From 9238b96fbdf5d5e79fb6fbb0a4a6e762c060a823 Mon Sep 17 00:00:00 2001 From: qgarnier Date: Thu, 18 Feb 2021 11:04:21 +0100 Subject: [PATCH] Enh x509 (#2596) --- apps/protocols/x509/custom/https.pm | 230 +++++++++++++++++++ apps/protocols/x509/custom/tcp.pm | 288 ++++++++++++++++++++++++ apps/protocols/x509/mode/certificate.pm | 147 ++---------- apps/protocols/x509/mode/validity.pm | 231 ------------------- apps/protocols/x509/plugin.pm | 8 +- centreon/plugins/backend/http/curl.pm | 11 + centreon/plugins/backend/http/lwp.pm | 20 +- centreon/plugins/http.pm | 6 + 8 files changed, 579 insertions(+), 362 deletions(-) create mode 100644 apps/protocols/x509/custom/https.pm create mode 100644 apps/protocols/x509/custom/tcp.pm delete mode 100644 apps/protocols/x509/mode/validity.pm diff --git a/apps/protocols/x509/custom/https.pm b/apps/protocols/x509/custom/https.pm new file mode 100644 index 000000000..b7bfefb88 --- /dev/null +++ b/apps/protocols/x509/custom/https.pm @@ -0,0 +1,230 @@ +# +# Copyright 2021 Centreon (http://www.centreon.com/) +# +# Centreon is a full-fledged industry-strength solution that meets +# the needs in IT infrastructure and application monitoring for +# service performance. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +package apps::protocols::x509::custom::https; + +use strict; +use warnings; +use centreon::plugins::http; +use Net::SSLeay 1.42; +use DateTime; + +sub new { + my ($class, %options) = @_; + my $self = {}; + bless $self, $class; + + if (!defined($options{output})) { + print "Class Custom: Need to specify 'output' argument.\n"; + exit 3; + } + if (!defined($options{options})) { + $options{output}->add_option_msg(short_msg => "Class Custom: Need to specify 'options' argument."); + $options{output}->option_exit(); + } + + if (!defined($options{noptions})) { + $options{options}->add_options(arguments => { + 'hostname:s' => { name => 'hostname' }, + 'port:s' => { name => 'port', }, + 'method:s' => { name => 'method' }, + 'urlpath:s' => { name => 'url_path' }, + 'timeout:s' => { name => 'timeout' }, + 'header:s@' => { name => 'header' } + }); + } + $options{options}->add_help(package => __PACKAGE__, sections => 'CUSTOM HTTPS OPTIONS', once => 1); + + $self->{output} = $options{output}; + $self->{http} = centreon::plugins::http->new(%options); + + return $self; +} + +sub set_options { + my ($self, %options) = @_; + + $self->{option_results} = $options{option_results}; +} + +sub set_defaults {} + +sub check_options { + my ($self, %options) = @_; + + $self->{option_results}->{hostname} = (defined($self->{option_results}->{hostname})) ? $self->{option_results}->{hostname} : ''; + $self->{option_results}->{port} = (defined($self->{option_results}->{port})) ? $self->{option_results}->{port} : 443; + $self->{option_results}->{proto} = 'https'; + $self->{option_results}->{url_path} = (defined($self->{option_results}->{url_path})) ? $self->{option_results}->{url_path} : '/'; + $self->{option_results}->{timeout} = (defined($self->{option_results}->{timeout})) ? $self->{option_results}->{timeout} : 5; + + if ($self->{option_results}->{hostname} eq '') { + $self->{output}->add_option_msg(short_msg => "Need to specify hostname option."); + $self->{output}->option_exit(); + } + + $self->{http}->set_options(%{$self->{option_results}}); + + return 0; +} + +sub pem_type { + my ($self, %options) = @_; + + my $bio_cert = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()); + if (!$bio_cert) { + $self->{output}->add_option_msg(short_msg => "Cannot init Net::SSLeay: $!"); + $self->{output}->option_exit(); + } + if (Net::SSLeay::BIO_write($bio_cert, $options{cert}) < 0) { + $self->{output}->add_option_msg(short_msg => "Cannot write certificate: $!"); + $self->{output}->option_exit(); + } + my $x509 = Net::SSLeay::PEM_read_bio_X509($bio_cert); + if (!$x509) { + $self->{output}->add_option_msg(short_msg => "Cannot read certificate: $!"); + $self->{output}->option_exit(); + } + + my $cert_infos = {}; + $cert_infos->{issuer} = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($x509)); + $cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509)); + my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($x509)); + if ($subject =~ /CN=(.