1 /*****************************************************************************
3 * Nagios plugins SSL utilities
6 * Copyright (c) 2005-2010 Nagios Plugins Development Team
10 * This file contains common functions for plugins that require SSL.
13 * This program is free software: you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation, either version 3 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 *****************************************************************************/
29 #define MAX_CN_LENGTH 256
30 #define LOCAL_TIMEOUT_ALARM_HANDLER
35 static SSL_CTX
*c
=NULL
;
37 static int initialized
=0;
39 int np_net_ssl_init(int sd
) {
40 return np_net_ssl_init_with_hostname(sd
, NULL
);
43 int np_net_ssl_init_with_hostname(int sd
, char *host_name
) {
44 return np_net_ssl_init_with_hostname_and_version(sd
, host_name
, 0);
47 int np_net_ssl_init_with_hostname_and_version(int sd
, char *host_name
, int version
) {
48 const SSL_METHOD
*method
= NULL
;
51 case 0: /* Deafult to auto negotiation */
52 method
= SSLv23_client_method();
54 case 1: /* TLSv1 protocol */
55 method
= TLSv1_client_method();
57 case 2: /* SSLv2 protocol */
58 #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
59 printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
60 return STATE_CRITICAL
;
62 method
= SSLv2_client_method();
65 case 3: /* SSLv3 protocol */
66 method
= SSLv3_client_method();
68 default: /* Unsupported */
69 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
70 return STATE_CRITICAL
;
73 /* Initialize SSL context */
74 SSLeay_add_ssl_algorithms();
75 SSL_load_error_strings();
76 OpenSSL_add_all_algorithms();
79 if ((c
= SSL_CTX_new(method
)) == NULL
) {
80 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
81 return STATE_CRITICAL
;
83 #ifdef SSL_OP_NO_TICKET
84 SSL_CTX_set_options(c
, SSL_OP_NO_TICKET
);
86 if ((s
= SSL_new(c
)) != NULL
) {
87 #ifdef SSL_set_tlsext_host_name
88 if (host_name
!= NULL
)
89 SSL_set_tlsext_host_name(s
, host_name
);
92 if (SSL_connect(s
) == 1) {
95 printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
96 # ifdef USE_OPENSSL /* XXX look into ERR_error_string */
97 ERR_print_errors_fp(stdout
);
98 # endif /* USE_OPENSSL */
101 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
103 return STATE_CRITICAL
;
106 void np_net_ssl_cleanup() {
108 #ifdef SSL_set_tlsext_host_name
109 SSL_set_tlsext_host_name(s
, NULL
);
121 int np_net_ssl_write(const void *buf
, int num
) {
122 return SSL_write(s
, buf
, num
);
125 int np_net_ssl_read(void *buf
, int num
) {
126 return SSL_read(s
, buf
, num
);
129 int np_net_ssl_check_cert(int days_till_exp_warn
, int days_till_exp_crit
){
131 X509
*certificate
=NULL
;
132 X509_NAME
*subj
=NULL
;
133 char cn
[MAX_CN_LENGTH
]= "";
135 int status
=STATE_UNKNOWN
;
142 char timestamp
[17] = "";
144 certificate
=SSL_get_peer_certificate(s
);
146 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
147 return STATE_CRITICAL
;
150 /* Extract CN from certificate subject */
151 subj
=X509_get_subject_name(certificate
);
154 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
155 return STATE_CRITICAL
;
157 cnlen
= X509_NAME_get_text_by_NID(subj
, NID_commonName
, cn
, sizeof(cn
));
159 strcpy(cn
, _("Unknown CN"));
161 /* Retrieve timestamp of certificate */
162 tm
= X509_get_notAfter(certificate
);
164 /* Generate tm structure to process timestamp */
165 if (tm
->type
== V_ASN1_UTCTIME
) {
166 if (tm
->length
< 10) {
167 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
168 return STATE_CRITICAL
;
170 stamp
.tm_year
= (tm
->data
[0] - '0') * 10 + (tm
->data
[1] - '0');
171 if (stamp
.tm_year
< 50)
172 stamp
.tm_year
+= 100;
176 if (tm
->length
< 12) {
177 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
178 return STATE_CRITICAL
;
181 (tm
->data
[0] - '0') * 1000 + (tm
->data
[1] - '0') * 100 +
182 (tm
->data
[2] - '0') * 10 + (tm
->data
[3] - '0');
183 stamp
.tm_year
-= 1900;
188 (tm
->data
[2 + offset
] - '0') * 10 + (tm
->data
[3 + offset
] - '0') - 1;
190 (tm
->data
[4 + offset
] - '0') * 10 + (tm
->data
[5 + offset
] - '0');
192 (tm
->data
[6 + offset
] - '0') * 10 + (tm
->data
[7 + offset
] - '0');
194 (tm
->data
[8 + offset
] - '0') * 10 + (tm
->data
[9 + offset
] - '0');
198 time_left
= difftime(timegm(&stamp
), time(NULL
));
199 days_left
= time_left
/ 86400;
201 (timestamp
, 17, "%02d/%02d/%04d %02d:%02d",
203 stamp
.tm_mday
, stamp
.tm_year
+ 1900, stamp
.tm_hour
, stamp
.tm_min
);
205 if (days_left
> 0 && days_left
<= days_till_exp_warn
) {
206 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left
>days_till_exp_crit
)?"WARNING":"CRITICAL", cn
, days_left
, timestamp
);
207 if (days_left
> days_till_exp_crit
)
208 return STATE_WARNING
;
210 return STATE_CRITICAL
;
211 } else if (time_left
< 0) {
212 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn
, timestamp
);
213 status
=STATE_CRITICAL
;
214 } else if (days_left
== 0) {
215 printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left
>days_till_exp_crit
)?"WARNING":"CRITICAL", cn
, timestamp
);
216 if (days_left
> days_till_exp_crit
)
217 return STATE_WARNING
;
219 return STATE_CRITICAL
;
221 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn
, timestamp
);
224 X509_free(certificate
);
226 # else /* ifndef USE_OPENSSL */
227 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
228 return STATE_WARNING
;
229 # endif /* USE_OPENSSL */
232 #endif /* HAVE_SSL */