summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c135
1 files changed, 76 insertions, 59 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 4f9c793c..6bc0ba81 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2*
3* Monitoring Plugins SSL utilities 3* Monitoring Plugins SSL utilities
4* 4*
5* License: GPL 5* License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7* 7*
8* Description: 8* Description:
9* 9*
10* This file contains common functions for plugins that require SSL. 10* This file contains common functions for plugins that require SSL.
11* 11*
12* 12*
13* This program is free software: you can redistribute it and/or modify 13* This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14* it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15* the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16* (at your option) any later version.
17* 17*
18* This program is distributed in the hope that it will be useful, 18* This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19* but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21* GNU General Public License for more details.
22* 22*
23* You should have received a copy of the GNU General Public License 23* You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24* along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25*
26* 26*
27*****************************************************************************/ 27*****************************************************************************/
28 28
29#define MAX_CN_LENGTH 256 29#define MAX_CN_LENGTH 256
@@ -31,9 +31,8 @@
31#include "netutils.h" 31#include "netutils.h"
32 32
33#ifdef HAVE_SSL 33#ifdef HAVE_SSL
34static SSL_CTX *c=NULL; 34static SSL_CTX *ctx=NULL;
35static SSL *s=NULL; 35static SSL *s=NULL;
36static int initialized=0;
37 36
38int np_net_ssl_init(int sd) { 37int np_net_ssl_init(int sd) {
39 return np_net_ssl_init_with_hostname(sd, NULL); 38 return np_net_ssl_init_with_hostname(sd, NULL);
@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
48} 47}
49 48
50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 49int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
51 SSL_METHOD *method = NULL;
52 long options = 0; 50 long options = 0;
53 51
52 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
53 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
54 return STATE_CRITICAL;
55 }
56
54 switch (version) { 57 switch (version) {
55 case MP_SSLv2: /* SSLv2 protocol */ 58 case MP_SSLv2: /* SSLv2 protocol */
56#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
57 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); 59 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
58 return STATE_UNKNOWN; 60 return STATE_UNKNOWN;
59#else
60 method = SSLv2_client_method();
61 break;
62#endif
63 case MP_SSLv3: /* SSLv3 protocol */ 61 case MP_SSLv3: /* SSLv3 protocol */
64#if defined(OPENSSL_NO_SSL3) 62#if defined(OPENSSL_NO_SSL3)
65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); 63 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66 return STATE_UNKNOWN; 64 return STATE_UNKNOWN;
67#else 65#else
68 method = SSLv3_client_method(); 66 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
69 break; 68 break;
70#endif 69#endif
71 case MP_TLSv1: /* TLSv1 protocol */ 70 case MP_TLSv1: /* TLSv1 protocol */
@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
73 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); 72 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74 return STATE_UNKNOWN; 73 return STATE_UNKNOWN;
75#else 74#else
76 method = TLSv1_client_method(); 75 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77 break; 77 break;
78#endif 78#endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */ 79 case MP_TLSv1_1: /* TLSv1.1 protocol */
@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN; 82 return STATE_UNKNOWN;
83#else 83#else
84 method = TLSv1_1_client_method(); 84 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
85 break; 86 break;
86#endif 87#endif
87 case MP_TLSv1_2: /* TLSv1.2 protocol */ 88 case MP_TLSv1_2: /* TLSv1.2 protocol */
@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
89 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 90 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90 return STATE_UNKNOWN; 91 return STATE_UNKNOWN;
91#else 92#else
92 method = TLSv1_2_client_method(); 93 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
93 break; 95 break;
94#endif 96#endif
95 case MP_TLSv1_2_OR_NEWER: 97 case MP_TLSv1_2_OR_NEWER:
@@ -97,47 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
97 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); 99 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98 return STATE_UNKNOWN; 100 return STATE_UNKNOWN;
99#else 101#else
100 options |= SSL_OP_NO_TLSv1_1; 102 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103 break;
101#endif 104#endif
102 /* FALLTHROUGH */
103 case MP_TLSv1_1_OR_NEWER: 105 case MP_TLSv1_1_OR_NEWER:
104#if !defined(SSL_OP_NO_TLSv1) 106#if !defined(SSL_OP_NO_TLSv1)
105 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); 107 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106 return STATE_UNKNOWN; 108 return STATE_UNKNOWN;
107#else 109#else
108 options |= SSL_OP_NO_TLSv1; 110 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111 break;
109#endif 112#endif
110 /* FALLTHROUGH */
