author | Barak Shohat <barak@bazzisoft.com> | 2021-04-07 12:34:46 +0300 |
---|---|---|
committer | Barak Shohat <barak@bazzisoft.com> | 2021-04-07 15:38:47 +0300 |
commit | 6993c216955a54845d98dc568534613334c0b545 (patch) | |
tree | 5c69050db7d0407f7fb668a40fdc8d5620527596 | |
parent | 57b4dc0f2307cd49bedeed01ee56bc6077d428f5 (diff) | |
download | monitoring-plugins-6993c216955a54845d98dc568534613334c0b545.tar.gz |
Add an option to check_curl to verify the peer certificate & host using the system CAs
-rw-r--r-- | plugins/check_curl.c | 17 | ||||
-rw-r--r-- | plugins/t/check_curl.t | 5 |
2 files changed, 18 insertions, 4 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 8f274c26..19f80b74 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -195,6 +195,7 @@ int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
+int verify_peer_and_host = FALSE;
 int is_openssl_callback = FALSE;
 #if defined(HAVE_SSL) && defined(USE_OPENSSL)
 X509 *cert = NULL;
@@ -489,9 +490,11 @@ check_http (void)
 if (client_privkey)
 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
 if (ca_cert) {
+ handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
+ }
+ if (ca_cert || verify_peer_and_host) {
 /* per default if we have a CA verify both the peer and the
 * hostname in the certificate, can be switched off later */
- handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
 } else {
@@ -1159,6 +1162,7 @@ process_arguments (int argc, char **argv)
 {"client-cert", required_argument, 0, 'J'},
 {"private-key", required_argument, 0, 'K'},
 {"ca-cert", required_argument, 0, CA_CERT_OPTION},
+ {"verify-cert", no_argument, 0, 'D'},
 {"useragent", required_argument, 0, 'A'},
 {"header", required_argument, 0, 'k'},
 {"no-body", no_argument, 0, 'N'},
@@ -1193,7 +1197,7 @@ process_arguments (int argc, char **argv)
 server_url = strdup(DEFAULT_SERVER_URL);
 while (1) {
- c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option);
+ c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NE", longopts, &option);
 if (c == -1 || c == EOF || c == 1) break;
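Review bot: The comment retained inside the new `if (ca_cert || verify_peer_and_host)` block still says "per default if we have a CA verify both the peer and the hostname", which no longer matches the condition now that `-D` turns verification on without any CA file. In that case CURLOPT_CAINFO is never set, so libcurl falls back to whatever default CA bundle or path it was built or configured with, which is the "system CA" behaviour the commit message describes; the block should state that so the trust anchor in play is visible to the reader. Suggested replacement for the two comment lines: `/* verify both the peer and the hostname when a CA file was given or -D was requested; without --ca-cert libcurl's default CA bundle is the trust store. Can be switched off later */`. The `else` branch and the rest of check_http continue outside the hunk.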
@@ -1333,6 +1337,11 @@ process_arguments (int argc, char **argv)
 ca_cert = optarg;
 goto enable_ssl;
 #endif
+#ifdef LIBCURL_FEATURE_SSL
+ case 'D': /* verify peer certificate & host */
+ verify_peer_and_host = TRUE;
+ goto enable_ssl;
+#endif
 case 'S': /* use SSL */
 #ifdef LIBCURL_FEATURE_SSL
 enable_ssl:
@@ -1703,6 +1712,8 @@ print_help (void)
 printf (" %s\n", _("matching the client certificate"));
 printf (" %s\n", "--ca-cert=FILE");
 printf (" %s\n", _("CA certificate file to verify peer against"));
+ printf (" %s\n", "-D, --verify-cert");
+ printf (" %s\n", _("Verify the peer's SSL certificate and hostname"));
 #endif
 printf (" %s\n", "-e, --expect=STRING");
@@ -1836,7 +1847,7 @@ print_usage (void)
 {
 printf ("%s\n", _("Usage:"));
 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
- printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>]\n");
+ printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n");
 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n");
 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t
index 4bff538a..55577add 100644
--- a/plugins/t/check_curl.t
+++ b/plugins/t/check_curl.t
@@ -9,7 +9,7 @@ use Test::More;
 use POSIX qw/mktime strftime/;
 use NPTest;
-plan tests => 57;
+plan tests => 58;
 my $successOutput = '/OK.*HTTP.*second/';
@@ -94,6 +94,9 @@ SKIP: {
 $res = NPTest->testCmd("./$plugin -v -H $host_tls_http:443 -S -p 443");
 like( $res->output, '/^Host: '.$host_tls_http.'\s*$/ms', "Host Header OK" );
+
+ $res = NPTest->testCmd("./$plugin -v -H $host_tls_http -D -p 443");
+ like( $res->output, '/(^Host: '.$host_tls_http.'\s*$)|(cURL returned 60)/ms', "Host Header OK" );
 };
 SKIP: {
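Review bot: The new `case 'D'` jumps to `enable_ssl`, so `--verify-cert` also switches the check to SSL, yet neither the case comment nor the help text added in the -1703 hunk says so, and the help text does not say which trust store is consulted when no `--ca-cert` is given. Suggest `case 'D': /* verify peer certificate & host against libcurl's default CA bundle; implies -S */` here, and `_("Verify the peer's SSL certificate and hostname against the system CA store (implies -S)")` for the description line in print_help. The case is compiled only under LIBCURL_FEATURE_SSL while `D` stays in the getopt string unconditionally, so in a build without SSL support `-D` presumably reaches the switch's default branch; that branch is outside the hunk, so it is worth confirming it reports an unknown option rather than accepting the flag without enabling verification. process_arguments continues outside the hunk.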
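Review bot: The new `like(...)` accepts either the Host header or `cURL returned 60`, so it passes both when `-D` verification succeeds and when the peer certificate is rejected, which means it cannot show that `-D` actually enforces verification; it also reuses the label `"Host Header OK"` from the assertion just above it, so a failure cannot be attributed. If the intent is only to check that `-D` is accepted and reaches the TLS handshake, name it that way, e.g. `"-D accepted (verified or CA untrusted)"`, and consider a separate assertion against an endpoint whose certificate is expected to fail verification, if the test harness offers one, so that the negative path is exercised too. The enclosing SKIP block starts outside the hunk.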