tyler.durden
/
centreon-plugins
mirror of https://github.com/centreon/centreon-plugins.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enh x509 (#2596)

This commit is contained in:
qgarnier 2021-02-18 11:04:21 +01:00 committed by GitHub
parent 4d01712e2c
commit 9238b96fbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 579 additions and 362 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

230
apps/protocols/x509/custom/https.pm Normal file
View File

@ -0,0 +1,230 @@
#
# Copyright 2021 Centreon (http://www.centreon.com/)
#
# Centreon is a full-fledged industry-strength solution that meets
# the needs in IT infrastructure and application monitoring for
# service performance.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package apps::protocols::x509::custom::https;
use strict;
use warnings;
use centreon::plugins::http;
use Net::SSLeay 1.42;
use DateTime;
sub new {
my ($class, %options) = @_;
my $self = {};
bless $self, $class;
if (!defined($options{output})) {
print "Class Custom: Need to specify 'output' argument.\n";
exit 3;
}
if (!defined($options{options})) {
$options{output}->add_option_msg(short_msg => "Class Custom: Need to specify 'options' argument.");
$options{output}->option_exit();
}
if (!defined($options{noptions})) {
$options{options}->add_options(arguments => {
'hostname:s' => { name => 'hostname' },
'port:s' => { name => 'port', },
'method:s' => { name => 'method' },
'urlpath:s' => { name => 'url_path' },
'timeout:s' => { name => 'timeout' },
'header:s@' => { name => 'header' }
});
}
$options{options}->add_help(package => __PACKAGE__, sections => 'CUSTOM HTTPS OPTIONS', once => 1);
$self->{output} = $options{output};
$self->{http} = centreon::plugins::http->new(%options);
return $self;
}
sub set_options {
my ($self, %options) = @_;
$self->{option_results} = $options{option_results};
}
sub set_defaults {}
sub check_options {
my ($self, %options) = @_;
$self->{option_results}->{hostname} = (defined($self->{option_results}->{hostname})) ? $self->{option_results}->{hostname} : '';
$self->{option_results}->{port} = (defined($self->{option_results}->{port})) ? $self->{option_results}->{port} : 443;
$self->{option_results}->{proto} = 'https';
$self->{option_results}->{url_path} = (defined($self->{option_results}->{url_path})) ? $self->{option_results}->{url_path} : '/';
$self->{option_results}->{timeout} = (defined($self->{option_results}->{timeout})) ? $self->{option_results}->{timeout} : 5;
if ($self->{option_results}->{hostname} eq '') {
$self->{output}->add_option_msg(short_msg => "Need to specify hostname option.");
$self->{output}->option_exit();
}
$self->{http}->set_options(%{$self->{option_results}});
return 0;
}
sub pem_type {
my ($self, %options) = @_;
my $bio_cert = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem());
if (!$bio_cert) {
$self->{output}->add_option_msg(short_msg => "Cannot init Net::SSLeay: $!");
$self->{output}->option_exit();
}
if (Net::SSLeay::BIO_write($bio_cert, $options{cert}) < 0) {
$self->{output}->add_option_msg(short_msg => "Cannot write certificate: $!");
$self->{output}->option_exit();
}
my $x509 = Net::SSLeay::PEM_read_bio_X509($bio_cert);
if (!$x509) {
$self->{output}->add_option_msg(short_msg => "Cannot read certificate: $!");
$self->{output}->option_exit();
}
my $cert_infos = {};
$cert_infos->{issuer} = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($x509));
$cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509));
my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($x509));
if ($subject =~ /CN=(.*?)(?:\/(?:C|ST|L|O)=|\Z)/) {
$cert_infos->{subject} = $1;
}
my @subject_alt_names = Net::SSLeay::X509_get_subjectAltNames($x509);
my $append = '';
$cert_infos->{alt_subjects} = '';
for (my $i = 0; $i < $#subject_alt_names; $i += 2) {
my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]);
if ($type == &Net::SSLeay::GEN_IPADD) {
$name = inet_ntoa($name);
}
$cert_infos->{alt_subjects} .= $append . $name;
$append = ', ';
}
$cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z
my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6);
$cert_infos->{expiration} = $dt->epoch();
return $cert_infos;
}
sub socket_type {
my ($self, %options) = @_;
my $cert_infos = {};
$cert_infos->{subject} = $options{socket}->peer_certificate('commonName');
$cert_infos->{issuer} = $options{socket}->peer_certificate('authority');
my @subject_alt_names = $options{socket}->peer_certificate('subjectAltNames');
my $append = '';
$cert_infos->{alt_subjects} = '';
for (my $i = 0; $i < $#subject_alt_names; $i += 2) {
my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]);
if ($type == &Net::SSLeay::GEN_IPADD) {
$name = inet_ntoa($name);
}
$cert_infos->{alt_subjects} .= $append . $name;
$append = ', ';
}
$cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($options{socket}->peer_certificate()));
$cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z
my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6);
$cert_infos->{expiration} = $dt->epoch();
return $cert_infos;
}
sub get_certificate_informations {
my ($self, %options) = @_;
$self->{http}->request(
certinfo => 1,
unknown_status => '',
warning_status => '',
critical_status => ''
);
my ($type, $cert) = $self->{http}->get_certificate();
if (!defined($cert)) {
$self->{output}->add_option_msg(short_msg => $self->{http}->get_message());
$self->{output}->option_exit();
}
my $cert_infos;
if ($type eq 'pem') {
$cert_infos = $self->pem_type(cert => $cert);
} elsif ($type eq 'socket') {
$cert_infos = $self->socket_type(socket => $cert);
}
return $cert_infos;
}
1;
__END__
=head1 NAME
http connection
=head1 CUSTOM HTTPS OPTIONS
http connection
=over 8
=item B<--hostname>
IP Addr/FQDN of the webserver host
=item B<--port>
Port used by Webserver (Default: 443)
=item B<--method>
Specify http method used (Default: 'GET')
=item B<--urlpath>
Set path to get webpage (Default: '/')
=item B<--timeout>
Threshold for HTTP timeout (Default: 5)
=item B<--header>
Set HTTP headers (Multiple option)
=back
=head1 DESCRIPTION
B<custom>.
=cut

