summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c444
1 files changed, 286 insertions, 158 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6bc0ba81..0e6d7525 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,42 +1,43 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2 *
3* Monitoring Plugins SSL utilities 3 * Monitoring Plugins SSL utilities
4* 4 *
5* License: GPL 5 * License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6 * Copyright (c) 2005-2024 Monitoring Plugins Development Team
7* 7 *
8* Description: 8 * Description:
9* 9 *
10* This file contains common functions for plugins that require SSL. 10 * This file contains common functions for plugins that require SSL.
11* 11 *
12* 12 *
13* This program is free software: you can redistribute it and/or modify 13 * This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14 * it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15 * the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16 * (at your option) any later version.
17* 17 *
18* This program is distributed in the hope that it will be useful, 18 * This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21 * GNU General Public License for more details.
22* 22 *
23* You should have received a copy of the GNU General Public License 23 * You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25 *
26* 26 *
27*****************************************************************************/ 27 *****************************************************************************/
28 28
29#include "output.h"
29#define MAX_CN_LENGTH 256 30#define MAX_CN_LENGTH 256
30#include "common.h" 31#include "common.h"
31#include "netutils.h" 32#include "netutils.h"
33#include "../lib/monitoringplug.h"
34#include "states.h"
32 35
33#ifdef HAVE_SSL 36#ifdef HAVE_SSL
34static SSL_CTX *ctx=NULL; 37static SSL_CTX *ctx = NULL;
35static SSL *s=NULL; 38static SSL *s = NULL;
36 39
37int np_net_ssl_init(int sd) { 40int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38 return np_net_ssl_init_with_hostname(sd, NULL);
39}
40 41
41int np_net_ssl_init_with_hostname(int sd, char *host_name) { 42int np_net_ssl_init_with_hostname(int sd, char *host_name) {
42 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); 43 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
@@ -46,7 +47,8 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
46 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); 47 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
47} 48}
48 49
49int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert,
51 char *privkey) {
50 long options = 0; 52 long options = 0;
51 53
52 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { 54 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -59,272 +61,398 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
59 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); 61 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
60 return STATE_UNKNOWN; 62 return STATE_UNKNOWN;
61 case MP_SSLv3: /* SSLv3 protocol */ 63 case MP_SSLv3: /* SSLv3 protocol */
62#if defined(OPENSSL_NO_SSL3) 64# if defined(OPENSSL_NO_SSL3)
63 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); 65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
64 return STATE_UNKNOWN; 66 return STATE_UNKNOWN;
65#else 67# else
66 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 68 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); 69 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
68 break; 70 break;
69#endif 71# endif
70 case MP_TLSv1: /* TLSv1 protocol */ 72 case MP_TLSv1: /* TLSv1 protocol */
71#if defined(OPENSSL_NO_TLS1) 73# if defined(OPENSSL_NO_TLS1)
72 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); 74 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
73 return STATE_UNKNOWN; 75 return STATE_UNKNOWN;
74#else 76# else
75 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 77 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); 78 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77 break; 79 break;
78#endif 80# endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */ 81 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1) 82# if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 83 printf("%s\n",
84 _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN; 85 return STATE_UNKNOWN;
83#else 86# else
84 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 87 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); 88 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
86 break; 89 break;
