*** nagios-plugins-1.4-beta1/plugins/check_http.c 2004-12-24 03:54:24.000000000 +0900
--- check_http.c 2005-01-26 15:31:53.374334612 +0900
***************
*** 66,71 ****
--- 66,73 ----
X509 *server_cert;
int connect_SSL (void);
int check_certificate (X509 **);
+ # define VERIFY_CERTIFICATE 10
+ # define CAFILE 11
#endif
int no_body = FALSE;
int maximum_age = -1;
***************
*** 111,116 ****
--- 113,123 ----
char *http_opt_headers;
int onredirect = STATE_OK;
int use_ssl = FALSE;
+ int verify_certificate = FALSE;
+ int use_cafile = FALSE;
+ int CAfile = FALSE;
+ int cert_verify_result;
+ char *trusted_ca_file=NULL;
int verbose = FALSE;
int sd;
int min_page_len = 0;
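Review bot: `int cert_verify_result;` is a file-scope object and is therefore zero-initialised, and 0 is `X509_V_OK`, so the never-assigned default reads as a successful verification; the only assignment in this patch happens in the branch where `SSL_get_peer_certificate` returns a certificate. The later check is only reachable after that branch as the patch stands, but a fail-open default is fragile under future edits; initialise it to a failure code, `int cert_verify_result = X509_V_ERR_APPLICATION_VERIFICATION;`. `int CAfile = FALSE;` is not referenced by any hunk shown here and looks like a leftover alongside `use_cafile`; drop it if nothing outside this diff uses it.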
***************
*** 206,211 ****
--- 213,220 ----
{"link", no_argument, 0, 'L'},
{"nohtml", no_argument, 0, 'n'},
{"ssl", no_argument, 0, 'S'},
+ {"certverify", no_argument, 0, VERIFY_CERTIFICATE},
+ {"CAfile", required_argument, 0, CAFILE},
{"verbose", no_argument, 0, 'v'},
{"post", required_argument, 0, 'P'},
{"IP-address", required_argument, 0, 'I'},
***************
*** 315,320 ****
--- 324,351 ----
usage4 (_("Invalid option - SSL is not available"));
#endif
break;
+ #ifdef HAVE_SSL
+ case VERIFY_CERTIFICATE :
+ use_ssl = TRUE;
+ verify_certificate = TRUE;
+ if (specify_port == FALSE)
+ server_port = HTTPS_PORT;
+ #else
+ usage4 (_("Invalid option - SSL is not available"));
+ #endif
+ break;
+
+ #ifdef HAVE_SSL
+ case CAFILE :
+ if (!verify_certificate) usage2(_("Verify Certificate option not enabled"),optarg);
+ use_cafile = TRUE;
+ trusted_ca_file = strdup (optarg);
+ #else
+ usage4 (_("Invalid option - SSL is not available"));
+ #endif
+ break;
+
+
case 'f': /* onredirect */
if (!strcmp (optarg, "follow"))
onredirect = STATE_DEPENDENT;
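Review bot: The `CAFILE` case makes option order significant: `--CAfile` given before `--certverify` hits `usage2(_("Verify Certificate option not enabled"),optarg)` and aborts, while the same options in the other order work, because `verify_certificate` is tested while the command line is still being parsed. A CA file is only meaningful for verification, so let `--CAfile` imply `--certverify` (SSL, the HTTPS default port and `verify_certificate`) and drop the ordering check; the `strdup` result is also unchecked, though that appears to match the surrounding option handling as far as it is visible. The enclosing switch starts and ends outside the hunk.
```c
    case CAFILE :
      /* a CA file is only meaningful with verification: imply --certverify */
      use_ssl = TRUE;
      verify_certificate = TRUE;
      use_cafile = TRUE;
      if (specify_port == FALSE)
        server_port = HTTPS_PORT;
      trusted_ca_file = strdup (optarg);
      /* … unchanged: #else usage4 branch and break … */
```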
***************
*** 732,738 ****
--- 763,771 ----
die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
}
+ SSL_get_peer_cert_chain(ssl); /* We don't really mind if there is no cert chain as only the peer cert is needed */
if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
+ cert_verify_result = SSL_get_verify_result( ssl );
X509_free (server_cert);
}
else {
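Review bot: `SSL_get_peer_cert_chain(ssl);` on the new side discards its return value and has no side effect, so the comment next to it describes an intent the line does not carry out; delete the line, or keep the `STACK_OF(X509) *` it returns if the chain is actually wanted later. `SSL_get_verify_result (ssl)` is the right source for the outcome, but it reports only the chain check against whatever trust store the context was given and says nothing about whether the certificate names the host being contacted; that gap needs closing wherever the result is consumed. The enclosing function continues on both sides of the hunk.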
***************
*** 740,745 ****
--- 773,785 ----
return STATE_CRITICAL;
}
+ if (verify_certificate) {
+ if (cert_verify_result != X509_V_OK) {
+ printf ("CRITICAL - Certificate error : %s\n", X509_verify_cert_error_string(cert_verify_result) );
+ return STATE_CRITICAL;
+ }
+ }
+
}
else {
#endif
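Review bot: The new `verify_certificate` check accepts any certificate that chains to a trusted CA, with no comparison of the certificate's subject CN or subjectAltName against the host being contacted, so a valid certificate issued to an unrelated name passes and the option does not actually defeat an on-path substitution. The OpenSSL releases contemporary with this patch offer no built-in hostname match, so it has to be done by hand on `server_cert` (CN via `X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert), NID_commonName, …)`, DNS SANs via `X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL)`), which also means `server_cert` must stay alive until this check runs; the `X509_free (server_cert)` in the preceding hunk currently releases it first. The `CRITICAL - Certificate error : %s` message is also the only new user-facing string printed without the `_()` wrapper the rest of the patch uses. The enclosing function continues outside the hunk.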
***************
*** 1191,1196 ****
--- 1231,1246 ----
return STATE_CRITICAL;
}
+ if (use_cafile) {
+ SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(trusted_ca_file));
+ if (!SSL_CTX_load_verify_locations(ctx, trusted_ca_file, NULL)) {
+ printf (_("CRITICAL - Cannot load CAfile.\n"));
+ }else {
+ SSL_CTX_set_default_verify_paths(ctx);
+ }
+ }
+
+
/* Initialize alarm signal handling */
signal (SIGALRM, socket_timeout_alarm_handler);
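Review bot: `--certverify` without `--CAfile` gets no trust anchors at all: `SSL_CTX_set_default_verify_paths` is reached only inside `if (use_cafile)` after the file has loaded, so the plain `--certverify` example in the help text can only ever report an issuer-lookup failure, and conversely when a CA file is supplied the default paths are added on top of it, widening trust beyond what the operator named. `SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(trusted_ca_file))` is the server-side API for advertising acceptable client-certificate CAs and has no bearing on verifying the peer here, and a failed `SSL_CTX_load_verify_locations` prints CRITICAL but carries on with the connection and a second line of output; use the `die (STATE_CRITICAL, …)` idiom this file already uses. The enclosing function continues outside the hunk.
```c
  if (verify_certificate) {
    if (use_cafile) {
      /* trust exactly the CAs named by --CAfile */
      if (!SSL_CTX_load_verify_locations (ctx, trusted_ca_file, NULL))
        die (STATE_CRITICAL, _("CRITICAL - Cannot load CAfile.\n"));
    }
    else if (!SSL_CTX_set_default_verify_paths (ctx)) {
      /* no file given: fall back to the system trust store */
      die (STATE_CRITICAL, _("CRITICAL - Cannot load default CA paths.\n"));
    }
  }
```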
***************
*** 1477,1482 ****
--- 1527,1540 ----
STATE_OK is returned. When the certificate is still valid, but for less than\n\
14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when\n\
the certificate is expired.\n"));
+
+ printf (_("\n\
+ CHECK CERTIFICATE VALIDITY: check_http www.myhost.com --certverify \n\n\
+ Checks to see the validity of a certificate, will return a critical on any \n\
+ certificate error including self signed, untrusted issuer, decryption errors\n\
+ or certificate revocation.\n\
+ Full list : http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS\n\n"));
+
#endif
printf (_(UT_SUPPORT));
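Review bot: The new help text promises a CRITICAL on "certificate revocation", but nothing in this patch loads a CRL or sets `X509_V_FLAG_CRL_CHECK` on the context's store, so revoked certificates go undetected unless code outside the diff does that; say what is checked, e.g. replace `or certificate revocation.\n\` with `or expiry; revocation (CRL/OCSP) is not checked.\n\`. The `--CAfile` option added by the same patch is not mentioned in the help at all; add a line such as `Use --CAfile <file> to name the PEM CA certificates to trust when verifying.\n\`. The enclosing usage function continues outside the hunk.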