288
apps/protocols/x509/custom/tcp.pm Normal file
View File

@ -0,0 +1,288 @@
#
# Copyright 2021 Centreon (http://www.centreon.com/)
#
# Centreon is a full-fledged industry-strength solution that meets
# the needs in IT infrastructure and application monitoring for
# service performance.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package apps::protocols::x509::custom::tcp;
use base qw(centreon::plugins::mode);
use strict;
use warnings;
use Socket;
use IO::Socket::INET;
use IO::Socket::SSL;
use Net::SSLeay 1.42;
use DateTime;
sub new {
my ($class, %options) = @_;
my $self = {};
bless $self, $class;
if (!defined($options{output})) {
print "Class Custom: Need to specify 'output' argument.\n";
exit 3;
}
if (!defined($options{options})) {
$options{output}->add_option_msg(short_msg => "Class Custom: Need to specify 'options' argument.");
$options{output}->option_exit();
}
if (!defined($options{noptions})) {
$options{options}->add_options(arguments => {
'hostname:s' => { name => 'hostname' },
'port:s' => { name => 'port' },
'servername:s' => { name => 'servername' },
'ssl-opt:s@' => { name => 'ssl_opt' },
'ssl-ignore-errors' => { name => 'ssl_ignore_errors' },
'timeout:s' => { name => 'timeout', default => 3 },
'starttls:s' => { name => 'starttls' }
});
}
$options{options}->add_help(package => __PACKAGE__, sections => 'CUSTOM TCP OPTIONS', once => 1);
$self->{output} = $options{output};
return $self;
}
sub set_options {
my ($self, %options) = @_;
$self->{option_results} = $options{option_results};
}
sub set_defaults {}
sub check_options {
my ($self, %options) = @_;
$self->{hostname} = (defined($self->{option_results}->{hostname})) ? $self->{option_results}->{hostname} : '';
$self->{port} = (defined($self->{option_results}->{port})) && $self->{option_results}->{port} =~ /(\d+)/ ? $1 : '';
$self->{timeout} = (defined($self->{option_results}->{timeout})) && $self->{option_results}->{timeout} =~ /(\d+)/ ? $1 : 3;
if ($self->{hostname} eq '') {
$self->{output}->add_option_msg(short_msg => 'Need to specify --hostname option.');
$self->{output}->option_exit();
}
if ($self->{port} eq '') {
$self->{output}->add_option_msg(short_msg => "Please set --port option");
$self->{output}->option_exit();
}
my $append = '';
foreach (@{$self->{option_results}->{ssl_opt}}) {
if ($_ ne '') {
$self->{ssl_context} .= $append . $_;
$append = ', ';
}
}
return 0;
}
sub connect_ssl {
my ($self, %options) = @_;
my $socket;
eval {
$socket = IO::Socket::SSL->new(
PeerHost => $self->{option_results}->{hostname},
PeerPort => $self->{option_results}->{port},
$self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : (),
$self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : ()
);
};
if ($@) {
$self->{output}->add_option_msg(short_msg => sprintf("%s", $@));
$self->{output}->option_exit();
}
if (!defined($socket)) {
$self->{output}->add_option_msg(short_msg => "Error creating SSL socket: $!, SSL error: $SSL_ERROR");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{ssl_ignore_errors}) && defined($SSL_ERROR)) {
$self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR");
$self->{output}->option_exit();
}
return $socket;
}
sub smtp_plain_com {
my ($self, %options) = @_;
my $buffer;
$options{socket}->recv($buffer, 1024);
$options{socket}->send("HELO\r\n");
$options{socket}->recv($buffer, 1024);
$options{socket}->send("STARTTLS\r\n");
$options{socket}->recv($buffer, 1024);
if ($buffer !~ /^220\s/) {
