22 | * |
23 | * You should have received a copy of the GNU General Public License | 23 | * You should have received a copy of the GNU General Public License |
24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
25 | * | 25 | * |
26 | * | 26 | * |
27 | *****************************************************************************/ | 27 | *****************************************************************************/ |
28 | 28 | ||
29 | #define MAX_CN_LENGTH 256 | 29 | #define MAX_CN_LENGTH 256 |
@@ -31,9 +31,8 @@ | |||
31 | #include "netutils.h" | 31 | #include "netutils.h" |
32 | 32 | ||
33 | #ifdef HAVE_SSL | 33 | #ifdef HAVE_SSL |
34 | static SSL_CTX *c=NULL; | 34 | static SSL_CTX *ctx=NULL; |
35 | static SSL *s=NULL; | 35 | static SSL *s=NULL; |
36 | static int initialized=0; | ||
37 | 36 | ||
38 | int np_net_ssl_init(int sd) { | 37 | int np_net_ssl_init(int sd) { |
39 | return np_net_ssl_init_with_hostname(sd, NULL); | 38 | return np_net_ssl_init_with_hostname(sd, NULL); |
@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
48 | } | 47 | } |
49 | 48 | ||
50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 49 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
51 | SSL_METHOD *method = NULL; | ||
52 | long options = 0; | 50 | long options = 0; |
53 | 51 | ||
52 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { | ||
53 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
54 | return STATE_CRITICAL; | ||
55 | } | ||
56 | |||
54 | switch (version) { | 57 | switch (version) { |
55 | case MP_SSLv2: /* SSLv2 protocol */ | 58 | case MP_SSLv2: /* SSLv2 protocol */ |
56 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | ||
57 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); | 59 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
58 | return STATE_UNKNOWN; | 60 | return STATE_UNKNOWN; |
59 | #else | ||
60 | method = SSLv2_client_method(); | ||
61 | break; | ||
62 | #endif | ||
63 | case MP_SSLv3: /* SSLv3 protocol */ | 61 | case MP_SSLv3: /* SSLv3 protocol */ |
64 | #if defined(OPENSSL_NO_SSL3) | 62 | #if defined(OPENSSL_NO_SSL3) |
65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); | 63 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); |
66 | return STATE_UNKNOWN; | 64 | return STATE_UNKNOWN; |
67 | #else | 65 | #else |
68 | method = SSLv3_client_method(); | 66 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
67 | SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); | ||
69 | break; | 68 | break; |
70 | #endif | 69 | #endif |
71 | case MP_TLSv1: /* TLSv1 protocol */ | 70 | case MP_TLSv1: /* TLSv1 protocol */ |
@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
73 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | 72 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); |
74 | return STATE_UNKNOWN; | 73 | return STATE_UNKNOWN; |
75 | #else | 74 | #else |
76 | method = TLSv1_client_method(); | 75 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
76 | SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); | ||
77 | break; | 77 | break; |
78 | #endif | 78 | #endif |
79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | 79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ |
@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | 81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); |
82 | return STATE_UNKNOWN; | 82 | return STATE_UNKNOWN; |
83 | #else | 83 | #else |
84 | method = TLSv1_1_client_method(); | 84 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
85 | SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); | ||
85 | break; | 86 | break; |
86 | #endif | 87 | #endif |
87 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | 88 | case MP_TLSv1_2: /* TLSv1.2 protocol */ |
@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
89 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | 90 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); |
