Diffstat (limited to 'plugins')
-rw-r--r--plugins/check_curl.c47
1 files changed, 41 insertions, 6 deletions
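--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -531,24 +531,59 @@ check_http (void)
  if (use_ssl == TRUE) {
  if (check_cert == TRUE) {
  if (is_openssl_callback) {
-#ifdef HAVE_SSL
+#ifdef USE_OPENSSL
  /* check certificate with OpenSSL functions, curl has been built against OpenSSL
  * and we actually have OpenSSL in the monitoring tools
  */
  result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
  return result;
-#else /* HAVE_SSL */
+#else /* USE_OPENSSL */
  die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
-#endif /* HAVE_SSL */
+#endif /* USE_OPENSSL */
  } else {
- /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
- * so we use the libcurl CURLINFO data
- */
+ int i;
+ struct curl_slist *slist;
+
  cert_ptr.to_info = NULL;
  res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
  if (!res && cert_ptr.to_info) {
+#ifdef USE_OPENSSL
+ /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
+ * We only check the first certificate and assume it's the one of the server
+ */
+ const char* raw_cert = NULL;
+ for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
+ for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
+ if (verbose >= 2)
+ printf ("%d ** %s\n", i, slist->data);
+ if (strncmp (slist->data, "Cert:", 5) == 0) {
+ raw_cert = &slist->data[5];
+ goto GOT_FIRST_CERT;
+ }
+ }
+ }
+GOT_FIRST_CERT:
+ if (!raw_cert) {
+ snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
+ die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+ }
+ BIO* cert_BIO = BIO_new (BIO_s_mem());
+ BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
+ cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
+ if (!cert) {
+ snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
+ die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+ }
+ BIO_free (cert_BIO);
+ result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+ return result;
+#else /* USE_OPENSSL */
+ /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+ * so we use the libcurl CURLINFO data
+ */
  result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
  return result;
+#endif /* USE_OPENSSL */
  } else {
  snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
  res, curl_easy_strerror(res));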
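Review bot: In the new `USE_OPENSSL` branch the return values of `BIO_new (BIO_s_mem())` and `BIO_write` are never checked, so an allocation failure or short write only shows up indirectly when `PEM_read_bio_X509` fails, and is then reported as a certificate problem ("BIO error"). Check both before parsing, e.g. `if (!cert_BIO || BIO_write (cert_BIO, raw_cert, strlen(raw_cert)) <= 0) die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", _("Cannot buffer certificate data"));`. The branch also takes the first `Cert:` entry in CERTINFO to be the server's own certificate, as its comment says. It would help to extend that comment to say this depends on the order in which libcurl reports the chain and that, apparently, only this one certificate is passed to the expiry check. `check_http` begins and ends outside the hunk.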