$self->{output}->add_option_msg(short_msg => "Cannot starttls: $buffer");
$self->{output}->option_exit();
}
}
sub ftp_plain_com {
my ($self, %options) = @_;
my $buffer;
$options{socket}->recv($buffer, 1024);
$options{socket}->send("AUTH TLS\r\n");
$options{socket}->recv($buffer, 1024);
if ($buffer !~ /^234\s/) {
$self->{output}->add_option_msg(short_msg => "Cannot starttls: $buffer");
$self->{output}->option_exit();
}
}
sub connect_starttls {
my ($self, %options) = @_;
my $socket = IO::Socket::INET->new(
PeerHost => $self->{option_results}->{hostname},
PeerPort => $self->{option_results}->{port},
$self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : ()
);
if (!defined($socket)) {
$self->{output}->add_option_msg(short_msg => "Error creating socket: $!");
$self->{output}->option_exit();
}
if ($self->{option_results}->{starttls} eq 'smtp') {
$self->smtp_plain_com(socket => $socket);
} elsif ($self->{option_results}->{starttls} eq 'ftp') {
$self->ftp_plain_com(socket => $socket);
}
my $rv = IO::Socket::SSL->start_SSL(
$socket,
$self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : ()
);
if (!defined($self->{option_results}->{ssl_ignore_errors}) && !$rv) {
$self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR");
$self->{output}->option_exit();
}
return $socket;
}
sub get_certificate_informations {
my ($self, %options) = @_;
if (defined($self->{ssl_context}) && $self->{ssl_context} ne '') {
my $context = new IO::Socket::SSL::SSL_Context(eval $self->{ssl_context});
eval { IO::Socket::SSL::set_default_context($context) };
if ($@) {
$self->{output}->add_option_msg(short_msg => sprintf("Error setting SSL context: %s", $@));
$self->{output}->option_exit();
}
}
my $socket;
if (defined($self->{option_results}->{starttls})) {
$socket = $self->connect_starttls();
} else {
$socket = $self->connect_ssl();
}
my $cert_infos = {};
$cert_infos->{subject} = $socket->peer_certificate('commonName');
$cert_infos->{issuer} = $socket->peer_certificate('authority');
my @subject_alt_names = $socket->peer_certificate('subjectAltNames');
my $append = '';
$cert_infos->{alt_subjects} = '';
for (my $i = 0; $i < $#subject_alt_names; $i += 2) {
my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]);
if ($type == GEN_IPADD) {
$name = inet_ntoa($name);
}
$cert_infos->{alt_subjects} .= $append . $name;
$append = ', ';
}
$cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($socket->peer_certificate()));
$cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z
my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6);
$cert_infos->{expiration} = $dt->epoch();
return $cert_infos;
}
1;
__END__
=head1 NAME
tcp ssl connections
=head1 CUSTOM TCP OPTIONS
tcp ssl connection
=over 8
=item B<--hostname>
IP Addr/FQDN of the host.
=item B<--port>
Port used by host.
=item B<--servername>
Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com).
=item B<--ssl-opt>
Set SSL options.
Examples:
Do not verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
Verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER" --ssl-opt="SSL_version => TLSv1"
=item B<--ssl-ignore-errors>
Ignore SSL handshake errors. For example: 'SSL error: SSL wants a read first'.
=item B<--timeout>
Set timeout in seconds for SSL connection (Default: '3') (only with IO::Socket::SSL >= 1.984).
=item B<--starttls>
Init plaintext connection and start_SSL after. Can be: 'smtp', 'ftp'.
=back
=head1 DESCRIPTION
B<custom>.
=cut