90 | return STATE_UNKNOWN; | 91 | return STATE_UNKNOWN; |
91 | #else | 92 | #else |
92 | method = TLSv1_2_client_method(); | 93 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
94 | SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); | ||
93 | break; | 95 | break; |
94 | #endif | 96 | #endif |
95 | case MP_TLSv1_2_OR_NEWER: | 97 | case MP_TLSv1_2_OR_NEWER: |
@@ -97,47 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
97 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | 99 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); |
98 | return STATE_UNKNOWN; | 100 | return STATE_UNKNOWN; |
99 | #else | 101 | #else |
100 | options |= SSL_OP_NO_TLSv1_1; | 102 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
103 | break; | ||
101 | #endif | 104 | #endif |
102 | /* FALLTHROUGH */ | ||
103 | case MP_TLSv1_1_OR_NEWER: | 105 | case MP_TLSv1_1_OR_NEWER: |
104 | #if !defined(SSL_OP_NO_TLSv1) | 106 | #if !defined(SSL_OP_NO_TLSv1) |
105 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | 107 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); |
106 | return STATE_UNKNOWN; | 108 | return STATE_UNKNOWN; |
107 | #else | 109 | #else |
108 | options |= SSL_OP_NO_TLSv1; | 110 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
111 | break; | ||
109 | #endif | 112 | #endif |
110 | /* FALLTHROUGH */ | ||
111 | case MP_TLSv1_OR_NEWER: | 113 | case MP_TLSv1_OR_NEWER: |
112 | #if defined(SSL_OP_NO_SSLv3) | 114 | #if defined(SSL_OP_NO_SSLv3) |
113 | options |= SSL_OP_NO_SSLv3; | 115 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
116 | break; | ||
114 | #endif | 117 | #endif |
115 | /* FALLTHROUGH */ | ||
116 | case MP_SSLv3_OR_NEWER: | 118 | case MP_SSLv3_OR_NEWER: |
117 | #if defined(SSL_OP_NO_SSLv2) | 119 | #if defined(SSL_OP_NO_SSLv2) |
118 | options |= SSL_OP_NO_SSLv2; | 120 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
121 | break; | ||
119 | #endif | 122 | #endif |
120 | case MP_SSLv2_OR_NEWER: | ||
121 | /* FALLTHROUGH */ | ||
122 | default: /* Default to auto negotiation */ | ||
123 | method = SSLv23_client_method(); | ||
124 | } | ||
125 | if (!initialized) { | ||
126 | /* Initialize SSL context */ | ||
127 | SSLeay_add_ssl_algorithms(); | ||
128 | SSL_load_error_strings(); | ||
129 | OpenSSL_add_all_algorithms(); | ||
130 | initialized = 1; | ||
131 | } | ||
132 | if ((c = SSL_CTX_new(method)) == NULL) { | ||
133 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
134 | return STATE_CRITICAL; | ||
135 | } | 123 | } |
124 | |||
136 | if (cert && privkey) { | 125 | if (cert && privkey) { |
137 | SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM); | ||
138 | SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); | ||
139 | #ifdef USE_OPENSSL | 126 | #ifdef USE_OPENSSL |
140 | if (!SSL_CTX_check_private_key(c)) { | 127 | if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { |
128 | #elif USE_GNUTLS | ||
129 | if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { | ||
130 | #else | ||
131 | #error Unported for unknown SSL library | ||
132 | #endif | ||
133 | printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); | ||
134 | return STATE_CRITICAL; | ||
135 | } | ||
136 | SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); | ||
137 | #ifdef USE_OPENSSL | ||
138 | if (!SSL_CTX_check_private_key(ctx)) { | ||
141 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); | 139 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); |
142 | return STATE_CRITICAL; | 140 | return STATE_CRITICAL; |
143 | } | 141 | } |
@@ -146,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
146 | #ifdef SSL_OP_NO_TICKET | 144 | #ifdef SSL_OP_NO_TICKET |
147 | options |= SSL_OP_NO_TICKET; | 145 | options |= SSL_OP_NO_TICKET; |
148 | #endif | 146 | #endif |
149 | SSL_CTX_set_options(c, options); | 147 | SSL_CTX_set_options(ctx, options); |