87#endif 90# endif
88 case MP_TLSv1_2: /* TLSv1.2 protocol */ 91 case MP_TLSv1_2: /* TLSv1.2 protocol */
89#if !defined(SSL_OP_NO_TLSv1_2) 92# if !defined(SSL_OP_NO_TLSv1_2)
90 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 93 printf("%s\n",
94 _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
91 return STATE_UNKNOWN; 95 return STATE_UNKNOWN;
92#else 96# else
93 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 97 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); 98 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
95 break; 99 break;
96#endif 100# endif
97 case MP_TLSv1_2_OR_NEWER: 101 case MP_TLSv1_2_OR_NEWER:
98#if !defined(SSL_OP_NO_TLSv1_1) 102# if !defined(SSL_OP_NO_TLSv1_1)
99 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); 103 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
100 return STATE_UNKNOWN; 104 return STATE_UNKNOWN;
101#else 105# else
102 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 106 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103 break; 107 break;
104#endif 108# endif
105 case MP_TLSv1_1_OR_NEWER: 109 case MP_TLSv1_1_OR_NEWER:
106#if !defined(SSL_OP_NO_TLSv1) 110# if !defined(SSL_OP_NO_TLSv1)
107 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); 111 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
108 return STATE_UNKNOWN; 112 return STATE_UNKNOWN;
109#else 113# else
110 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 114 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111 break; 115 break;
112#endif 116# endif
113 case MP_TLSv1_OR_NEWER: 117 case MP_TLSv1_OR_NEWER:
114#if defined(SSL_OP_NO_SSLv3) 118# if defined(SSL_OP_NO_SSLv3)
115 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 119 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116 break; 120 break;
117#endif 121# endif
118 case MP_SSLv3_OR_NEWER: 122 case MP_SSLv3_OR_NEWER:
119#if defined(SSL_OP_NO_SSLv2) 123# if defined(SSL_OP_NO_SSLv2)
120 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 124 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121 break; 125 break;
122#endif 126# endif
123 } 127 }
124 128
125 if (cert && privkey) { 129 if (cert && privkey) {
126#ifdef USE_OPENSSL 130# ifdef USE_OPENSSL
127 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { 131 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128#elif USE_GNUTLS 132# elif USE_GNUTLS
129 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { 133 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130#else 134# else
131#error Unported for unknown SSL library 135# error Unported for unknown SSL library
132#endif 136# endif
133 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); 137 printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134 return STATE_CRITICAL; 138 return STATE_CRITICAL;
135 } 139 }
136 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); 140 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137#ifdef USE_OPENSSL 141# ifdef USE_OPENSSL
138 if (!SSL_CTX_check_private_key(ctx)) { 142 if (!SSL_CTX_check_private_key(ctx)) {
139 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); 143 printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
140 return STATE_CRITICAL; 144 return STATE_CRITICAL;
141 } 145 }
142#endif 146# endif
143 } 147 }
144#ifdef SSL_OP_NO_TICKET 148# ifdef SSL_OP_NO_TICKET
145 options |= SSL_OP_NO_TICKET; 149 options |= SSL_OP_NO_TICKET;
146#endif 150# endif
147 SSL_CTX_set_options(ctx, options); 151 SSL_CTX_set_options(ctx, options);
148 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 152 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
149 if ((s = SSL_new(ctx)) != NULL) { 153 if ((s = SSL_new(ctx)) != NULL) {
150#ifdef SSL_set_tlsext_host_name 154# ifdef SSL_set_tlsext_host_name
151 if (host_name != NULL) 155 if (host_name != NULL) {
152 SSL_set_tlsext_host_name(s, host_name); 156 SSL_set_tlsext_host_name(s, host_name);
153#endif 157 }
158# endif
154 SSL_set_fd(s, sd); 159 SSL_set_fd(s, sd);
155 if (SSL_connect(s) == 1) { 160 if (SSL_connect(s) == 1) {
156 return OK; 161 return OK;
157 } else { 162 } else {
158 printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); 163 printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
159# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ 164# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
160 ERR_print_errors_fp(stdout); 165 ERR_print_errors_fp(stdout);
161# endif /* USE_OPENSSL */ 166# endif /* USE_OPENSSL */
162 } 167 }
163 } else { 168 } else {