147
apps/protocols/x509/mode/certificate.pm
View File

@ -24,11 +24,7 @@ use base qw(centreon::plugins::templates::counter);
use strict;
use warnings;
use Socket;
use IO::Socket::SSL;
use Net::SSLeay 1.42;
use DateTime;
use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold);
use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng);
sub custom_status_output {
my ($self, %options) = @_;
@ -59,19 +55,26 @@ sub set_counters {
my ($self, %options) = @_;
$self->{maps_counters_type} = [
{ name => 'global', type => 0 },
{ name => 'global', type => 0 }
];
$self->{maps_counters}->{global} = [
{ label => 'status', threshold => 0, set => {
key_values => [ { name => 'subject' }, { name => 'issuer' }, { name => 'expiration' },
{ name => 'date' }, { name => 'alt_subjects' } ],
{
label => 'status', type => 2,
warning_default => '%{expiration} < 60',
critical_default => '%{expiration} < 30',
set => {
key_values => [
{ name => 'subject' }, { name => 'issuer' },
{ name => 'expiration' }, { name => 'date' },
{ name => 'alt_subjects' }
],
closure_custom_calc => $self->can('custom_status_calc'),
closure_custom_output => $self->can('custom_status_output'),
closure_custom_perfdata => sub { return 0; },
closure_custom_threshold_check => \&catalog_status_threshold,
closure_custom_threshold_check => \&catalog_status_threshold_ng
}
},
}
];
}
@ -81,102 +84,22 @@ sub new {
bless $self, $class;
$options{options}->add_options(arguments => {
'hostname:s' => { name => 'hostname' },
'port:s' => { name => 'port' },
'servername:s' => { name => 'servername' },
'ssl-opt:s@' => { name => 'ssl_opt' },
'ssl-ignore-errors' => { name => 'ssl_ignore_errors' },
'timeout:s' => { name => 'timeout', default => '3' },
'warning-status:s' => { name => 'warning_status', default => '%{expiration} < 60' },
'critical-status:s' => { name => 'critical_status', default => '%{expiration} < 30' },
});
return $self;
}
sub check_options {
my ($self, %options) = @_;
$self->SUPER::check_options(%options);
if (!defined($self->{option_results}->{hostname}) || $self->{option_results}->{hostname} eq '') {
$self->{output}->add_option_msg(short_msg => "Please set --hostname option");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{port}) || $self->{option_results}->{port} eq '') {
$self->{output}->add_option_msg(short_msg => "Please set --port option");
$self->{output}->option_exit();
}
my $append = '';
foreach (@{$self->{option_results}->{ssl_opt}}) {
if ($_ ne '') {
$self->{ssl_context} .= $append . $_;
$append = ', ';
}
}
$self->change_macros(macros => ['warning_status', 'critical_status']);
}
sub manage_selection {
my ($self, %options) = @_;
if (defined($self->{ssl_context}) && $self->{ssl_context} ne '') {
my $context = new IO::Socket::SSL::SSL_Context(eval $self->{ssl_context});
eval { IO::Socket::SSL::set_default_context($context) };
if ($@) {
$self->{output}->add_option_msg(short_msg => sprintf("Error setting SSL context: %s", $@));
$self->{output}->option_exit();
}
}
my $socket;
eval {
$socket = IO::Socket::SSL->new(
PeerHost => $self->{option_results}->{hostname},
PeerPort => $self->{option_results}->{port},
$self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : (),
$self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : (),
);
};
if ($@) {
$self->{output}->add_option_msg(short_msg => sprintf("%s", $@));
$self->{output}->option_exit();
}
if (!defined($socket)) {
$self->{output}->add_option_msg(short_msg => "Error creating SSL socket: $!, SSL error: $SSL_ERROR");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{ssl_ignore_errors}) && defined($SSL_ERROR)) {
$self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR");
$self->{output}->option_exit();
}
my $subject = $socket->peer_certificate('commonName');
my $issuer = $socket->peer_certificate('authority');
my @subject_alt_names = $socket->peer_certificate('subjectAltNames');
my $append = '';
my $alt_subjects = '';
for (my $i = 0; $i < $#subject_alt_names; $i += 2) {
my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]);
if ($type == GEN_IPADD) {
$name = inet_ntoa($name);
}
$alt_subjects .= $append . $name;
$append = ', ';
}
my $notafterdate = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($socket->peer_certificate()));
$notafterdate =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z
my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6);
my $cert = $options{custom}->get_certificate_informations();
$self->{global} = {
subject => $subject,
issuer => $issuer,
expiration => $dt->epoch,
date => $notafterdate,
alt_subjects => $alt_subjects
subject => $cert->{subject},
issuer => $cert->{issuer},
expiration => $cert->{expiration},
date => $cert->{expiration_date},
alt_subjects => $cert->{alt_subjects}
};
}
@ -190,36 +113,6 @@ Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS)
=over 8
=item B<--hostname>
IP Addr/FQDN of the host.
=item B<--port>
Port used by host.
=item B<--servername>
Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com).
=item B<--ssl-opt>
Set SSL options.
Examples:
Do not verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
Verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER" --ssl-opt="SSL_version => TLSv1"
=item B<--ssl-ignore-errors>
Ignore SSL handshake errors. For example: 'SSL error: SSL wants a read first'.
=item B<--timeout>
Set timeout in seconds for SSL connection (Default: '3') (only with IO::Socket::SSL >= 1.984).
=item B<--warning-status>
Set warning threshold for status. (Default: '%{expiration} < 60').