*?)(?:\/(?:C|ST|L|O)=|\Z)/) { + $cert_infos->{subject} = $1; + } + + my @subject_alt_names = Net::SSLeay::X509_get_subjectAltNames($x509); + my $append = ''; + $cert_infos->{alt_subjects} = ''; + for (my $i = 0; $i < $#subject_alt_names; $i += 2) { + my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]); + if ($type == &Net::SSLeay::GEN_IPADD) { + $name = inet_ntoa($name); + } + $cert_infos->{alt_subjects} .= $append . $name; + $append = ', '; + } + + $cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z + my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6); + $cert_infos->{expiration} = $dt->epoch(); + + return $cert_infos; +} + +sub socket_type { + my ($self, %options) = @_; + + my $cert_infos = {}; + $cert_infos->{subject} = $options{socket}->peer_certificate('commonName'); + $cert_infos->{issuer} = $options{socket}->peer_certificate('authority'); + + my @subject_alt_names = $options{socket}->peer_certificate('subjectAltNames'); + my $append = ''; + $cert_infos->{alt_subjects} = ''; + for (my $i = 0; $i < $#subject_alt_names; $i += 2) { + my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]); + if ($type == &Net::SSLeay::GEN_IPADD) { + $name = inet_ntoa($name); + } + $cert_infos->{alt_subjects} .= $append . $name; + $append = ', '; + } + + $cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($options{socket}->peer_certificate())); + $cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z + my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6); + $cert_infos->{expiration} = $dt->epoch(); + + return $cert_infos; +} + +sub get_certificate_informations { + my ($self, %options) = @_; + + $self->{http}->request( + certinfo => 1, + unknown_status => '', + warning_status => '', + critical_status => '' + ); + + my ($type, $cert) = $self->{http}->get_certificate(); + if (!defined($cert)) { + $self->{output}->add_option_msg(short_msg => $self->{http}->get_message()); + $self->{output}->option_exit(); + } + + my $cert_infos; + if ($type eq 'pem') { + $cert_infos = $self->pem_type(cert => $cert); + } elsif ($type eq 'socket') { + $cert_infos = $self->socket_type(socket => $cert); + } + + return $cert_infos; +} + +1; + +__END__ + +=head1 NAME + +http connection + +=head1 CUSTOM HTTPS OPTIONS + +http connection + +=over 8 + +=item B<--hostname> + +IP Addr/FQDN of the webserver host + +=item B<--port> + +Port used by Webserver (Default: 443) + +=item B<--method> + +Specify http method used (Default: 'GET') + +=item B<--urlpath> + +Set path to get webpage (Default: '/') + +=item B<--timeout> + +Threshold for HTTP timeout (Default: 5) + +=item B<--header> + +Set HTTP headers (Multiple option) + +=back + +=head1 DESCRIPTION + +B. + +=cut diff --git a/apps/protocols/x509/custom/tcp.pm b/apps/protocols/x509/custom/tcp.pm new file mode 100644 index 000000000..798fb57d9 --- /dev/null +++ b/apps/protocols/x509/custom/tcp.pm @@ -0,0 +1,288 @@ +# +# Copyright 2021 Centreon (http://www.centreon.com/) +# +# Centreon is a full-fledged industry-strength solution that meets +# the needs in IT infrastructure and application monitoring for +# service performance. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +package apps::protocols::x509::custom::tcp; + +use base qw(centreon::plugins::mode); + +use strict; +use warnings; +use Socket; +use IO::Socket::INET; +use IO::Socket::SSL; +use Net::SSLeay 1.42; +use DateTime; + +sub new { + my ($class, %options) = @_; + my $self = {}; + bless $self, $class; + + if (!defined($options{output})) { + print "Class Custom: Need to specify 'output' argument.