all plugins now using centralized ssl functions in netutils.c

git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1257 f882894a-f735-0410-b71e-b25c423dba1c
M. Sean Finney 2005-10-19 20:22:00 +00:00
parent 5dd7b5dff4
commit cf66a717e9
5 changed files with 134 additions and 572 deletions


@ -37,38 +37,17 @@ enum {
HTTPS_PORT = 443
};
#ifdef HAVE_SSL_H
#include <rsa.h>
#include <crypto.h>
#include <x509.h>
#include <pem.h>
#include <ssl.h>
#include <err.h>
#include <rand.h>
#else
# ifdef HAVE_OPENSSL_SSL_H
# include <openssl/rsa.h>
# include <openssl/crypto.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/rand.h>
# endif
#endif
#ifdef HAVE_SSL
int check_cert = FALSE;
int days_till_exp;
char *randbuff;
SSL_CTX *ctx;
SSL *ssl;
X509 *server_cert;
int connect_SSL (void);
# ifdef USE_OPENSSL
int check_certificate (X509 **);
# endif
#endif
# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
# define my_send(buf, len) ((use_ssl) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
#else /* ifndef HAVE_SSL */
# define my_recv(buf, len) read(sd, buf, len)
# define my_send(buf, len) send(sd, buf, len, 0)
#endif /* HAVE_SSL */
int no_body = FALSE;
int maximum_age = -1;
@ -132,8 +111,6 @@ int server_type_check(const char *type);
int server_port_check(int ssl_flag);
char *perfd_time (double microsec);
char *perfd_size (int page_len);
int my_recv (void);
int my_close (void);
void print_help (void);
void print_usage (void);
@ -168,29 +145,7 @@ main (int argc, char **argv)
(void) alarm (socket_timeout);
gettimeofday (&tv, NULL);
#ifdef USE_OPENSSL
if (use_ssl && check_cert == TRUE) {
if (connect_SSL () != OK)
die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n"));
if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
result = check_certificate (&server_cert);
X509_free (server_cert);
}
else {
printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
result = STATE_CRITICAL;
}
SSL_shutdown (ssl);
SSL_free (ssl);
SSL_CTX_free (ctx);
close (sd);
}
else {
result = check_http ();
}
#else
result = check_http ();
#endif
return result;
}
@ -790,34 +745,27 @@ check_http (void)
long microsec;
double elapsed_time;
int page_len = 0;
int result = STATE_UNKNOWN;
#ifdef HAVE_SSL
int sslerr;
#endif
/* try to connect to the host at the given port number */
if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
if (connect_SSL () != OK) {
die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
np_net_ssl_init(sd);
if (check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
if(result != STATE_OK){
np_net_ssl_cleanup();
if(sd) close(sd);
return result;
}
}
# ifdef USE_OPENSSL
if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
X509_free (server_cert);
}
else {
printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
return STATE_CRITICAL;
}
# endif /* USE_OPENSSL */
}
else {
#endif
if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
#ifdef HAVE_SSL
}
#endif
#endif /* HAVE_SSL */
asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent);
@ -853,28 +801,12 @@ check_http (void)
asprintf (&buf, "%s%s", buf, CRLF);
}
if (verbose)
printf ("%s\n", buf);
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
if (SSL_write (ssl, buf, (int)strlen(buf)) == -1) {
# ifdef USE_OPENSSL
ERR_print_errors_fp (stderr);
# endif
return STATE_CRITICAL;
}
}
else {
#endif
send (sd, buf, strlen (buf), 0);
#ifdef HAVE_SSL
}
#endif
if (verbose) printf ("%s\n", buf);
my_send (buf, strlen (buf));
/* fetch the page */
full_page = strdup("");
while ((i = my_recv ()) > 0) {
while ((i = my_recv (buffer, MAX_INPUT_BUFFER-1)) > 0) {
buffer[i] = '\0';
asprintf (&full_page, "%s%s", full_page, buffer);
pagesize += i;
@ -887,6 +819,7 @@ check_http (void)
if (i < 0 && errno != ECONNRESET) {
#ifdef HAVE_SSL
/*
if (use_ssl) {
sslerr=SSL_get_error(ssl, i);
if ( sslerr == SSL_ERROR_SSL ) {
@ -896,10 +829,13 @@ check_http (void)
}
}
else {
*/
#endif
die (STATE_CRITICAL, _("Error on receive\n"));
#ifdef HAVE_SSL
/* XXX
}
*/
#endif
}
@ -908,7 +844,10 @@ check_http (void)
die (STATE_CRITICAL, _("No data received %s\n"), timestamp);
/* close the connection */
my_close ();
#ifdef HAVE_SSL
np_net_ssl_cleanup();
#endif
if(sd) close(sd);
/* reset the alarm */
alarm (0);
@ -1248,143 +1187,6 @@ server_port_check (int ssl_flag)
return HTTP_PORT;
}
#ifdef HAVE_SSL
int connect_SSL (void)
{
SSL_METHOD *meth;
asprintf (&randbuff, "%s", "qwertyuiopasdfghjklqwertyuiopasdfghjkl");
RAND_seed (randbuff, (int)strlen(randbuff));
if (verbose)
printf(_("SSL seeding: %s\n"), (RAND_status()==1 ? _("OK") : _("Failed")) );
/* Initialize SSL context */
SSLeay_add_ssl_algorithms ();
meth = SSLv23_client_method ();
SSL_load_error_strings ();
if ((ctx = SSL_CTX_new (meth)) == NULL) {
printf (_("CRITICAL - Cannot create SSL context.\n"));
return STATE_CRITICAL;
}
/* Initialize alarm signal handling */
signal (SIGALRM, socket_timeout_alarm_handler);
/* Set socket timeout */
alarm (socket_timeout);
/* Save start time */
gettimeofday (&tv, NULL);
/* Make TCP connection */
if (my_tcp_connect (server_address, server_port, &sd) == STATE_OK) {
/* Do the SSL handshake */
if ((ssl = SSL_new (ctx)) != NULL) {
#ifdef USE_OPENSSL
SSL_set_cipher_list(ssl, "ALL");
#endif
SSL_set_fd (ssl, sd);
if (SSL_connect (ssl) != -1)
return OK;
#ifdef USE_OPENSSL
ERR_print_errors_fp (stderr);
#endif
}
else {
printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
}
SSL_free (ssl);
}
SSL_CTX_free (ctx);
close (sd);
return STATE_CRITICAL;
}
#endif
#ifdef USE_OPENSSL
int
check_certificate (X509 ** certificate)
{
ASN1_STRING *tm;
int offset;
struct tm stamp;
int days_left;
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter (*certificate);
/* Generate tm structure to process timestamp */
if (tm->type == V_ASN1_UTCTIME) {
if (tm->length < 10) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
if (stamp.tm_year < 50)
stamp.tm_year += 100;
offset = 0;
}
}
else {
if (tm->length < 12) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year =
(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
stamp.tm_year -= 1900;
offset = 2;
}
}
stamp.tm_mon =
(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
stamp.tm_mday =
(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
stamp.tm_hour =
(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
stamp.tm_min =
(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
stamp.tm_sec = 0;
stamp.tm_isdst = -1;
days_left = (mktime (&stamp) - time (NULL)) / 86400;
snprintf
(timestamp, 17, "%02d/%02d/%04d %02d:%02d",
stamp.tm_mon + 1,
stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
if (days_left > 0 && days_left <= days_till_exp) {
printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
return STATE_WARNING;
}
if (days_left < 0) {
printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
return STATE_CRITICAL;
}
if (days_left == 0) {
printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
return STATE_WARNING;
}
printf (_("OK - Certificate will expire on %s.\n"), timestamp);
return STATE_OK;
}
#endif
char *perfd_time (double elapsed_time)
{
return fperfdata ("time", elapsed_time, "s",
@ -1403,47 +1205,6 @@ char *perfd_size (int page_len)
TRUE, 0, FALSE, 0);
}
int
my_recv (void)
{
int i;
#ifdef HAVE_SSL
if (use_ssl) {
i = SSL_read (ssl, buffer, MAX_INPUT_BUFFER - 1);
}
else {
i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
}
#else
i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
#endif
return i;
}
int
my_close (void)
{
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
SSL_shutdown (ssl);
SSL_free (ssl);
SSL_CTX_free (ctx);
return 0;
}
else {
#endif
return close (sd);
#ifdef HAVE_SSL
}
#endif
}
void
print_help (void)
{
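Review bot: In the check_http() hunk the return value of `np_net_ssl_init(sd)` is discarded, so a failed TLS handshake falls straight through to the `my_send`/`my_recv` loop on a session that was never established; the line it appears to replace died when `connect_SSL()` failed. Mirror the sibling plugins in this commit with `if (np_net_ssl_init(sd) != STATE_OK) die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n"));`. In the request hunk `my_send (buf, strlen (buf));` likewise ignores its result, whereas the removed `SSL_write` branch returned STATE_CRITICAL on -1, so a failed write now continues into the receive loop and is reported as a receive problem. The `SSL_get_error` block parked under `/* XXX` in the receive-error hunk should be deleted rather than left commented out. Old and new sides are not marked on this page, and check_http() extends beyond these hunks, so the first point assumes the `np_net_ssl_init(sd)` line is the added one.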


@ -27,35 +27,14 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
#include "netutils.h"
#include "utils.h"
#ifdef HAVE_SSL_H
# include <rsa.h>
# include <crypto.h>
# include <x509.h>
# include <pem.h>
# include <ssl.h>
# include <err.h>
#else
# ifdef HAVE_OPENSSL_SSL_H
# include <openssl/rsa.h>
# include <openssl/crypto.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/ssl.h>
# include <openssl/err.h>
# endif
#endif
#ifdef HAVE_SSL
int check_cert = FALSE;
int days_till_exp;
SSL_CTX *ctx;
SSL *ssl;
X509 *server_cert;
int connect_STARTTLS (void);
# ifdef USE_OPENSSL
int check_certificate (X509 **);
# endif
# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
#else /* ifndef HAVE_SSL */
# define my_recv(buf, len) read(sd, buf, len)
# define my_send(buf, len) send(sd, buf, len, 0)
#endif
enum {
@ -77,7 +56,6 @@ int process_arguments (int, char **);
int validate_arguments (void);
void print_help (void);
void print_usage (void);
int myrecv(void);
int my_close(void);
#ifdef HAVE_REGEX_H
@ -111,7 +89,7 @@ int check_critical_time = FALSE;
int verbose = 0;
int use_ssl = FALSE;
short use_ehlo = FALSE;
short ssl_established = TRUE;
short ssl_established = 0;
char *localhostname = NULL;
int sd;
char buffer[MAX_INPUT_BUFFER];
@ -237,22 +215,20 @@ main (int argc, char **argv)
send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
return STATE_UNKNOWN;
}
if(connect_STARTTLS() != OK) {
result = np_net_ssl_init(sd);
if(result != STATE_OK) {
printf (_("CRITICAL - Cannot create SSL context.\n"));
np_net_ssl_cleanup();
close(sd);
return STATE_CRITICAL;
} else {
ssl_established = TRUE;
ssl_established = 1;
}
# ifdef USE_OPENSSL
if ( check_cert ) {
if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
result = check_certificate (&server_cert);
X509_free(server_cert);
}
else {
result = np_net_ssl_check_cert(days_till_exp);
if(result != STATE_OK){
printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
result = STATE_CRITICAL;
}
my_close();
return result;
@ -272,26 +248,16 @@ main (int argc, char **argv)
* Use the -f option to provide a FROM address
*/
if (smtp_use_dummycmd) {
#ifdef HAVE_SSL
if (use_ssl)
SSL_write(ssl, cmd_str, strlen(cmd_str));
else
#endif
send(sd, cmd_str, strlen(cmd_str), 0);
myrecv();
my_send(cmd_str, strlen(cmd_str));
my_recv(buffer, MAX_INPUT_BUFFER-1);
if (verbose)
printf("%s", buffer);
}
while (n < ncommands) {
asprintf (&cmd_str, "%s%s", commands[n], "\r\n");
#ifdef HAVE_SSL
if (use_ssl)
SSL_write(ssl,cmd_str, strlen(cmd_str));
else
#endif
send(sd, cmd_str, strlen(cmd_str), 0);
myrecv();
my_send(cmd_str, strlen(cmd_str));
my_recv(buffer, MAX_INPUT_BUFFER-1);
if (verbose)
printf("%s", buffer);
strip (buffer);
@ -328,12 +294,7 @@ main (int argc, char **argv)
}
/* tell the server we're done */
#ifdef HAVE_SSL
if (use_ssl)
SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT));
else
#endif
send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
my_send (SMTP_QUIT, strlen (SMTP_QUIT));
/* finally close the connection */
close (sd);
@ -626,150 +587,11 @@ Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\
[-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname);
}
#ifdef HAVE_SSL
int
connect_STARTTLS (void)
{
SSL_METHOD *meth;
/* Initialize SSL context */
SSLeay_add_ssl_algorithms ();
meth = SSLv23_client_method ();
SSL_load_error_strings ();
if ((ctx = SSL_CTX_new (meth)) == NULL)
{
printf(_("CRITICAL - Cannot create SSL context.\n"));
return STATE_CRITICAL;
}
/* do the SSL handshake */
if ((ssl = SSL_new (ctx)) != NULL)
{
SSL_set_fd (ssl, sd);
/* original version checked for -1
I look for success instead (1) */
if (SSL_connect (ssl) == 1)
return OK;
# ifdef USE_OPENSSL
ERR_print_errors_fp (stderr);
# endif
}
else
{
printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
}
my_close();
return STATE_CRITICAL;
}
# ifdef USE_OPENSSL
int
check_certificate (X509 ** certificate)
{
ASN1_STRING *tm;
int offset;
struct tm stamp;
int days_left;
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter (*certificate);
/* Generate tm structure to process timestamp */
if (tm->type == V_ASN1_UTCTIME) {
if (tm->length < 10) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
if (stamp.tm_year < 50)
stamp.tm_year += 100;
offset = 0;
}
}
else {
if (tm->length < 12) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year =
(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
stamp.tm_year -= 1900;
offset = 2;
}
}
stamp.tm_mon =
(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
stamp.tm_mday =
(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
stamp.tm_hour =
(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
stamp.tm_min =
(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
stamp.tm_sec = 0;
stamp.tm_isdst = -1;
days_left = (mktime (&stamp) - time (NULL)) / 86400;
snprintf
(timestamp, sizeof(timestamp), "%02d/%02d/%04d %02d:%02d",
stamp.tm_mon + 1,
stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
if (days_left > 0 && days_left <= days_till_exp) {
printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp);
return STATE_WARNING;
}
if (days_left < 0) {
printf ("Certificate expired on %s.\n", timestamp);
return STATE_CRITICAL;
}
if (days_left == 0) {
printf ("Certificate expires today (%s).\n", timestamp);
return STATE_WARNING;
}
printf ("Certificate will expire on %s.\n", timestamp);
return STATE_OK;
}
# endif /* USE_OPENSSL */
#endif
int
myrecv (void)
{
int i;
#ifdef HAVE_SSL
if (use_ssl) {
i = SSL_read (ssl, buffer, MAXBUF - 1);
}
else {
#endif
i = read (sd, buffer, MAXBUF - 1);
#ifdef HAVE_SSL
}
#endif
return i;
}
int
my_close (void)
{
#ifdef HAVE_SSL
if (use_ssl == TRUE && ssl_established == TRUE) {
SSL_shutdown (ssl);
SSL_free (ssl);
SSL_CTX_free (ctx);
return 0;
}
else {
#endif
return close(sd);
#ifdef HAVE_SSL
}
np_net_ssl_cleanup();
#endif
return close(sd);
}
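Review bot: In the STARTTLS hunk of main(), a non-OK result from `np_net_ssl_check_cert(days_till_exp)` is overwritten: the block under `if(result != STATE_OK){` prints `CRITICAL - Cannot retrieve server certificate.` and sets `result = STATE_CRITICAL`, so a certificate that is merely close to expiry (STATE_WARNING from netutils.c, which has already printed the accurate WARNING line) is reported as CRITICAL with a misleading message. Since np_net_ssl_check_cert() prints for every outcome, the block reduces to `result = np_net_ssl_check_cert(days_till_exp); my_close(); return result;`. The page does not mark which lines are added, so this assumes the `if(result != STATE_OK)` wrapper is new rather than retained. The rewritten my_close() now calls `np_net_ssl_cleanup()` unconditionally, where the old code guarded on `ssl_established`; whether the helper tolerates being called with no session set up is not visible here and deserves a comment on my_close(). main() continues beyond the hunk.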


@ -32,10 +32,6 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
static int check_cert = FALSE;
static int days_till_exp;
static char *randbuff = "";
static X509 *server_cert;
# ifdef USE_OPENSSL
static int check_certificate (X509 **);
# endif /* USE_OPENSSL */
# define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
# define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
#else
@ -43,7 +39,6 @@ static int check_certificate (X509 **);
# define my_send(buf, len) send(sd, buf, len, 0)
#endif
/* int my_recv(char *, size_t); */
static int process_arguments (int, char **);
void print_help (void);
@ -217,34 +212,19 @@ main (int argc, char **argv)
#ifdef HAVE_SSL
if (flags & FLAG_SSL){
result = np_net_ssl_init(sd);
if(result != STATE_OK) return result;
/* XXX does np_net_ssl take care of printing an error?
die (STATE_CRITICAL,_("CRITICAL - Could not make SSL connection\n"));
*/
}
# ifdef USE_OPENSSL /* XXX gnutls does cert checking differently */
/*
if (flags & FLAG_SSL && check_cert == TRUE) {
if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
result = check_certificate (&server_cert);
X509_free(server_cert);
}
else {
printf(_("CRITICAL - Cannot retrieve server certificate.\n"));
result = STATE_CRITICAL;
if (result == STATE_OK && check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
if(result != STATE_OK) {
printf(_("CRITICAL - Cannot retrieve server certificate.\n"));
}
}
}
*/
# endif /* USE_OPENSSL */
#endif
if(result != STATE_OK){
#ifdef HAVE_SSL
np_net_ssl_cleanup();
#endif
if(sd) close(sd);
return result;
}
#endif /* HAVE_SSL */
if (server_send != NULL) { /* Something to send? */
my_send(server_send, strlen(server_send));
@ -567,86 +547,6 @@ process_arguments (int argc, char **argv)
}
/* SSL-specific functions */
#ifdef HAVE_SSL
# ifdef USE_OPENSSL /* XXX */
static int
check_certificate (X509 ** certificate)
{
ASN1_STRING *tm;
int offset;
struct tm stamp;
int days_left;
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter (*certificate);
/* Generate tm structure to process timestamp */
if (tm->type == V_ASN1_UTCTIME) {
if (tm->length < 10) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
if (stamp.tm_year < 50)
stamp.tm_year += 100;
offset = 0;
}
}
else {
if (tm->length < 12) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
}
else {
stamp.tm_year =
(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
stamp.tm_year -= 1900;
offset = 2;
}
}
stamp.tm_mon =
(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
stamp.tm_mday =
(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
stamp.tm_hour =
(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
stamp.tm_min =
(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
stamp.tm_sec = 0;
stamp.tm_isdst = -1;
days_left = (mktime (&stamp) - time (NULL)) / 86400;
snprintf
(timestamp, 16, "%02d/%02d/%04d %02d:%02d",
stamp.tm_mon + 1,
stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
if (days_left > 0 && days_left <= days_till_exp) {
printf (_("Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
return STATE_WARNING;
}
if (days_left < 0) {
printf (_("Certificate expired on %s.\n"), timestamp);
return STATE_CRITICAL;
}
if (days_left == 0) {
printf (_("Certificate expires today (%s).\n"), timestamp);
return STATE_WARNING;
}
printf (_("Certificate will expire on %s.\n"), timestamp);
return STATE_OK;
}
# endif /* USE_OPENSSL */
#endif /* HAVE_SSL */
void
print_help (void)
{
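Review bot: In the main() hunk, the early `if(result != STATE_OK) return result;` directly after `np_net_ssl_init(sd)` bypasses the cleanup block added a few lines below (`np_net_ssl_cleanup()` then `close(sd)`), which already covers every non-OK result because the certificate check is guarded by `result == STATE_OK`; dropping that line leaves a single exit path. The `printf(_("CRITICAL - Cannot retrieve server certificate.\n"))` under `if(result != STATE_OK)` after `np_net_ssl_check_cert(days_till_exp)` also fires for STATE_WARNING (certificate expiring soon), right after netutils.c has printed the correct WARNING line, so the operator sees two contradictory messages for one check; the printf can go since the helper reports every outcome itself. Old and new sides are not marked on this page, so this assumes the `if(result != STATE_OK)` branch is the added part. main() continues beyond the hunk.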


@ -281,6 +281,84 @@ int np_net_ssl_read(void *buf, int num){
return SSL_read(s, buf, num);
}
int np_net_ssl_check_cert(int days_till_exp){
# ifdef USE_OPENSSL
X509 *certificate=NULL;
ASN1_STRING *tm;
int offset;
struct tm stamp;
int days_left;
char timestamp[17] = "";
certificate=SSL_get_peer_certificate(s);
if(! certificate){
printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
return STATE_CRITICAL;
}
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter (certificate);
/* Generate tm structure to process timestamp */
if (tm->type == V_ASN1_UTCTIME) {
if (tm->length < 10) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
} else {
stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
if (stamp.tm_year < 50)
stamp.tm_year += 100;
offset = 0;
}
} else {
if (tm->length < 12) {
printf (_("CRITICAL - Wrong time format in certificate.\n"));
return STATE_CRITICAL;
} else {
stamp.tm_year =
(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
stamp.tm_year -= 1900;
offset = 2;
}
}
stamp.tm_mon =
(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
stamp.tm_mday =
(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
stamp.tm_hour =
(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
stamp.tm_min =
(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
stamp.tm_sec = 0;
stamp.tm_isdst = -1;
days_left = (mktime (&stamp) - time (NULL)) / 86400;
snprintf
(timestamp, 17, "%02d/%02d/%04d %02d:%02d",
stamp.tm_mon + 1,
stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
if (days_left > 0 && days_left <= days_till_exp) {
printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
return STATE_WARNING;
} else if (days_left < 0) {
printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
return STATE_CRITICAL;
} else if (days_left == 0) {
printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
return STATE_WARNING;
}
printf (_("OK - Certificate will expire on %s.\n"), timestamp);
X509_free (certificate);
return STATE_OK;
# else /* ifndef USE_OPENSSL */
printf (_("WARNING - Plugin does not support checking certificates.\n"));
return STATE_WARNING;
# endif /* USE_OPENSSL */
}
#endif /* HAVE_SSL */
int


@ -89,6 +89,7 @@ int np_net_ssl_init(int sd);
void np_net_ssl_cleanup();
int np_net_ssl_write(const void *buf, int num);
int np_net_ssl_read(void *buf, int num);
int np_net_ssl_check_cert(int days_till_exp);
#endif /* HAVE_SSL */
#endif /* _NETUTILS_H_ */