164 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); 169 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
165 } 170 }
166 return STATE_CRITICAL; 171 return STATE_CRITICAL;
167} 172}
168 173
169void np_net_ssl_cleanup() { 174void np_net_ssl_cleanup() {
170 if (s) { 175 if (s) {
171#ifdef SSL_set_tlsext_host_name 176# ifdef SSL_set_tlsext_host_name
172 SSL_set_tlsext_host_name(s, NULL); 177 SSL_set_tlsext_host_name(s, NULL);
173#endif 178# endif
174 SSL_shutdown(s); 179 SSL_shutdown(s);
175 SSL_free(s); 180 SSL_free(s);
176 if (ctx) { 181 if (ctx) {
177 SSL_CTX_free(ctx); 182 SSL_CTX_free(ctx);
178 ctx=NULL; 183 ctx = NULL;
179 } 184 }
180 s=NULL; 185 s = NULL;
181 } 186 }
182} 187}
183 188
184int np_net_ssl_write(const void *buf, int num) { 189int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
185 return SSL_write(s, buf, num);
186}
187
188int np_net_ssl_read(void *buf, int num) {
189 return SSL_read(s, buf, num);
190}
191 190
192int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ 191int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
193# ifdef USE_OPENSSL
194 X509_NAME *subj=NULL;
195 char timestamp[50] = "";
196 char cn[MAX_CN_LENGTH]= "";
197 char *tz;
198
199 int cnlen =-1;
200 int status=STATE_UNKNOWN;
201
202 ASN1_STRING *tm;
203 int offset;
204 struct tm stamp;
205 float time_left;
206 int days_left;
207 int time_remaining;
208 time_t tm_t;
209 192
193mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
194 int days_till_exp_crit) {
195# ifdef USE_OPENSSL
210 if (!certificate) { 196 if (!certificate) {
211 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 197 printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
212 return STATE_CRITICAL; 198 return STATE_CRITICAL;
213 } 199 }
214 200
215 /* Extract CN from certificate subject */ 201 /* Extract CN from certificate subject */
216 subj=X509_get_subject_name(certificate); 202 X509_NAME *subj = X509_get_subject_name(certificate);
217 203
218 if (!subj) { 204 if (!subj) {
219 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); 205 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
220 return STATE_CRITICAL; 206 return STATE_CRITICAL;
221 } 207 }
222 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); 208
223 if (cnlen == -1) 209 char cn[MAX_CN_LENGTH] = "";
210 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
211 if (cnlen == -1) {
224 strcpy(cn, _("Unknown CN")); 212 strcpy(cn, _("Unknown CN"));
213 }
225 214
226 /* Retrieve timestamp of certificate */ 215 /* Retrieve timestamp of certificate */
227 tm = X509_get_notAfter(certificate); 216 ASN1_STRING *tm = X509_get_notAfter(certificate);
228 217
218 int offset = 0;
219 struct tm stamp = {};
229 /* Generate tm structure to process timestamp */ 220 /* Generate tm structure to process timestamp */
230 if (tm->type == V_ASN1_UTCTIME) { 221 if (tm->type == V_ASN1_UTCTIME) {
231 if (tm->length < 10) { 222 if (tm->length < 10) {
232 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 223 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
233 return STATE_CRITICAL; 224 return STATE_CRITICAL;
234 } else {
235 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
236 if (stamp.tm_year < 50)
237 stamp.tm_year += 100;
238 offset = 0;
239 } 225 }
226 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
227 if (stamp.tm_year < 50) {
228 stamp.tm_year += 100;
229 }
230 offset = 0;
231
240 } else { 232 } else {
241 if (tm->length < 12) { 233 if (tm->length < 12) {
242 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 234 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
243 return STATE_CRITICAL; 235 return STATE_CRITICAL;
244 } else {
245 stamp.tm_year =
246 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
247 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
248 stamp.tm_year -= 1900;
249 offset = 2;
250 } 236 }
237 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
238 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
239 stamp.tm_year -= 1900;
240 offset = 2;
251 } 241 }
252 stamp.tm_mon = 242 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
253 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; 243 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
254 stamp.tm_mday = 244 stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
255 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); 245 stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
256 stamp.tm_hour = 246 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
257 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