231
apps/protocols/x509/mode/validity.pm
View File

@ -1,231 +0,0 @@
#
# Copyright 2021 Centreon (http://www.centreon.com/)
#
# Centreon is a full-fledged industry-strength solution that meets
# the needs in IT infrastructure and application monitoring for
# service performance.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package apps::protocols::x509::mode::validity;
use base qw(centreon::plugins::mode);
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;
use Socket;
use centreon::plugins::misc;
sub new {
my ($class, %options) = @_;
my $self = $class->SUPER::new(package => __PACKAGE__, %options, force_new_perfdata => 1);
bless $self, $class;
$options{options}->add_options(arguments => {
'hostname:s' => { name => 'hostname' },
'port:s' => { name => 'port' },
'servername:s' => { name => 'servername' },
'validity-mode:s' => { name => 'validity_mode' },
'warning-date:s' => { name => 'warning' },
'critical-date:s' => { name => 'critical' },
'subjectname:s' => { name => 'subjectname', default => '' },
'issuername:s' => { name => 'issuername', default => '' },
'timeout:s' => { name => 'timeout', default => 5 },
'ssl-opt:s%' => { name => 'ssl_opt' }
});
return $self;
}
sub check_options {
my ($self, %options) = @_;
$self->SUPER::init(%options);
if (($self->{perfdata}->threshold_validate(label => 'warning', value => $self->{option_results}->{warning})) == 0) {
$self->{output}->add_option_msg(short_msg => "Wrong warning threshold '" . $self->{option_results}->{warning} . "'.");
$self->{output}->option_exit();
}
if (($self->{perfdata}->threshold_validate(label => 'critical', value => $self->{option_results}->{critical})) == 0) {
$self->{output}->add_option_msg(short_msg => "Wrong critical threshold '" . $self->{option_results}->{critical} . "'.");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{hostname})) {
$self->{output}->add_option_msg(short_msg => "Please set the hostname option");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{port})) {
$self->{output}->add_option_msg(short_msg => "Please set the port option");
$self->{output}->option_exit();
}
if (!defined($self->{option_results}->{validity_mode}) || $self->{option_results}->{validity_mode} !~ /^expiration|subject|issuer$/) {
$self->{output}->add_option_msg(short_msg => "Please set the validity-mode option (issuer, subject or expiration)");
$self->{output}->option_exit();
}
$self->{ssl_opts} = '';
if (defined($self->{option_results}->{ssl_opt})) {
foreach (keys %{$self->{option_results}->{ssl_opt}}) {
$self->{ssl_opts} .= "$_ => " . $self->{option_results}->{ssl_opt}->{$_} . ", ";
}
}
}
sub run {
my ($self, %options) = @_;
# Global variables
my $client = IO::Socket::SSL->new(
PeerHost => $self->{option_results}->{hostname},
PeerPort => $self->{option_results}->{port},
eval $self->{ssl_opts},
$self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ):(),
);
if (!defined($client)) {
$self->{output}->output_add(severity => 'CRITICAL',
short_msg => "failed to accept or ssl handshake: $!,$SSL_ERROR");
$self->{output}->display();
$self->{output}->exit()
}
#Retrieve Certificate
my $cert;
eval { $cert = $client->peer_certificate() };
if ($@) {
$self->{output}->output_add(severity => 'CRITICAL',
short_msg => sprintf("%s", $@));
$self->{output}->display();
$self->{output}->exit()
}
my $subject = Net::SSLeay::X509_NAME_get_text_by_NID(
Net::SSLeay::X509_get_subject_name($cert), 13); # NID_CommonName
$subject =~ s{\0$}{}; # work around Bug in Net::SSLeay <1.33
#Expiration Date
if ($self->{option_results}->{validity_mode} eq 'expiration') {
