-rw-r--r--NEWS7
-rw-r--r--configure.ac6
-rw-r--r--doc/developer-guidelines.sgml7
-rw-r--r--plugins-root/check_dhcp.c43
-rw-r--r--plugins/Makefile.am2
-rw-r--r--plugins/check_disk.c43
-rw-r--r--plugins/check_http.c22
-rw-r--r--plugins/check_smtp.c13
-rw-r--r--plugins/check_snmp.c3
-rw-r--r--plugins/check_ups.c12
-rw-r--r--plugins/netutils.h10
-rw-r--r--plugins/sslutils.c81
-rw-r--r--plugins/t/check_snmp.t4
13 files changed, 131 insertions, 122 deletions
diff --git a/NEWS b/NEWS
index 33e8a5ce..e1efcc67 100644
--- a/NEWS
+++ b/NEWS
@@ -6,14 +6,19 @@ This file documents the major additions and syntax changes between releases.
thresholds
New check_snmp "-N" option to specify SNMPv3 context name
New check_nt "-l" parameters: seconds|minutes|hours|days
- Make sure check_disk won't hang on hanging (network) file systems
New check_mailq -s option which tells the plugin to use sudo(8)
New -W/-C option for check_ldap to check number of entries (Gerhard Lausser)
+ The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2"
+ to force TLSv1.1 and TLSv1.2 connections, respectively
+ The check_http -S/--ssl option now allows for specifying the desired
+ protocol with a "+" suffix to also accept newer versions
FIXES
Let check_real terminate lines with CRLF when talking to the server, as
mandated by 2326
Fix check_procs on HP-UX
+ check_smtp's -e/--expect option can now be combined with -S/--starttls
+ Fix incorrect performance data thresholds emitted by check_ups
WARNINGS
The format of the performance data emitted by check_mrtgtraf has been
diff --git a/configure.ac b/configure.ac
index ce1728e3..29de4bdc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,12 +156,6 @@ AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket")
AC_CHECK_LIB(resolv,main,SOCKETLIBS="$SOCKETLIBS -lresolv")
AC_SUBST(SOCKETLIBS)
-dnl Check for POSIX thread libraries
-AC_CHECK_HEADERS(pthread.h)
-AC_CHECK_LIB(pthread,pthread_create,THREADLIBS="-lpthread",
- AC_CHECK_LIB(pthread,pthread_create,THREADLIBS="-lpthread -lrt",-lrt))
-AC_SUBST(THREADLIBS)
-
dnl
dnl check for math-related functions needing -lm
AC_CHECK_HEADERS(math.h)
diff --git a/doc/developer-guidelines.sgml b/doc/developer-guidelines.sgml
index 228d3fa1..6f31f365 100644
--- a/doc/developer-guidelines.sgml
+++ b/doc/developer-guidelines.sgml
@@ -200,9 +200,8 @@
operation. Higher-level errors (such as name resolution errors,
socket timeouts, etc) are outside of the control of plugins and should
generally NOT be reported as UNKNOWN states.
- </para>
- <para>The --help or --version output should also result in Unknown state.</para>
- </entry>
+ </para><para>The --help or --version output should also result in Unknown state.
+ </para></entry>
</row>
</tbody>
</tgroup>
@@ -613,7 +612,7 @@
The user should be allowed to specify -v multiple times to increase
the verbosity level, as described in <xref linkend="verboselevels">.</para>
- The exit code for version information or help should be UNKNOWN
+ <para>The exit code for version information or help should be UNKNOWN
(3).</para>
</section>
diff --git a/plugins-root/check_dhcp.c b/plugins-root/check_dhcp.c
index 3723e61a..d8afb172 100644
--- a/plugins-root/check_dhcp.c
+++ b/plugins-root/check_dhcp.c
@@ -229,7 +229,7 @@ struct in_addr requested_address;
int process_arguments(int, char **);
int call_getopt(int, char **);
-int validate_arguments(void);
+int validate_arguments(int, int);
void print_usage(void);
void print_help(void);
@@ -1059,29 +1059,19 @@ int get_results(void){
/* process command-line arguments */
int process_arguments(int argc, char **argv){
- int c;
+ int arg_index;
if(argc<1)
return ERROR;
- c=0;
- while((c+=(call_getopt(argc-c,&argv[c])))<argc){
-
- /*
- if(is_option(argv[c]))
- continue;
- */
- }
-
- return validate_arguments();
+ arg_index = call_getopt(argc,argv);
+ return validate_arguments(argc,arg_index);
}
int call_getopt(int argc, char **argv){
- int c=0;
- int i=0;
-
+ extern int optind;
int option_index = 0;
static struct option long_options[] =
{
@@ -1098,25 +1088,14 @@ int call_getopt(int argc, char **argv){
};
while(1){
- c=getopt_long(argc,argv,"+hVvt:s:r:t:i:m:u",long_options,&option_index);
+ int c=0;
- i++;
+ c=getopt_long(argc,argv,"+hVvt:s:r:t:i:m:u",long_options,&option_index);
if(c==-1||c==EOF||c==1)
break;
switch(c){
- case 'w':
- case 'r':
- case 't':
- case 'i':
- i++;
- break;
- default:
- break;
- }
-
- switch(c){
case 's': /* DHCP server address */
resolve_host(optarg,&dhcp_ip);
@@ -1181,12 +1160,14 @@ int call_getopt(int argc, char **argv){
break;
}
}
-
- return i;
+ return optind;
}
-int validate_arguments(void){
+int validate_arguments(int argc, int arg_index){
+
+ if(argc-optind > 0)
+ usage(_("Got unexpected non-option argument"));
return OK;
}
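Review bot: validate_arguments() gains an `arg_index` parameter but never reads it; the check uses the global `optind` instead, so the value returned by call_getopt() and passed on by process_arguments() is dead. Either use the parameter, `if(argc-arg_index > 0)`, or drop it and keep the old `void` signature. Also, `extern int optind;` is declared at block scope inside call_getopt(), so this function depends on a header declaring `optind` at file scope, which is not visible in the hunk.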
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 41906c53..0ddf9bd1 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -71,7 +71,7 @@ check_apt_LDADD = $(BASEOBJS)
check_cluster_LDADD = $(BASEOBJS)
check_dbi_LDADD = $(NETLIBS) $(DBILIBS)
check_dig_LDADD = $(NETLIBS)
-check_disk_LDADD = $(BASEOBJS) $(THREADLIBS)
+check_disk_LDADD = $(BASEOBJS)
check_dns_LDADD = $(NETLIBS)
check_dummy_LDADD = $(BASEOBJS)
check_fping_LDADD = $(NETLIBS)
diff --git a/plugins/check_disk.c b/plugins/check_disk.c
index 9693bad3..874a0ee0 100644
--- a/plugins/check_disk.c
+++ b/plugins/check_disk.c
@@ -51,9 +51,6 @@ const char *email = "devel@monitoring-plugins.org";
# include <limits.h>
#endif
#include "regex.h"
-#if HAVE_PTHREAD_H
-# include <pthread.h>
-#endif
#ifdef __CYGWIN__
# include <windows.h>
@@ -133,7 +130,6 @@ void print_help (void);
void print_usage (void);
double calculate_percent(uintmax_t, uintmax_t);
void stat_path (struct parameter_list *p);
-void *do_stat_path (void *p);
void get_stats (struct parameter_list *p, struct fs_usage *fsp);
void get_path_stats (struct parameter_list *p, struct fs_usage *fsp);
@@ -972,44 +968,6 @@ print_usage (void)
void
stat_path (struct parameter_list *p)
{
-#ifdef HAVE_PTHREAD_H
- pthread_t stat_thread;
- int statdone = 0;
- int timer = timeout_interval;
- struct timespec req, rem;
-
- req.tv_sec = 0;
- pthread_create(&stat_thread, NULL, do_stat_path, p);
- while (timer-- > 0) {
- req.tv_nsec = 10000000;
- nanosleep(&req, &rem);
- if (pthread_kill(stat_thread, 0)) {
- statdone = 1;
- break;
- } else {
- req.tv_nsec = 990000000;
- nanosleep(&req, &rem);
- }
- }
- if (statdone == 1) {
- pthread_join(stat_thread, NULL);
- } else {
- pthread_detach(stat_thread);
- if (verbose >= 3)
- printf("stat did not return within %ds on %s\n", timeout_interval, p->name);
- printf("DISK %s - ", _("CRITICAL"));
- die (STATE_CRITICAL, _("%s %s: %s\n"), p->name, _("hangs"), _("Timeout"));
- }
-#else
- do_stat_path(p);
-#endif
-}
-
-void *
-do_stat_path (void *in)
-{
- struct parameter_list *p = in;
-
/* Stat entry to check that dir exists and is accessible */
if (verbose >= 3)
printf("calling stat on %s\n", p->name);
@@ -1019,7 +977,6 @@ do_stat_path (void *in)
printf("DISK %s - ", _("CRITICAL"));
die (STATE_CRITICAL, _("%s %s: %s\n"), p->name, _("is not accessible"), strerror(errno));
}
- return NULL;
}
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 68b470ce..2038f4a1 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv)
parameters, like -S and -C combinations */
use_ssl = TRUE;
if (c=='S' && optarg != NULL) {
- ssl_version = atoi(optarg);
- if (ssl_version < 1 || ssl_version > 3)
- usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)"));
+ int got_plus = strchr(optarg, '+') != NULL;
+
+ if (!strncmp (optarg, "1.2", 3))
+ ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2;
+ else if (!strncmp (optarg, "1.1", 3))
+ ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1;
+ else if (optarg[0] == '1')
+ ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1;
+ else if (optarg[0] == '3')
+ ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3;
+ else if (optarg[0] == '2')
+ ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2;
+ else
+ usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
}
if (specify_port == FALSE)
server_port = HTTPS_PORT;
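Review bot: The version parser added under `if (c=='S' && optarg != NULL)` matches prefixes rather than whole values, so arguments outside the documented set are accepted and silently remapped. For example, `1.3` or `10` satisfies `optarg[0] == '1'` and pins TLSv1, `1.2x` selects TLSv1.2, and a `+` anywhere in the string sets `got_plus`. For a check that asserts which protocol a server speaks, a mistyped version therefore yields a result for a different, older protocol instead of the usage error. Compare the whole argument and accept `+` only as its last character, so that everything else reaches the existing `usage4` branch. The enclosing process_arguments() starts and ends outside the hunk.

```c
if (c=='S' && optarg != NULL) {
  size_t len = strcspn (optarg, "+");
  int got_plus = optarg[len] == '+' && optarg[len + 1] == '\0';

  if (optarg[len] != '\0' && !got_plus)
    len = 0; /* '+' is only valid as the final character */

  if (len == 3 && !strncmp (optarg, "1.2", 3))
    /* … unchanged: MP_TLSv1_2 / MP_TLSv1_2_OR_NEWER assignment … */
  else if (len == 3 && !strncmp (optarg, "1.1", 3))
    /* … unchanged: MP_TLSv1_1 / MP_TLSv1_1_OR_NEWER assignment … */
  else if (len == 1 && optarg[0] == '1')
    /* … unchanged: MP_TLSv1 / MP_TLSv1_OR_NEWER assignment … */
  else if (len == 1 && optarg[0] == '3')
    /* … unchanged: MP_SSLv3 / MP_SSLv3_OR_NEWER assignment … */
  else if (len == 1 && optarg[0] == '2')
    /* … unchanged: MP_SSLv2 / MP_SSLv2_OR_NEWER assignment … */
  /* … unchanged: else usage4 (...) … */
```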
@@ -1514,9 +1525,10 @@ print_help (void)
printf (UT_IPv46);
#ifdef HAVE_SSL
- printf (" %s\n", "-S, --ssl=VERSION");
+ printf (" %s\n", "-S, --ssl=VERSION[+]");
printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
- printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3)."));
+ printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
+ printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
printf (" %s\n", "--sni");
printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 56040ff2..1996c6d3 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -231,7 +231,7 @@ main (int argc, char **argv)
send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0);
recvlines(buffer, MAX_INPUT_BUFFER); /* wait for it */
- if (!strstr (buffer, server_expect)) {
+ if (!strstr (buffer, SMTP_EXPECT)) {
printf (_("Server does not support STARTTLS\n"));
smtp_quit();
return STATE_UNKNOWN;
@@ -276,6 +276,7 @@ main (int argc, char **argv)
# ifdef USE_OPENSSL
if ( check_cert ) {
result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
+ smtp_quit();
my_close();
return result;
}
@@ -581,11 +582,6 @@ process_arguments (int argc, char **argv)
usage4 (_("Timeout interval must be a positive integer"));
}
break;
- case 'S':
- /* starttls */
- use_ssl = TRUE;
- use_ehlo = TRUE;
- break;
case 'D':
/* Check SSL cert validity */
#ifdef USE_OPENSSL
@@ -607,9 +603,14 @@ process_arguments (int argc, char **argv)
days_till_exp_warn = atoi (optarg);
}
check_cert = TRUE;
+ ignore_send_quit_failure = TRUE;
#else
usage (_("SSL support not available - install OpenSSL and recompile"));
#endif
+ case 'S':
+ /* starttls */
+ use_ssl = TRUE;
+ use_ehlo = TRUE;
break;
case '4':
address_family = AF_INET;
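Review bot: `case 'D'` now runs straight into `case 'S'` with no marker, which reads like a lost `break;`, especially as the label sits directly after `#endif` and the `#else` branch ends in `usage()`. If the intent is that a certificate check also enables STARTTLS (the moved block suggests so, but the hunk does not say), add `/* FALLTHROUGH */` on the line before `case 'S':`, as sslutils.c does in this same commit. A short comment stating that `-D` sets `use_ssl` and `use_ehlo` through this path would keep a later reorder of the cases from silently disabling TLS for certificate checks. process_arguments() starts and ends outside the hunk.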
diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c
index 28cc44dd..9839d6e8 100644
--- a/plugins/check_snmp.c
+++ b/plugins/check_snmp.c
@@ -41,7 +41,6 @@ const char *email = "devel@monitoring-plugins.org";
#define DEFAULT_PORT "161"
#define DEFAULT_MIBLIST "ALL"
#define DEFAULT_PROTOCOL "1"
-#define DEFAULT_TIMEOUT 1
#define DEFAULT_RETRIES 5
#define DEFAULT_AUTH_PROTOCOL "MD5"
#define DEFAULT_PRIV_PROTOCOL "DES"
@@ -227,7 +226,7 @@ main (int argc, char **argv)
outbuff = strdup ("");
delimiter = strdup (" = ");
output_delim = strdup (DEFAULT_OUTPUT_DELIMITER);
- timeout_interval = DEFAULT_TIMEOUT;
+ timeout_interval = DEFAULT_SOCKET_TIMEOUT;
retries = DEFAULT_RETRIES;
np_init( (char *) progname, argc, argv );
diff --git a/plugins/check_ups.c b/plugins/check_ups.c
index dc5a348b..e9e56a51 100644
--- a/plugins/check_ups.c
+++ b/plugins/check_ups.c
@@ -242,8 +242,8 @@ main (int argc, char **argv)
}
xasprintf (&data, "%s %s", data,
perfdata ("battery", (long)ups_battery_percent, "%",
- check_warn, (long)(1000*warning_value),
- check_crit, (long)(1000*critical_value),
+ check_warn, (long)(warning_value),
+ check_crit, (long)(critical_value),
TRUE, 0, TRUE, 100));
} else {
xasprintf (&data, "%s %s", data,
@@ -271,8 +271,8 @@ main (int argc, char **argv)
}
xasprintf (&data, "%s %s", data,
perfdata ("load", (long)ups_load_percent, "%",
- check_warn, (long)(1000*warning_value),
- check_crit, (long)(1000*critical_value),
+ check_warn, (long)(warning_value),
+ check_crit, (long)(critical_value),
TRUE, 0, TRUE, 100));
} else {
xasprintf (&data, "%s %s", data,
@@ -308,8 +308,8 @@ main (int argc, char **argv)
}
xasprintf (&data, "%s %s", data,
perfdata ("temp", (long)ups_temperature, tunits,
- check_warn, (long)(1000*warning_value),
- check_crit, (long)(1000*critical_value),
+ check_warn, (long)(warning_value),
+ check_crit, (long)(critical_value),
TRUE, 0, FALSE, 0));
} else {
xasprintf (&data, "%s %s", data,
diff --git a/plugins/netutils.h b/plugins/netutils.h
index c6fce901..2766029e 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -91,6 +91,16 @@ RETSIGTYPE socket_timeout_alarm_handler (int) __attribute__((noreturn));
/* SSL-Related functionality */
#ifdef HAVE_SSL
+# define MP_SSLv2 1
+# define MP_SSLv3 2
+# define MP_TLSv1 3
+# define MP_TLSv1_1 4
+# define MP_TLSv1_2 5
+# define MP_SSLv2_OR_NEWER 6
+# define MP_SSLv3_OR_NEWER 7
+# define MP_TLSv1_OR_NEWER 8
+# define MP_TLSv1_1_OR_NEWER 9
+# define MP_TLSv1_2_OR_NEWER 10
/* maybe this could be merged with the above np_net_connect, via some flags */
int np_net_ssl_init(int sd);
int np_net_ssl_init_with_hostname(int sd, char *host_name);
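Review bot: The MP_* constants renumber the `version` argument. The removed check_http help text and the removed cases in sslutils.c used 1 = TLSv1, 2 = SSLv2, 3 = SSLv3, whereas here 1 is `MP_SSLv2`, 2 is `MP_SSLv3` and 3 is `MP_TLSv1`. Any caller of np_net_ssl_init_with_hostname_and_version() that still passes a literal would now negotiate a different, possibly weaker, protocol without an error; callers other than check_http are not visible on this page, so they need checking. A comment above the block, such as `/* values for the 'version' argument of np_net_ssl_init_with_hostname_and_version(); 0 selects auto-negotiation */`, would document the contract and the unnamed zero case.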
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index c9882c69..4f9c793c 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
SSL_METHOD *method = NULL;
+ long options = 0;
switch (version) {
- case 0: /* Deafult to auto negotiation */
- method = SSLv23_client_method();
- break;
- case 1: /* TLSv1 protocol */
- method = TLSv1_client_method();
- break;
- case 2: /* SSLv2 protocol */
+ case MP_SSLv2: /* SSLv2 protocol */
#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
- printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
- return STATE_CRITICAL;
+ printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
#else
method = SSLv2_client_method();
-#endif
break;
- case 3: /* SSLv3 protocol */
+#endif
+ case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+ printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
method = SSLv3_client_method();
break;
- default: /* Unsupported */
- printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
- return STATE_CRITICAL;
+#endif
+ case MP_TLSv1: /* TLSv1 protocol */
+#if defined(OPENSSL_NO_TLS1)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_client_method();
+ break;
+#endif
+ case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_1_client_method();
+ break;
+#endif
+ case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+ printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ method = TLSv1_2_client_method();
+ break;
+#endif
+ case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+ printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ options |= SSL_OP_NO_TLSv1_1;
+#endif
+ /* FALLTHROUGH */
+ case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+ printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+ return STATE_UNKNOWN;
+#else
+ options |= SSL_OP_NO_TLSv1;
+#endif
+ /* FALLTHROUGH */
+ case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+ options |= SSL_OP_NO_SSLv3;
+#endif
+ /* FALLTHROUGH */
+ case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+ options |= SSL_OP_NO_SSLv2;
+#endif
+ case MP_SSLv2_OR_NEWER:
+ /* FALLTHROUGH */
+ default: /* Default to auto negotiation */
+ method = SSLv23_client_method();
}
if (!initialized) {
/* Initialize SSL context */
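Review bot: The `MP_TLSv1_OR_NEWER` and `MP_SSLv3_OR_NEWER` cases skip their floor silently when `SSL_OP_NO_SSLv3` or `SSL_OP_NO_SSLv2` is undefined, unlike the TLSv1.1/1.2 cases just above, which return STATE_UNKNOWN. On a library lacking those macros (whether any supported build does is not visible here), a `+` request would reach `SSLv23_client_method()` with the older protocols still enabled and report success for a minimum it never enforced. Mirroring the other cases with an `#else` branch keeps this consistent, e.g. `printf("%s\n", _("UNKNOWN - Disabling SSLv3 is not supported by your SSL library.")); return STATE_UNKNOWN;`. Separately, `default:` now sends every unrecognised `version` to auto-negotiation where the old code returned an error. The last `/* FALLTHROUGH */` also sits below `case MP_SSLv2_OR_NEWER:` rather than above it.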
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
#endif
}
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+ options |= SSL_OP_NO_TICKET;
#endif
+ SSL_CTX_set_options(c, options);
SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
if ((s = SSL_new(c)) != NULL) {
#ifdef SSL_set_tlsext_host_name
diff --git a/plugins/t/check_snmp.t b/plugins/t/check_snmp.t
index 2d6c44a7..aefd872a 100644
--- a/plugins/t/check_snmp.t
+++ b/plugins/t/check_snmp.t
@@ -166,8 +166,8 @@ SKIP: {
SKIP: {
skip "no non responsive host defined", 2 if ( ! $host_nonresponsive );
$res = NPTest->testCmd( "./check_snmp -H $host_nonresponsive -C np_foobar -o system.sysUpTime.0 -w 1: -c 1:");
- cmp_ok( $res->return_code, '==', 3, "Exit UNKNOWN with non responsive host" );
- like($res->output, '/External command error: Timeout: No Response from /', "String matches timeout problem");
+ cmp_ok( $res->return_code, '==', 2, "Exit CRITICAL with non responsive host" );
+ like($res->output, '/Plugin timed out while executing system call/', "String matches timeout problem");
}
SKIP: {