111 case MP_TLSv1_OR_NEWER: 113 case MP_TLSv1_OR_NEWER:
112#if defined(SSL_OP_NO_SSLv3) 114#if defined(SSL_OP_NO_SSLv3)
113 options |= SSL_OP_NO_SSLv3; 115 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116 break;
114#endif 117#endif
115 /* FALLTHROUGH */
116 case MP_SSLv3_OR_NEWER: 118 case MP_SSLv3_OR_NEWER:
117#if defined(SSL_OP_NO_SSLv2) 119#if defined(SSL_OP_NO_SSLv2)
118 options |= SSL_OP_NO_SSLv2; 120 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121 break;
119#endif 122#endif
120 case MP_SSLv2_OR_NEWER:
121 /* FALLTHROUGH */
122 default: /* Default to auto negotiation */
123 method = SSLv23_client_method();
124 }
125 if (!initialized) {
126 /* Initialize SSL context */
127 SSLeay_add_ssl_algorithms();
128 SSL_load_error_strings();
129 OpenSSL_add_all_algorithms();
130 initialized = 1;
131 }
132 if ((c = SSL_CTX_new(method)) == NULL) {
133 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
134 return STATE_CRITICAL;
135 } 123 }
124
136 if (cert && privkey) { 125 if (cert && privkey) {
137 SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
138 SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
139#ifdef USE_OPENSSL 126#ifdef USE_OPENSSL
140 if (!SSL_CTX_check_private_key(c)) { 127 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128#elif USE_GNUTLS
129 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130#else
131#error Unported for unknown SSL library
132#endif
133 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134 return STATE_CRITICAL;
135 }
136 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137#ifdef USE_OPENSSL
138 if (!SSL_CTX_check_private_key(ctx)) {
141 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); 139 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
142 return STATE_CRITICAL; 140 return STATE_CRITICAL;
143 } 141 }
@@ -146,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
146#ifdef SSL_OP_NO_TICKET 144#ifdef SSL_OP_NO_TICKET
147 options |= SSL_OP_NO_TICKET; 145 options |= SSL_OP_NO_TICKET;
148#endif 146#endif
149 SSL_CTX_set_options(c, options); 147 SSL_CTX_set_options(ctx, options);
150 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); 148 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
151 if ((s = SSL_new(c)) != NULL) { 149 if ((s = SSL_new(ctx)) != NULL) {
152#ifdef SSL_set_tlsext_host_name 150#ifdef SSL_set_tlsext_host_name
153 if (host_name != NULL) 151 if (host_name != NULL)
154 SSL_set_tlsext_host_name(s, host_name); 152 SSL_set_tlsext_host_name(s, host_name);
@@ -175,9 +173,9 @@ void np_net_ssl_cleanup() {
175#endif 173#endif
176 SSL_shutdown(s); 174 SSL_shutdown(s);
177 SSL_free(s); 175 SSL_free(s);
178 if (c) { 176 if (ctx) {
179 SSL_CTX_free(c); 177 SSL_CTX_free(ctx);
180 c=NULL; 178 ctx=NULL;
181 } 179 }
182 s=NULL; 180 s=NULL;
183 } 181 }
@@ -191,13 +189,13 @@ int np_net_ssl_read(void *buf, int num) {
191 return SSL_read(s, buf, num); 189 return SSL_read(s, buf, num);
192} 190}
193 191
194int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 192int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
195# ifdef USE_OPENSSL 193# ifdef USE_OPENSSL
196 X509 *certificate=NULL;
197 X509_NAME *subj=NULL; 194 X509_NAME *subj=NULL;
198 char timestamp[50] = ""; 195 char timestamp[50] = "";
199 char cn[MAX_CN_LENGTH]= ""; 196 char cn[MAX_CN_LENGTH]= "";
200 197 char *tz;
198
201 int cnlen =-1; 199 int cnlen =-1;
202 int status=STATE_UNKNOWN; 200 int status=STATE_UNKNOWN;
203 201
@@ -209,7 +207,6 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
209 int time_remaining; 207 int time_remaining;
210 time_t tm_t; 208 time_t tm_t;
211 209
212 certificate=SSL_get_peer_certificate(s);
213 if (!certificate) { 210 if (!certificate) {
214 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 211 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
215 return STATE_CRITICAL; 212 return STATE_CRITICAL;
@@ -264,10 +261,18 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
264 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); 261 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
265 stamp.tm_isdst = -1; 262 stamp.tm_isdst = -1;
266 263
267 time_left = difftime(timegm(&stamp), time(NULL)); 264 tm_t = timegm(&stamp);
265 time_left = difftime(tm_t, time(NULL));
268 days_left = time_left / 86400; 266 days_left = time_left / 86400;
269 tm_t = mktime (&stamp); 267 tz = getenv("TZ");
270 strftime(timestamp, 50, "%c", localtime(&tm_t)); 268 setenv("TZ", "GMT", 1);
269 tzset();
270 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
271 if (tz)
272 setenv("TZ", tz, 1);
273 else
274 unsetenv("TZ");
275 tzset();
271 276
272 if (days_left > 0 && days_left <= days_till_exp_warn) { 277 if (days_left > 0 && days_left <= days_till_exp_warn) {
273 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 278 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
@@ -310,4 +315,16 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
310# endif /* USE_OPENSSL */ 315# endif /* USE_OPENSSL */
311} 316}
312 317
318int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
319# ifdef USE_OPENSSL
320 X509 *certificate = NULL;
321 certificate=SSL_get_peer_certificate(s);
322 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
323# else /* ifndef USE_OPENSSL */
324 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325 return STATE_WARNING;
326# endif /* USE_OPENSSL */
327}
328
329
313#endif /* HAVE_SSL */ 330#endif /* HAVE_SSL */