summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c162
1 files changed, 124 insertions, 38 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index d0ae4741..14f6579d 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,29 +1,29 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2*
3* Monitoring Plugins SSL utilities 3* Monitoring Plugins SSL utilities
4* 4*
5* License: GPL 5* License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7* 7*
8* Description: 8* Description:
9* 9*
10* This file contains common functions for plugins that require SSL. 10* This file contains common functions for plugins that require SSL.
11* 11*
12* 12*
13* This program is free software: you can redistribute it and/or modify 13* This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14* it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15* the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16* (at your option) any later version.
17* 17*
18* This program is distributed in the hope that it will be useful, 18* This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19* but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21* GNU General Public License for more details.
22* 22*
23* You should have received a copy of the GNU General Public License 23* You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24* along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25*
26* 26*
27*****************************************************************************/ 27*****************************************************************************/
28 28
29#define MAX_CN_LENGTH 256 29#define MAX_CN_LENGTH 256
@@ -48,29 +48,79 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
48} 48}
49 49
50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
51 SSL_METHOD *method = NULL; 51 const SSL_METHOD *method = NULL;
52 long options = 0;
52 53
53 switch (version) { 54 switch (version) {
54 case 0: /* Deafult to auto negotiation */ 55 case MP_SSLv2: /* SSLv2 protocol */
55 method = SSLv23_client_method();
56 break;
57 case 1: /* TLSv1 protocol */
58 method = TLSv1_client_method();
59 break;
60 case 2: /* SSLv2 protocol */
61#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) 56#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
62 printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); 57 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
63 return STATE_CRITICAL; 58 return STATE_UNKNOWN;
64#else 59#else
65 method = SSLv2_client_method(); 60 method = SSLv2_client_method();
66#endif
67 break; 61 break;
68 case 3: /* SSLv3 protocol */ 62#endif
63 case MP_SSLv3: /* SSLv3 protocol */
64#if defined(OPENSSL_NO_SSL3)
65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66 return STATE_UNKNOWN;
67#else
69 method = SSLv3_client_method(); 68 method = SSLv3_client_method();
70 break; 69 break;
71 default: /* Unsupported */ 70#endif
72 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); 71 case MP_TLSv1: /* TLSv1 protocol */
73 return STATE_CRITICAL; 72#if defined(OPENSSL_NO_TLS1)
73 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74 return STATE_UNKNOWN;
75#else
76 method = TLSv1_client_method();
77 break;
78#endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN;
83#else
84 method = TLSv1_1_client_method();
85 break;
86#endif
87 case MP_TLSv1_2: /* TLSv1.2 protocol */
88#if !defined(SSL_OP_NO_TLSv1_2)
89 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90 return STATE_UNKNOWN;
91#else
92 method = TLSv1_2_client_method();
93 break;
94#endif
95 case MP_TLSv1_2_OR_NEWER:
96#if !defined(SSL_OP_NO_TLSv1_1)
97 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98 return STATE_UNKNOWN;
99#else
100 options |= SSL_OP_NO_TLSv1_1;
101#endif
102 /* FALLTHROUGH */
103 case MP_TLSv1_1_OR_NEWER:
104#if !defined(SSL_OP_NO_TLSv1)
105 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106 return STATE_UNKNOWN;
107#else
108 options |= SSL_OP_NO_TLSv1;
109#endif
110 /* FALLTHROUGH */
111 case MP_TLSv1_OR_NEWER:
112#if defined(SSL_OP_NO_SSLv3)
113 options |= SSL_OP_NO_SSLv3;
114#endif
115 /* FALLTHROUGH */
116 case MP_SSLv3_OR_NEWER:
117#if defined(SSL_OP_NO_SSLv2)
118 options |= SSL_OP_NO_SSLv2;
119#endif
120 case MP_SSLv2_OR_NEWER:
121 /* FALLTHROUGH */
122 default: /* Default to auto negotiation */
123 method = SSLv23_client_method();
74 } 124 }
75 if (!initialized) { 125 if (!initialized) {
76 /* Initialize SSL context */ 126 /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
94#endif 144#endif
95 } 145 }
96#ifdef SSL_OP_NO_TICKET 146#ifdef SSL_OP_NO_TICKET
97 SSL_CTX_set_options(c, SSL_OP_NO_TICKET); 147 options |= SSL_OP_NO_TICKET;