centreon::plugins::misc::mymodule_load(output => $self->{output}, module => 'Date::Manip',
error_msg => "Cannot load module 'Date::Manip'.");
(my $notafterdate = Net::SSLeay::P_ASN1_UTCTIME_put2string(Net::SSLeay::X509_get_notAfter($cert))) =~ s/ GMT//;
my $daysbefore = int((Date::Manip::UnixDate(Date::Manip::ParseDate($notafterdate),"%s") - time) / 86400);
my $exit = $self->{perfdata}->threshold_check(value => $daysbefore,
threshold => [ { label => 'critical', exit_litteral => 'critical' }, { label => 'warning', exit_litteral => 'warning' } ]);
$self->{output}->output_add(severity => $exit,
short_msg => sprintf("Certificate expiration for '%s' in days: %s - Validity Date: %s", $subject, $daysbefore, $notafterdate));
$self->{output}->perfdata_add(
nlabel => 'certificate.expiration.days.count',
value => $daysbefore,
warning => $self->{perfdata}->get_perfdata_for_output(label => 'warning'),
critical => $self->{perfdata}->get_perfdata_for_output(label => 'critical')
);
#Subject Name
} elsif ($self->{option_results}->{validity_mode} eq 'subject') {
my @subject_matched = ();
if ($subject =~ /$self->{option_results}->{subjectname}/mi) {
push @subject_matched, $subject;
} else {
$self->{output}->output_add(long_msg => sprintf("Subject Name '%s' is also present in Certificate", $subject), debug => 1);
}
my @subject_alt_names = Net::SSLeay::X509_get_subjectAltNames($cert);
for (my $i = 0; $i < $#subject_alt_names; $i += 2) {
my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]);
if ($type == GEN_IPADD) {
$name = inet_ntoa($name);
}
if ($name =~ /$self->{option_results}->{subjectname}/mi) {
push @subject_matched, $name;
} else {
$self->{output}->output_add(long_msg => sprintf("Subject Name '%s' is also present in Certificate", $name), debug => 1);
}
}
if (@subject_matched == 0) {
$self->{output}->output_add(severity => 'CRITICAL',
short_msg => sprintf("No Subject Name matched '%s' in Certificate", $self->{option_results}->{subjectname}));
} else {
$self->{output}->output_add(severity => 'OK',
short_msg => sprintf("Subject Name [%s] is present in Certificate", join(', ', @subject_matched)));
}
#Issuer Name
} elsif ($self->{option_results}->{validity_mode} eq 'issuer') {
my $issuer_name = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));
if ($issuer_name =~ /$self->{option_results}->{issuername}/mi) {
$self->{output}->output_add(severity => 'OK',
short_msg => sprintf("Issuer Name '%s' is present in Certificate '%s': %s", $self->{option_results}->{issuername}, $subject, $issuer_name));
} else {
$self->{output}->output_add(severity => 'CRITICAL',
short_msg => sprintf("Issuer Name '%s' is not present in Certificate '%s': %s", $self->{option_results}->{issuername}, $subject, $issuer_name));
}
}
$self->{output}->display();
$self->{output}->exit();
}
1;
__END__
=head1 MODE
Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS)
Legacy mode, use 'certificate' mode instead.
=over 8
=item B<--hostname>
IP Addr/FQDN of the host
=item B<--servername>
Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com)
=item B<--port>
Port used by Server
=item B<--validity-mode>
Validity mode.
Can be : 'expiration' or 'subject' or 'issuer'
=item B<--warning-date>
Threshold warning in days (Days before expiration, eg: '60:' for 60 days before)
=item B<--critical-date>
Threshold critical in days (Days before expiration, eg: '30:' for 30 days before)
=item B<--subjectname>
Subject Name pattern (support alternative subject name)
=item B<--issuername>
Issuer Name pattern
=item B<--ssl-opt>
Set SSL Options (--ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE").
=back
=cut