150 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); | 148 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
151 | if ((s = SSL_new(c)) != NULL) { | 149 | if ((s = SSL_new(ctx)) != NULL) { |
152 | #ifdef SSL_set_tlsext_host_name | 150 | #ifdef SSL_set_tlsext_host_name |
153 | if (host_name != NULL) | 151 | if (host_name != NULL) |
154 | SSL_set_tlsext_host_name(s, host_name); | 152 | SSL_set_tlsext_host_name(s, host_name); |
@@ -175,9 +173,9 @@ void np_net_ssl_cleanup() { | |||
175 | #endif | 173 | #endif |
176 | SSL_shutdown(s); | 174 | SSL_shutdown(s); |
177 | SSL_free(s); | 175 | SSL_free(s); |
178 | if (c) { | 176 | if (ctx) { |
179 | SSL_CTX_free(c); | 177 | SSL_CTX_free(ctx); |
180 | c=NULL; | 178 | ctx=NULL; |
181 | } | 179 | } |
182 | s=NULL; | 180 | s=NULL; |
183 | } | 181 | } |
@@ -191,13 +189,13 @@ int np_net_ssl_read(void *buf, int num) { | |||
191 | return SSL_read(s, buf, num); | 189 | return SSL_read(s, buf, num); |
192 | } | 190 | } |
193 | 191 | ||
194 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | 192 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ |
195 | # ifdef USE_OPENSSL | 193 | # ifdef USE_OPENSSL |
196 | X509 *certificate=NULL; | ||
197 | X509_NAME *subj=NULL; | 194 | X509_NAME *subj=NULL; |
198 | char timestamp[50] = ""; | 195 | char timestamp[50] = ""; |
199 | char cn[MAX_CN_LENGTH]= ""; | 196 | char cn[MAX_CN_LENGTH]= ""; |
200 | 197 | char *tz; | |
198 | |||
201 | int cnlen =-1; | 199 | int cnlen =-1; |
202 | int status=STATE_UNKNOWN; | 200 | int status=STATE_UNKNOWN; |
203 | 201 | ||
@@ -209,7 +207,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
209 | int time_remaining; | 207 | int time_remaining; |
210 | time_t tm_t; | 208 | time_t tm_t; |
211 | 209 | ||
212 | certificate=SSL_get_peer_certificate(s); | ||
213 | if (!certificate) { | 210 | if (!certificate) { |
214 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 211 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); |
215 | return STATE_CRITICAL; | 212 | return STATE_CRITICAL; |
@@ -264,10 +261,18 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
264 | (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); | 261 | (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); |
265 | stamp.tm_isdst = -1; | 262 | stamp.tm_isdst = -1; |
266 | 263 | ||
267 | time_left = difftime(timegm(&stamp), time(NULL)); | 264 | tm_t = timegm(&stamp); |
265 | time_left = difftime(tm_t, time(NULL)); | ||
268 | days_left = time_left / 86400; | 266 | days_left = time_left / 86400; |
269 | tm_t = mktime (&stamp); | 267 | tz = getenv("TZ"); |
270 | strftime(timestamp, 50, "%c", localtime(&tm_t)); | 268 | setenv("TZ", "GMT", 1); |
269 | tzset(); | ||
270 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | ||
271 | if (tz) | ||
272 | setenv("TZ", tz, 1); | ||
273 | else | ||
274 | unsetenv("TZ"); | ||
275 | tzset(); | ||
271 | 276 | ||
272 | if (days_left > 0 && days_left <= days_till_exp_warn) { | 277 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
273 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); | 278 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); |
@@ -310,4 +315,16 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | |||
310 | # endif /* USE_OPENSSL */ | 315 | # endif /* USE_OPENSSL */ |
311 | } | 316 | } |
312 | 317 | ||
318 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | ||
319 | # ifdef USE_OPENSSL | ||
320 | X509 *certificate = NULL; | ||
321 | certificate=SSL_get_peer_certificate(s); | ||
322 | return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); | ||
323 | # else /* ifndef USE_OPENSSL */ | ||
324 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); | ||
325 | return STATE_WARNING; | ||
326 | # endif /* USE_OPENSSL */ | ||
327 | } | ||
328 | |||
329 | |||
313 | #endif /* HAVE_SSL */ | 330 | #endif /* HAVE_SSL */ |