258 stamp.tm_min =
259 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
260 stamp.tm_sec =
261 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
262 stamp.tm_isdst = -1; 247 stamp.tm_isdst = -1;
263 248
264 tm_t = timegm(&stamp); 249 time_t tm_t = timegm(&stamp);
265 time_left = difftime(tm_t, time(NULL)); 250 float time_left = difftime(tm_t, time(NULL));
266 days_left = time_left / 86400; 251 int days_left = time_left / 86400;
267 tz = getenv("TZ"); 252 char *tz = getenv("TZ");
268 setenv("TZ", "GMT", 1); 253 setenv("TZ", "GMT", 1);
269 tzset(); 254 tzset();
255
256 char timestamp[50] = "";
270 strftime(timestamp, 50, "%c %z", localtime(&tm_t)); 257 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
271 if (tz) 258 if (tz) {
272 setenv("TZ", tz, 1); 259 setenv("TZ", tz, 1);
273 else 260 } else {
274 unsetenv("TZ"); 261 unsetenv("TZ");
262 }
263
275 tzset(); 264 tzset();
276 265
266 int time_remaining;
267 mp_state_enum status = STATE_UNKNOWN;
277 if (days_left > 0 && days_left <= days_till_exp_warn) { 268 if (days_left > 0 && days_left <= days_till_exp_warn) {
278 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 269 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
279 if (days_left > days_till_exp_crit) 270 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
271 if (days_left > days_till_exp_crit) {
280 status = STATE_WARNING; 272 status = STATE_WARNING;
281 else 273 } else {
282 status = STATE_CRITICAL; 274 status = STATE_CRITICAL;
275 }
283 } else if (days_left == 0 && time_left > 0) { 276 } else if (days_left == 0 && time_left > 0) {
284 if (time_left >= 3600) 277 if (time_left >= 3600) {
285 time_remaining = (int) time_left / 3600; 278 time_remaining = (int)time_left / 3600;
286 else 279 } else {
287 time_remaining = (int) time_left / 60; 280 time_remaining = (int)time_left / 60;
281 }
288 282
289 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), 283 printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
290 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, 284 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
291 time_left >= 3600 ? "hours" : "minutes", timestamp); 285 time_left >= 3600 ? "hours" : "minutes", timestamp);
292 286
293 if ( days_left > days_till_exp_crit) 287 if (days_left > days_till_exp_crit) {
294 status = STATE_WARNING; 288 status = STATE_WARNING;
295 else 289 } else {
296 status = STATE_CRITICAL; 290 status = STATE_CRITICAL;
291 }
297 } else if (time_left < 0) { 292 } else if (time_left < 0) {
298 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 293 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
299 status=STATE_CRITICAL; 294 status = STATE_CRITICAL;
300 } else if (days_left == 0) { 295 } else if (days_left == 0) {
301 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); 296 printf(_("%s - Certificate '%s' just expired (%s).\n"),
302 if (days_left > days_till_exp_crit) 297 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
298 if (days_left > days_till_exp_crit) {
303 status = STATE_WARNING; 299 status = STATE_WARNING;
304 else 300 } else {
305 status = STATE_CRITICAL; 301 status = STATE_CRITICAL;
302 }
306 } else { 303 } else {
307 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); 304 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
308 status = STATE_OK; 305 status = STATE_OK;
309 } 306 }
310 X509_free(certificate); 307 X509_free(certificate);
311 return status; 308 return status;
312# else /* ifndef USE_OPENSSL */ 309# else /* ifndef USE_OPENSSL */
313 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 310 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
314 return STATE_WARNING; 311 return STATE_WARNING;
315# endif /* USE_OPENSSL */ 312# endif /* USE_OPENSSL */
316} 313}
317 314
318int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 315mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
319# ifdef USE_OPENSSL 316# ifdef USE_OPENSSL
320 X509 *certificate = NULL; 317 X509 *certificate = NULL;
321 certificate=SSL_get_peer_certificate(s); 318 certificate = SSL_get_peer_certificate(s);
322 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); 319 return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
323# else /* ifndef USE_OPENSSL */ 320# else /* ifndef USE_OPENSSL */
324 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 321 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325 return STATE_WARNING; 322 return STATE_WARNING;
326# endif /* USE_OPENSSL */ 323# endif /* USE_OPENSSL */
327} 324}
328 325
326mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
327 int days_till_exp_crit) {
328 mp_subcheck sc_cert = mp_subcheck_init();
329# ifdef USE_OPENSSL
330 if (!certificate) {
331 xasprintf(&sc_cert.output, _("No server certificate present to inspect"));
332 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
333 return sc_cert;
334 }
335
336 /* Extract CN from certificate subject */
337 X509_NAME *subj = X509_get_subject_name(certificate);
338
339 if (!subj) {
340 xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject"));
341 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
342 return sc_cert;
343 }
344
345 char commonName[MAX_CN_LENGTH] = "";
346 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName));
347 if (cnlen == -1) {
348 strcpy(commonName, _("Unknown CN"));
349 }
329 350
351 /* Retrieve timestamp of certificate */
352 ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate);
353
354 int offset = 0;
355 struct tm stamp = {};
356 /* Generate tm structure to process timestamp */
357 if (expiry_timestamp->type == V_ASN1_UTCTIME) {
358 if (expiry_timestamp->length < 10) {
359 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
360 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
361 return sc_cert;
362 }
363
364 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0');
365 if (stamp.tm_year < 50) {
366 stamp.tm_year += 100;
367 }
368
369 offset = 0;
370 } else {
371 if (expiry_timestamp->length < 12) {
372 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
373 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
374 return sc_cert;
375 }
376 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 +
377 (expiry_timestamp->data[1] - '0') * 100 +
378 (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0');
379 stamp.tm_year -= 1900;
380 offset = 2;
381 }
382
383 stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 +
384 (expiry_timestamp->data[3 + offset] - '0') - 1;
385 stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 +
386 (expiry_timestamp->data[5 + offset] - '0');
387 stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 +
388 (expiry_timestamp->data[7 + offset] - '0');
389 stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 +
390 (expiry_timestamp->data[9 + offset] - '0');
391 stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 +
392 (expiry_timestamp->data[11 + offset] - '0');
393 stamp.tm_isdst = -1;
394
395 time_t tm_t = timegm(&stamp);
396 double time_left = difftime(tm_t, time(NULL));
397 int days_left = (int)(time_left / 86400);
398 char *timeZone = getenv("TZ");
399 setenv("TZ", "GMT", 1);
400 tzset();
401
402 char timestamp[50] = "";
403 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
404 if (timeZone) {
405 setenv("TZ", timeZone, 1);
406 } else {
407 unsetenv("TZ");
408 }
409
410 tzset();
411
412 int time_remaining;
413 if (days_left > 0 && days_left <= days_till_exp_warn) {
414 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName,
415 days_left, timestamp);
416 if (days_left > days_till_exp_crit) {
417 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
418 } else {
419 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
420 }
421 } else if (days_left == 0 && time_left > 0) {
422 if (time_left >= 3600) {
423 time_remaining = (int)time_left / 3600;
424 } else {
425 time_remaining = (int)time_left / 60;
426 }
427
428 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName,
429 time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
430
431 if (days_left > days_till_exp_crit) {
432 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
433 } else {
434 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
435 }
436 } else if (time_left < 0) {
437 xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp);
438 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
439 } else if (days_left == 0) {
440 xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp);
441 if (days_left > days_till_exp_crit) {
442 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
443 } else {
444 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
445 }
446 } else {
447 xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp);
448 sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK);
449 }
450 X509_free(certificate);
451 return sc_cert;
452# else /* ifndef USE_OPENSSL */
453 xasprintf(&sc_cert.output, _("Plugin does not support checking certificates"));
454 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
455 return sc_cert;
456# endif /* USE_OPENSSL */
457}
330#endif /* HAVE_SSL */ 458#endif /* HAVE_SSL */