![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1a5a83b)
raw | patch | inline | side by side (parent: 1a5a83b)
| author | Thomas Guyot-Sionnest <dermoth@aei.ca> | |
| Fri, 4 Feb 2011 05:54:52 +0000 (00:54 -0500) | ||
| committer | Thomas Guyot-Sionnest <dermoth@aei.ca> | |
| Fri, 4 Feb 2011 05:54:52 +0000 (00:54 -0500) |
This patch adds a check for the certificate cn (hostname) to normal
certificate checks. It returns CRITICAL if th cn is missing, otherwise it
prints it in the normal output.
Patch by Stéphane Urbanovski
certificate checks. It returns CRITICAL if th cn is missing, otherwise it
prints it in the normal output.
Patch by Stéphane Urbanovski
| NEWS | patch | blob | history | |
| THANKS.in | patch | blob | history | |
| plugins/sslutils.c | patch | blob | history | |
| plugins/t/check_http.t | patch | blob | history | |
| plugins/tests/check_http.t | patch | blob | history |
index 540e0cfa83642a7256463777ed29c41f17c98d42..d7fea2735b029a844d4f128f219762c6de0cecfc 100644 (file)
--- a/NEWS
+++ b/NEWS
check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly)
check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699)
check_http now uses standard threshold functions (enables floating point and ranges)
+ check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski)
FIXES
Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603)
diff --git a/THANKS.in b/THANKS.in
index ac2b1c24119b31a8fe287abd70b48589affcdebd..387a3794a4882c87eefda2b33b3ae2fc384d7d68 100644 (file)
--- a/THANKS.in
+++ b/THANKS.in
Craig Leres
Brian Landers
Ryan Kelly
+Stéphane Urbanovski
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 64f4d61c9179c9c5d93e5ff5e5bebe7a17ac7b98..0bc61ed330fafcdb0720045cdd04e83b080e9ce9 100644 (file)
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
* Nagios plugins SSL utilities
*
* License: GPL
-* Copyright (c) 2005-2007 Nagios Plugins Development Team
+* Copyright (c) 2005-2010 Nagios Plugins Development Team
*
* Description:
*
*
*****************************************************************************/
+#define MAX_CN_LENGTH 256
#define LOCAL_TIMEOUT_ALARM_HANDLER
#include "common.h"
#include "netutils.h"
int np_net_ssl_check_cert(int days_till_exp){
# ifdef USE_OPENSSL
X509 *certificate=NULL;
+ X509_NAME *subj=NULL;
+ char cn[MAX_CN_LENGTH]= "";
+ int cnlen =-1;
+ int status=STATE_UNKNOWN;
+
ASN1_STRING *tm;
int offset;
struct tm stamp;
return STATE_CRITICAL;
}
+ /* Extract CN from certificate subject */
+ subj=X509_get_subject_name(certificate);
+
+ if(! subj){
+ printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+ return STATE_CRITICAL;
+ }
+ cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
+ if ( cnlen == -1 )
+ strcpy(cn , _("Unknown CN"));
+
/* Retrieve timestamp of certificate */
tm = X509_get_notAfter (certificate);
stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
if (days_left > 0 && days_left <= days_till_exp) {
- printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
- return STATE_WARNING;
+ printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
+ status=STATE_WARNING;
} else if (time_left < 0) {
- printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
- return STATE_CRITICAL;
+ printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
+ status=STATE_CRITICAL;
} else if (days_left == 0) {
- printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
- return STATE_WARNING;
+ printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
+ status=STATE_WARNING;
+ } else {
+ printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
+ status=STATE_OK;
}
-
- printf (_("OK - Certificate will expire on %s.\n"), timestamp);
X509_free (certificate);
- return STATE_OK;
+ return status;
# else /* ifndef USE_OPENSSL */
printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
return STATE_WARNING;
diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t
index c43a64a997fd9b1551a4aedd2a4ea83d04d664a4..55a5a530028e2793fc78fca583309776f06fc222 100644 (file)
--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
$res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" );
cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com");
- like ( $res->output, '/Certificate will expire on/', "Output OK" );
+ like ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" );
my $saved_cert_output = $res->output;
$res = NPTest->testCmd( "./check_http www.verisign.com -C 1" );
index 74eff1758acdcd3130362fb23a2ed6f7a1baa9e6..9ae6bbdcb21bfd0909b177dd1da0d312f962965a 100755 (executable)
$result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
- is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" );
+ is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" );
$result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
- like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
+ like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
# Expired cert tests
$result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
is( $result->output,
- 'CRITICAL - Certificate expired on 03/05/2009 00:13.',
+ 'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.',
"output ok" );
}