applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp

2026-04-15 22:00:06 -04:00 · 2012-05-21 18:46:45 -07:00 · 2012-05-21 18:46:45 -07:00 · fa3d2a4074
commit fa3d2a4074
parent 88fdf3a8a8
5 changed files with 90 additions and 34 deletions
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@ -58,8 +58,8 @@ enum {

 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
 int ssl_version;
+int days_till_exp_warn, days_till_exp_crit;
 char *randbuff;
 X509 *server_cert;
 #  define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@ -178,6 +178,7 @@ process_arguments (int argc, char **argv)
 {
  int c = 1;
  char *p;
+  char *temp;

  enum {
    INVERT_REGEX = CHAR_MAX + 1,
@ -282,13 +283,25 @@ process_arguments (int argc, char **argv)
      break;
    case 'C': /* Check SSL cert validity */
 #ifdef HAVE_SSL
-      if (!is_intnonneg (optarg))
-        usage2 (_("Invalid certificate expiration period"), optarg);
-      else {
-        days_till_exp = atoi (optarg);
-        check_cert = TRUE;
+      if ((temp=strchr(optarg,','))!=NULL) {
+	*temp='\0';
+	if (!is_intnonneg (temp))
+	  usage2 (_("Invalid certificate expiration period"), optarg);
+	days_till_exp_warn = atoi(optarg);
+	*temp=',';
+	temp++;
+	if (!is_intnonneg (temp))
+	  usage2 (_("Invalid certificate expiration period"), temp);
+	days_till_exp_crit = atoi (temp);
      }
-     /* Fall through to -S option */
+      else {
+	days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
+      }
+      check_cert = TRUE;
+      /* Fall through to -S option */
 #endif
    case 'S': /* use SSL */
 #ifndef HAVE_SSL
@ -810,7 +823,7 @@ check_http (void)
    if (result != STATE_OK)
      return result;
    if (check_cert == TRUE) {
-      result = np_net_ssl_check_cert(days_till_exp);
+      result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
      np_net_ssl_cleanup();
      if (sd) close(sd);
      return result;
@ -1427,6 +1440,13 @@ print_help (void)
  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
  printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
  printf (" %s\n", _("the certificate is expired."));
+
+  printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
+  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+  printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+  printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+
 #endif

  printf (UT_SUPPORT);
@ -1444,6 +1464,6 @@ print_usage (void)
  printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
  printf ("       [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
  printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
-  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
-  printf ("       [-j method]\n");
+  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+  printf ("       [-T <content-type>] [-j method]\n");
 }
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";

 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
+int days_till_exp_warn, days_till_exp_crit;
 #  define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 #  define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else /* ifndef HAVE_SSL */
@ -275,7 +275,7 @@ main (int argc, char **argv)

 #  ifdef USE_OPENSSL
 		  if ( check_cert ) {
-		    result = np_net_ssl_check_cert(days_till_exp);
+                    result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
 		    my_close();
 		    return result;
 		  }
@ -454,6 +454,7 @@ int
 process_arguments (int argc, char **argv)
 {
 	int c;
+	char* temp;

 	int option = 0;
 	static struct option longopts[] = {
@ -600,12 +601,26 @@ process_arguments (int argc, char **argv)
 		case 'D':
 		/* Check SSL cert validity */
 #ifdef USE_OPENSSL
-			if (!is_intnonneg (optarg))
-				usage2 ("Invalid certificate expiration period",optarg);
-				days_till_exp = atoi (optarg);
-				check_cert = TRUE;
+                        if ((temp=strchr(optarg,','))!=NULL) {
+                            *temp='\0';
+                            if (!is_intnonneg (temp))
+                               usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi(optarg);
+                            *temp=',';
+                            temp++;
+                            if (!is_intnonneg (temp))
+                                usage2 (_("Invalid certificate expiration period"), temp);
+                            days_till_exp_crit = atoi (temp);
+                        }
+                        else {
+                            days_till_exp_crit=0;
+                            if (!is_intnonneg (optarg))
+                                usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi (optarg);
+                        }
+			check_cert = TRUE;
 #else
-				usage (_("SSL support not available - install OpenSSL and recompile"));
+			usage (_("SSL support not available - install OpenSSL and recompile"));
 #endif
 			break;
 		case '4':
@ -802,7 +817,7 @@ print_help (void)
  printf (" %s\n", "-F, --fqdn=STRING");
  printf ("    %s\n", _("FQDN used for HELO"));
 #ifdef HAVE_SSL
-  printf (" %s\n", "-D, --certificate=INTEGER");
+  printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
  printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
  printf (" %s\n", "-S, --starttls");
  printf ("    %s\n", _("Use STARTTLS for the connection."));
@ -838,8 +853,8 @@ void
 print_usage (void)
 {
  printf ("%s\n", _("Usage:"));
-  printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname);
-  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n");
-  printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n");
+  printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname);
+  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n");
+  printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n");
 }

