diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/check_ldap.c nagios-plugins-1.4.16-check_ldap_certificate/plugins/check_ldap.c
--- nagios-plugins-1.4.16/plugins/check_ldap.c 2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/check_ldap.c 2012-07-06 12:57:15.562316155 +0200
@@ -72,6 +72,9 @@
int ssl_on_connect = FALSE;
int verbose = 0;
+int check_cert = FALSE;
+int days_till_exp_warn, days_till_exp_crit;
+
/* for ldap tls */
char *SERVICE = "LDAP";
@@ -157,6 +160,9 @@
printf (_("Could not init TLS at port %i!\n"), ld_port);
return STATE_CRITICAL;
}
+
+ if (check_cert == TRUE)
+ return ldap_check_cert(ld);
#else
printf (_("TLS not supported by the libraries!\n"));
return STATE_CRITICAL;
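Review bot: `return ldap_check_cert(ld);` (here and again in the startTLS hunk at `@@ -181,6 +187,9 @@`) calls a function that this diff defines only at the end of check_ldap.c and never declares earlier, so unless a prototype exists outside the diff the call is compiled against an implicit `int ldap_check_cert()`; add `int ldap_check_cert (LDAP *ld);` beside the file's other prototypes. The early return also means that with -C the plugin never binds, never searches and never calls `ldap_unbind` on `ld`, which mirrors check_http's -C behaviour but is invisible at the call site, so a comment such as `/* -C: report on certificate expiry only; no bind/search is performed */` would help. The enclosing function starts and ends outside the hunk.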
@@ -181,6 +187,9 @@
printf (_("Could not init startTLS at port %i!\n"), ld_port);
return STATE_CRITICAL;
}
+
+ if (check_cert == TRUE)
+ return ldap_check_cert(ld);
#else
printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
return STATE_CRITICAL;
@@ -240,6 +249,7 @@
process_arguments (int argc, char **argv)
{
int c;
+ char *temp;
int option = 0;
/* initialize the long option struct */
@@ -258,6 +268,7 @@
#endif
{"starttls", no_argument, 0, 'T'},
{"ssl", no_argument, 0, 'S'},
+ {"certificate", required_argument, 0, 'C'},
{"use-ipv4", no_argument, 0, '4'},
{"use-ipv6", no_argument, 0, '6'},
{"port", required_argument, 0, 'p'},
@@ -276,7 +287,7 @@
}
while (1) {
- c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option);
+ c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:C:", longopts, &option);
if (c == -1 || c == EOF)
break;
@@ -338,6 +349,33 @@
else
usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl");
break;
+ case 'C': /* Check SSL cert validity */
+#ifndef HAVE_SSL
+ usage4 (_("Invalid option - SSL is not available"));
+#else
+ if (starttls || ssl_on_connect || strstr(argv[0],"check_ldaps")) {
+ if ((temp=strchr(optarg,','))!=NULL) {
+ *temp = '\0';
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi(optarg);
+ *temp = ',';
+ temp++;
+ if (!is_intnonneg (temp))
+ usage2 (_("Invalid certificate expiration period"), temp);
+ days_till_exp_crit = atoi (temp);
+ } else {
+ days_till_exp_crit = 0;
+ if (!is_intnonneg (optarg))
+ usage2 (_("Invalid certificate expiration period"), optarg);
+ days_till_exp_warn = atoi (optarg);
+ }
+ check_cert = TRUE;
+ } else {
+ usage_va(_("%s requires either %s or %s"), "-C/--certificate", "-S/--ssl", "-T/--starttls");
+ }
+ break;
+#endif
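Review bot: On the line `if (!is_intnonneg (temp))` directly after `*temp = '\0';`, `temp` points at the terminator that was just written, so the warn field before the comma is never validated and `days_till_exp_warn = atoi(optarg);` runs on unchecked input; the test should read `if (!is_intnonneg (optarg))`. check_http.c's -C parsing in this tree appears to use the same construct, so if that is where this was copied from it is worth fixing both. Separately, the `starttls || ssl_on_connect || strstr(argv[0],"check_ldaps")` test makes -C depend on option order (`-C 30 -S` is rejected, `-S -C 30` accepted), so that requirement belongs after the getopt loop rather than inside `case 'C'`. process_arguments starts and ends outside the hunk.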
case 'S':
if (! starttls) {
ssl_on_connect = TRUE;
@@ -420,6 +458,9 @@
printf (" %s\n", "-S [--ssl]");
printf (" %s %i\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to"), LDAPS_PORT);
+ printf (" %s\n", "-C [--certificate]");
+ printf (" %s\n", _("Minimum number of days a certificate has to be valid"));
+
#ifdef HAVE_LDAP_SET_OPTION
printf (" %s\n", "-2 [--ver2]");
printf (" %s\n", _("use ldap protocol version 2"));
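Review bot: The new help lines do not tell the user the argument format or that the certificate check replaces the normal LDAP query: per the `strchr(optarg,',')` parsing the option takes `warn_days[,crit_days]`, and per the `return ldap_check_cert(ld)` calls the plugin returns right after the TLS handshake without binding or searching. Suggest `printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");` followed by `printf ("    %s\n", _("Minimum number of days a certificate has to be valid (warning[,critical])"));` and `printf ("    %s\n", _("(when this option is used no bind or search is performed)"));`. The usage line in the next hunk, `[-C <age>]`, should likewise read `[-C <warn_days>[,<crit_days>]]`. print_help starts and ends outside the hunk.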
@@ -455,7 +496,7 @@
{
printf ("%s\n", _("Usage:"));
printf (" %s -H <host> -b <base_dn> [-p <port>] [-a <attr>] [-D <binddn>]",progname);
- printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout]%s\n",
+ printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout] [-C <age>]%s\n",
#ifdef HAVE_LDAP_SET_OPTION
"\n [-2|-3] [-4|-6]"
#else
@@ -463,3 +504,16 @@
#endif
);
}
+
+int ldap_check_cert (LDAP *ld)
+{
+ SSL *ssl;
+ int rc;
+
+ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl);
+ if (rc == LDAP_OPT_ERROR || ssl == NULL) {
+ printf ("%s\n",_("CRITICAL - Cannot retrieve ssl session from connection."));
+ return STATE_CRITICAL;
+ }
+ return np_net_ssl_check_cert_real(ssl, days_till_exp_warn, days_till_exp_crit);
+}
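Review bot: `ldap_check_cert` declares an `SSL *` local and calls `np_net_ssl_check_cert_real`, yet it is not inside an `#ifdef HAVE_SSL` block, while netutils.h only declares that helper (and the `SSL` type) under HAVE_SSL, so a build without SSL support fails to compile this file even though `case 'C'` is correctly gated; wrap the definition and the two `return ldap_check_cert(ld)` call sites in `#ifdef HAVE_SSL`. `ssl` should also be initialised, `SSL *ssl = NULL;`, so the `ssl == NULL` test does not depend on `ldap_get_option` writing the pointer on every failure path. The pointer is then treated as an OpenSSL `SSL *`, which holds only when libldap itself is built on OpenSSL; a GnuTLS-backed libldap hands back a different session object for this option, so record the assumption: `/* assumes libldap is built on OpenSSL: LDAP_OPT_X_TLS_SSL_CTX then yields the connection's SSL* (not an SSL_CTX, despite the name) */`. A header comment should also state the scope a reader would otherwise guess at: `/* -C: report only on expiry of the peer certificate of the session libldap established for ld; chain and hostname verification remain libldap's (TLS_REQCERT) concern. */`.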
diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/Makefile.am nagios-plugins-1.4.16-check_ldap_certificate/plugins/Makefile.am
--- nagios-plugins-1.4.16/plugins/Makefile.am 2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/Makefile.am 2012-07-04 11:03:00.888343446 +0200
@@ -72,7 +72,7 @@
check_game_LDADD = $(BASEOBJS) runcmd.o
check_http_LDADD = $(SSLOBJS) $(NETLIBS) $(SSLLIBS)
check_hpjd_LDADD = $(NETLIBS) popen.o
-check_ldap_LDADD = $(NETLIBS) $(LDAPLIBS)
+check_ldap_LDADD = $(SSLOBJS) $(NETLIBS) $(LDAPLIBS) $(SSLLIBS)
check_load_LDADD = $(BASEOBJS) popen.o
check_mrtg_LDADD = $(BASEOBJS)
check_mrtgtraf_LDADD = $(BASEOBJS)
@@ -118,7 +118,7 @@
check_http_DEPENDENCIES = check_http.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
check_hpjd_DEPENDENCIES = check_hpjd.c $(NETOBJS) popen.o $(DEPLIBS)
check_ide_smart_DEPENDENCIES = check_ide_smart.c $(BASEOBJS) $(DEPLIBS)
-check_ldap_DEPENDENCIES = check_ldap.c $(NETOBJS) $(DEPLIBS)
+check_ldap_DEPENDENCIES = check_ldap.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
check_load_DEPENDENCIES = check_load.c $(BASEOBJS) popen.o $(DEPLIBS)
check_mrtg_DEPENDENCIES = check_mrtg.c $(DEPLIBS)
check_mrtgtraf_DEPENDENCIES = check_mrtgtraf.c $(DEPLIBS)
diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/netutils.h nagios-plugins-1.4.16-check_ldap_certificate/plugins/netutils.h
--- nagios-plugins-1.4.16/plugins/netutils.h 2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/netutils.h 2012-07-04 11:03:56.291891100 +0200
@@ -104,6 +104,7 @@
int np_net_ssl_write(const void *buf, int num);
int np_net_ssl_read(void *buf, int num);
int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
+int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp_warn, int days_till_exp_crit);
#endif /* HAVE_SSL */
#endif /* _NETUTILS_H_ */
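Review bot: The new prototype carries no comment, and its relationship to `np_net_ssl_check_cert` on the line above is left for the reader to infer; suggest preceding it with `/* As np_net_ssl_check_cert(), but on a caller-supplied session rather than this module's own connection. Returns a STATE_* code. */`. Placing it inside the existing `#ifdef HAVE_SSL` block is right, since `SSL` is only available there.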
diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/sslutils.c nagios-plugins-1.4.16-check_ldap_certificate/plugins/sslutils.c
--- nagios-plugins-1.4.16/plugins/sslutils.c 2012-06-27 19:32:47.000000000 +0200
+++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/sslutils.c 2012-07-06 13:11:37.469453627 +0200
@@ -128,6 +128,15 @@
int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
# ifdef USE_OPENSSL
+ return np_net_ssl_check_cert_real(s, days_till_exp_warn, days_till_exp_crit);
+# else /* ifndef USE_OPENSSL */
+ printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
+ return STATE_WARNING;
+# endif /* USE_OPENSSL */
+}
+
+int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp_warn, int days_till_exp_crit){
+# ifdef USE_OPENSSL
X509 *certificate=NULL;
X509_NAME *subj=NULL;
char cn[MAX_CN_LENGTH]= "";
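Review bot: `np_net_ssl_check_cert_real` takes a caller-supplied `ssl` and, in the next hunk, passes it straight to `SSL_get_peer_certificate(ssl)` with no NULL check; the wrapper passes the module's global `s` and check_ldap.c tests for NULL before calling, but a helper exported through netutils.h should not rely on every caller doing so, so add `if (ssl == NULL) { printf ("%s\n", _("CRITICAL - No SSL session.")); return STATE_CRITICAL; }` at the top of the `# ifdef USE_OPENSSL` branch. A short comment on the new function would also help: `/* Expiry check on the peer certificate of a caller-owned SSL session; np_net_ssl_check_cert() is the variant bound to this module's global connection. */`. np_net_ssl_check_cert_real continues outside the hunk.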
@@ -141,7 +150,7 @@
int days_left;
char timestamp[17] = "";
- certificate=SSL_get_peer_certificate(s);
+ certificate=SSL_get_peer_certificate(ssl);
if (!certificate) {
printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
return STATE_CRITICAL;