8
apps/protocols/x509/plugin.pm
View File

@ -22,7 +22,7 @@ package apps::protocols::x509::plugin;
use strict;
use warnings;
use base qw(centreon::plugins::script_simple);
use base qw(centreon::plugins::script_custom);
sub new {
my ($class, %options) = @_;
@ -31,10 +31,12 @@ sub new {
$self->{version} = '0.1';
$self->{modes} = {
'certificate' => 'apps::protocols::x509::mode::certificate',
'validity' => 'apps::protocols::x509::mode::validity' #legacy mode
'certificate' => 'apps::protocols::x509::mode::certificate'
};
$self->{custom_modes}->{tcp} = 'apps::protocols::x509::custom::tcp';
$self->{custom_modes}->{https} = 'apps::protocols::x509::custom::https';
return $self;
}

11
centreon/plugins/backend/http/curl.pm
View File

@ -371,6 +371,10 @@ sub request {
$self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_HEADERDATA'), parameter => $self);
$self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_HEADERFUNCTION'), parameter => \&cb_get_header);
if (defined($options{request}->{certinfo}) && $options{request}->{certinfo} == 1) {
$self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_CERTINFO'), parameter => 1);
}
eval {
$self->{curl_easy}->perform();
};
@ -470,6 +474,13 @@ sub get_message {
return $http_code_explained->{$self->{response_code}};
}
sub get_certificate {
my ($self, %options) = @_;
my $certs = $self->{curl_easy}->getinfo($self->{constant_cb}->(name => 'CURLINFO_CERTINFO'));
return ('pem', $certs->[0]->{Cert});
}
1;
__END__

20
centreon/plugins/backend/http/lwp.pm
View File

@ -124,10 +124,21 @@ sub set_proxy {
sub request {
my ($self, %options) = @_;
my %user_agent_params = (keep_alive => 1);
if (defined($options{request}->{certinfo}) && $options{request}->{certinfo} == 1) {
centreon::plugins::misc::mymodule_load(
output => $self->{output}, module => 'LWP::ConnCache',
error_msg => "Cannot load module 'LWP::ConnCache'."
);
$self->{cache} = LWP::ConnCache->new();
$self->{cache}->total_capacity(1);
%user_agent_params = (conn_cache => $self->{cache});
}
my $request_options = $options{request};
if (!defined($self->{ua})) {
$self->{ua} = centreon::plugins::backend::http::useragent->new(
keep_alive => 1,
%user_agent_params,
protocols_allowed => ['http', 'https'],
timeout => $request_options->{timeout},
credentials => $request_options->{credentials},
@ -327,6 +338,13 @@ sub get_message {
return $self->{response}->message();
}
sub get_certificate {
my ($self, %options) = @_;
my ($con) = $self->{cache}->get_connections('https');
return ('socket', $con);
}
1;
__END__

6
centreon/plugins/http.pm
View File

@ -220,6 +220,12 @@ sub get_message {
return $self->{'backend_' . $self->{http_backend}}->get_message();
}
sub get_certificate {
my ($self, %options) = @_;
return $self->{'backend_' . $self->{http_backend}}->get_certificate();
}
1;
__END__