--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";

 #ifdef HAVE_SSL
 static int check_cert = FALSE;
-static int days_till_exp;
+static int days_till_exp_warn, days_till_exp_crit;
 # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else
@ -235,7 +235,7 @@ main (int argc, char **argv)
 	if (flags & FLAG_SSL){
 		result = np_net_ssl_init(sd);
 		if (result == STATE_OK && check_cert == TRUE) {
-			result = np_net_ssl_check_cert(days_till_exp);
+			result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
 		}
 	}
 	if(result != STATE_OK || check_cert == TRUE){
@ -380,6 +380,7 @@ process_arguments (int argc, char **argv)
 {
 	int c;
 	int escape = 0;
+	char *temp;

 	int option = 0;
 	static struct option longopts[] = {
@ -552,9 +553,22 @@ process_arguments (int argc, char **argv)
 		case 'D': /* Check SSL cert validity - days 'til certificate expiration */
 #ifdef HAVE_SSL
 #  ifdef USE_OPENSSL /* XXX */
-			if (!is_intnonneg (optarg))
+			if ((temp=strchr(optarg,','))!=NULL) {
+			    *temp='\0';
+			    if (!is_intnonneg (temp))
+                               usage2 (_("Invalid certificate expiration period"), optarg);				 days_till_exp_warn = atoi(optarg);
+			    *temp=',';
+			    temp++;
+			    if (!is_intnonneg (temp))
+				usage2 (_("Invalid certificate expiration period"), temp);
+			    days_till_exp_crit = atoi (temp);
+			}
+			else {
+			    days_till_exp_crit=0;
+			    if (!is_intnonneg (optarg))
 				usage2 (_("Invalid certificate expiration period"), optarg);
-			days_till_exp = atoi (optarg);
+			    days_till_exp_warn = atoi (optarg);
+			}
 			check_cert = TRUE;
 			flags |= FLAG_SSL;
 			break;
@ -626,8 +640,9 @@ print_help (void)
  printf ("    %s\n", _("Seconds to wait between sending string and polling for response"));

 #ifdef HAVE_SSL
-	printf (" %s\n", "-D, --certificate=INTEGER");
+	printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
  printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
+  printf ("    %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
  printf (" %s\n", "-S, --ssl");
  printf ("    %s\n", _("Use SSL for the connection."));
 #endif
@ -649,6 +664,6 @@ print_usage (void)
  printf ("%s -H host -p port [-w <warning time>] [-c <critical time>] [-s <send string>]\n",progname);
  printf ("[-e <expect string>] [-q <quit string>][-m <maximum bytes>] [-d <delay>]\n");
  printf ("[-t <timeout seconds>] [-r <refuse state>] [-M <mismatch state>] [-v] [-4|-6] [-j]\n");
-  printf ("[-D <days to cert expiry>] [-S <use SSL>] [-E]\n");
+  printf ("[-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>] [-E]\n");
 }

--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
-int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
 #endif /* HAVE_SSL */

 #endif /* _NETUTILS_H_ */
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) {
 	return SSL_read(s, buf, num);
 }

-int np_net_ssl_check_cert(int days_till_exp) {
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
 	X509 *certificate=NULL;
 	X509_NAME *subj=NULL;
@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) {
 		 stamp.tm_mon + 1,
 		 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);

-	if (days_left > 0 && days_left <= days_till_exp) {
-		printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
-		status=STATE_WARNING;
+	if (days_left > 0 && days_left <= days_till_exp_warn) {
+		printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp);
+		if (days_left > days_till_exp_crit)
+			return STATE_WARNING;
+		else
+			return STATE_CRITICAL;
 	} else if (time_left < 0) {
 		printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
 		status=STATE_CRITICAL;
 	} else if (days_left == 0) {
-		printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
-		status=STATE_WARNING;
+		printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp);
+		if (days_left > days_till_exp_crit)
+			return STATE_WARNING;
+		else
+			return STATE_CRITICAL;
 	} else {
 		printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
 		status=STATE_OK;