98#endif 148#endif
149 SSL_CTX_set_options(c, options);
99 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); 150 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
100 if ((s = SSL_new(c)) != NULL) { 151 if ((s = SSL_new(c)) != NULL) {
101#ifdef SSL_set_tlsext_host_name 152#ifdef SSL_set_tlsext_host_name
@@ -142,9 +193,22 @@ int np_net_ssl_read(void *buf, int num) {
142 193
143int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 194int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
144# ifdef USE_OPENSSL 195# ifdef USE_OPENSSL
145 X509 *certificate=NULL; 196 X509 *certificate = NULL;
197 certificate=SSL_get_peer_certificate(s);
198 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
199# else /* ifndef USE_OPENSSL */
200 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
201 return STATE_WARNING;
202# endif /* USE_OPENSSL */
203}
204
205int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
206# ifdef USE_OPENSSL
146 X509_NAME *subj=NULL; 207 X509_NAME *subj=NULL;
208 char timestamp[50] = "";
147 char cn[MAX_CN_LENGTH]= ""; 209 char cn[MAX_CN_LENGTH]= "";
210 char *tz;
211
148 int cnlen =-1; 212 int cnlen =-1;
149 int status=STATE_UNKNOWN; 213 int status=STATE_UNKNOWN;
150 214
@@ -153,10 +217,9 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
153 struct tm stamp; 217 struct tm stamp;
154 float time_left; 218 float time_left;
155 int days_left; 219 int days_left;
156 char timestamp[50] = ""; 220 int time_remaining;
157 time_t tm_t; 221 time_t tm_t;
158 222
159 certificate=SSL_get_peer_certificate(s);
160 if (!certificate) { 223 if (!certificate) {
161 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 224 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
162 return STATE_CRITICAL; 225 return STATE_CRITICAL;
@@ -207,32 +270,55 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
207 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); 270 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
208 stamp.tm_min = 271 stamp.tm_min =
209 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); 272 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
210 stamp.tm_sec = 0; 273 stamp.tm_sec =
274 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
211 stamp.tm_isdst = -1; 275 stamp.tm_isdst = -1;
212 276
213 time_left = difftime(timegm(&stamp), time(NULL)); 277 tm_t = timegm(&stamp);
278 time_left = difftime(tm_t, time(NULL));
214 days_left = time_left / 86400; 279 days_left = time_left / 86400;
215 tm_t = mktime (&stamp); 280 tz = getenv("TZ");
216 strftime(timestamp, 50, "%c", localtime(&tm_t)); 281 setenv("TZ", "GMT", 1);
282 tzset();
283 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
284 if (tz)
285 setenv("TZ", tz, 1);
286 else
287 unsetenv("TZ");
288 tzset();
217 289
218 if (days_left > 0 && days_left <= days_till_exp_warn) { 290 if (days_left > 0 && days_left <= days_till_exp_warn) {
219 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 291 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
220 if (days_left > days_till_exp_crit) 292 if (days_left > days_till_exp_crit)
221 return STATE_WARNING; 293 status = STATE_WARNING;
222 else 294 else
223 return STATE_CRITICAL; 295 status = STATE_CRITICAL;
296 } else if (days_left == 0 && time_left > 0) {
297 if (time_left >= 3600)
298 time_remaining = (int) time_left / 3600;
299 else
300 time_remaining = (int) time_left / 60;
301
302 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
303 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
304 time_left >= 3600 ? "hours" : "minutes", timestamp);
305
306 if ( days_left > days_till_exp_crit)
307 status = STATE_WARNING;
308 else
309 status = STATE_CRITICAL;
224 } else if (time_left < 0) { 310 } else if (time_left < 0) {
225 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 311 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
226 status=STATE_CRITICAL; 312 status=STATE_CRITICAL;
227 } else if (days_left == 0) { 313 } else if (days_left == 0) {
228 printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); 314 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
229 if (days_left > days_till_exp_crit) 315 if (days_left > days_till_exp_crit)
230 return STATE_WARNING; 316 status = STATE_WARNING;
231 else 317 else
232 return STATE_CRITICAL; 318 status = STATE_CRITICAL;
233 } else { 319 } else {
234 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); 320 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
235 status=STATE_OK; 321 status = STATE_OK;
236 } 322 }
237 X509_free(certificate); 323 X509_free(certificate);
238 return status; 324 return status;