From 4611e41bc50d15275b316c6f21b688997a9c78c4 Mon Sep 17 00:00:00 2001 From: Thomas Guyot-Sionnest Date: Fri, 4 Feb 2011 00:54:52 -0500 Subject: [PATCH] check_http: check for and print the certificate cn MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patch adds a check for the certificate cn (hostname) to normal certificate checks. It returns CRITICAL if th cn is missing, otherwise it prints it in the normal output. Patch by Stéphane Urbanovski --- NEWS | 1 + THANKS.in | 1 + plugins/sslutils.c | 38 ++++++++++++++++++++++++++++---------- plugins/t/check_http.t | 2 +- plugins/tests/check_http.t | 6 +++--- 5 files changed, 34 insertions(+), 14 deletions(-) diff --git a/NEWS b/NEWS index 540e0cf..d7fea27 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,7 @@ This file documents the major additions and syntax changes between releases. check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly) check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699) check_http now uses standard threshold functions (enables floating point and ranges) + check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski) FIXES Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603) diff --git a/THANKS.in b/THANKS.in index ac2b1c2..387a379 100644 --- a/THANKS.in +++ b/THANKS.in @@ -266,3 +266,4 @@ Stephane Chazelas Craig Leres Brian Landers Ryan Kelly +Stéphane Urbanovski diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 64f4d61..0bc61ed 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -3,7 +3,7 @@ * Nagios plugins SSL utilities * * License: GPL -* Copyright (c) 2005-2007 Nagios Plugins Development Team +* Copyright (c) 2005-2010 Nagios Plugins Development Team * * Description: * @@ -26,6 +26,7 @@ * *****************************************************************************/ +#define MAX_CN_LENGTH 256 #define LOCAL_TIMEOUT_ALARM_HANDLER #include "common.h" #include "netutils.h" @@ -97,6 +98,11 @@ int np_net_ssl_read(void *buf, int num){ int np_net_ssl_check_cert(int days_till_exp){ # ifdef USE_OPENSSL X509 *certificate=NULL; + X509_NAME *subj=NULL; + char cn[MAX_CN_LENGTH]= ""; + int cnlen =-1; + int status=STATE_UNKNOWN; + ASN1_STRING *tm; int offset; struct tm stamp; @@ -110,6 +116,17 @@ int np_net_ssl_check_cert(int days_till_exp){ return STATE_CRITICAL; } + /* Extract CN from certificate subject */ + subj=X509_get_subject_name(certificate); + + if(! subj){ + printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); + return STATE_CRITICAL; + } + cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); + if ( cnlen == -1 ) + strcpy(cn , _("Unknown CN")); + /* Retrieve timestamp of certificate */ tm = X509_get_notAfter (certificate); @@ -155,19 +172,20 @@ int np_net_ssl_check_cert(int days_till_exp){ stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); if (days_left > 0 && days_left <= days_till_exp) { - printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); - return STATE_WARNING; + printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); + status=STATE_WARNING; } else if (time_left < 0) { - printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); - return STATE_CRITICAL; + printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); + status=STATE_CRITICAL; } else if (days_left == 0) { - printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); - return STATE_WARNING; + printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); + status=STATE_WARNING; + } else { + printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); + status=STATE_OK; } - - printf (_("OK - Certificate will expire on %s.\n"), timestamp); X509_free (certificate); - return STATE_OK; + return status; # else /* ifndef USE_OPENSSL */ printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); return STATE_WARNING; diff --git a/plugins/t/check_http.t b/plugins/t/check_http.t index c43a64a..55a5a53 100644 --- a/plugins/t/check_http.t +++ b/plugins/t/check_http.t @@ -102,7 +102,7 @@ SKIP: { $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" ); cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com"); - like ( $res->output, '/Certificate will expire on/', "Output OK" ); + like ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" ); my $saved_cert_output = $res->output; $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" ); diff --git a/plugins/tests/check_http.t b/plugins/tests/check_http.t index 74eff17..9ae6bbd 100755 --- a/plugins/tests/check_http.t +++ b/plugins/tests/check_http.t @@ -182,17 +182,17 @@ SKIP: { $result = NPTest->testCmd( "$command -p $port_https -S -C 14" ); is( $result->return_code, 0, "$command -p $port_https -S -C 14" ); - is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" ); + is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" ); $result = NPTest->testCmd( "$command -p $port_https -S -C 14000" ); is( $result->return_code, 1, "$command -p $port_https -S -C 14000" ); - like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" ); + like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" ); # Expired cert tests $result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" ); is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" ); is( $result->output, - 'CRITICAL - Certificate expired on 03/05/2009 00:13.', + 'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.', "output ok" ); } -- 2.30.2