\n"; + exit 3; + } + if (!defined($options{options})) { + $options{output}->add_option_msg(short_msg => "Class Custom: Need to specify 'options' argument."); + $options{output}->option_exit(); + } + + if (!defined($options{noptions})) { + $options{options}->add_options(arguments => { + 'hostname:s' => { name => 'hostname' }, + 'port:s' => { name => 'port' }, + 'servername:s' => { name => 'servername' }, + 'ssl-opt:s@' => { name => 'ssl_opt' }, + 'ssl-ignore-errors' => { name => 'ssl_ignore_errors' }, + 'timeout:s' => { name => 'timeout', default => 3 }, + 'starttls:s' => { name => 'starttls' } + }); + } + $options{options}->add_help(package => __PACKAGE__, sections => 'CUSTOM TCP OPTIONS', once => 1); + + $self->{output} = $options{output}; + + return $self; +} + +sub set_options { + my ($self, %options) = @_; + + $self->{option_results} = $options{option_results}; +} + +sub set_defaults {} + +sub check_options { + my ($self, %options) = @_; + + $self->{hostname} = (defined($self->{option_results}->{hostname})) ? $self->{option_results}->{hostname} : ''; + $self->{port} = (defined($self->{option_results}->{port})) && $self->{option_results}->{port} =~ /(\d+)/ ? $1 : ''; + $self->{timeout} = (defined($self->{option_results}->{timeout})) && $self->{option_results}->{timeout} =~ /(\d+)/ ? $1 : 3; + + if ($self->{hostname} eq '') { + $self->{output}->add_option_msg(short_msg => 'Need to specify --hostname option.'); + $self->{output}->option_exit(); + } + if ($self->{port} eq '') { + $self->{output}->add_option_msg(short_msg => "Please set --port option"); + $self->{output}->option_exit(); + } + + my $append = ''; + foreach (@{$self->{option_results}->{ssl_opt}}) { + if ($_ ne '') { + $self->{ssl_context} .= $append . $_; + $append = ', '; + } + } + + return 0; +} + +sub connect_ssl { + my ($self, %options) = @_; + + my $socket; + eval { + $socket = IO::Socket::SSL->new( + PeerHost => $self->{option_results}->{hostname}, + PeerPort => $self->{option_results}->{port}, + $self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : (), + $self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : () + ); + }; + if ($@) { + $self->{output}->add_option_msg(short_msg => sprintf("%s", $@)); + $self->{output}->option_exit(); + } + if (!defined($socket)) { + $self->{output}->add_option_msg(short_msg => "Error creating SSL socket: $!, SSL error: $SSL_ERROR"); + $self->{output}->option_exit(); + } + if (!defined($self->{option_results}->{ssl_ignore_errors}) && defined($SSL_ERROR)) { + $self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR"); + $self->{output}->option_exit(); + } + + return $socket; +} + +sub smtp_plain_com { + my ($self, %options) = @_; + + my $buffer; + $options{socket}->recv($buffer, 1024); + + $options{socket}->send("HELO\r\n"); + $options{socket}->recv($buffer, 1024); + + $options{socket}->send("STARTTLS\r\n"); + $options{socket}->recv($buffer, 1024); + if ($buffer !~ /^220\s/) { + $self->{output}->add_option_msg(short_msg => "Cannot starttls: $buffer"); + $self->{output}->option_exit(); + } +} + +sub ftp_plain_com { + my ($self, %options) = @_; + + my $buffer; + $options{socket}->recv($buffer, 1024); + + $options{socket}->send("AUTH TLS\r\n"); + $options{socket}->recv($buffer, 1024); + if ($buffer !~ /^234\s/) { + $self->{output}->add_option_msg(short_msg => "Cannot starttls: $buffer"); + $self->{output}->option_exit(); + } +} + +sub connect_starttls { + my ($self, %options) = @_; + + my $socket = IO::Socket::INET->new( + PeerHost => $self->{option_results}->{hostname}, + PeerPort => $self->{option_results}->{port}, + $self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : () + ); + if (!defined($socket)) { + $self->{output}->add_option_msg(short_msg => "Error creating socket: $!"); + $self->{output}->option_exit(); + } + + if ($self->{option_results}->{starttls} eq 'smtp') { + $self->smtp_plain_com(socket => $socket); + } elsif ($self->{option_results}->{starttls} eq 'ftp') { + $self->ftp_plain_com(socket => $socket); + } + + my $rv = IO::Socket::SSL->start_SSL( + $socket, + $self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : () + ); + if (!defined($self->{option_results}->{ssl_ignore_errors}) && !$rv) { + $self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR"); + $self->{output}->option_exit(); + } + + return $socket; +} + +sub get_certificate_informations { + my ($self, %options) = @_; + + if (defined($self->{ssl_context}) && $self->{ssl_context} ne '') { + my $context = new IO::Socket::SSL::SSL_Context(eval $self->{ssl_context}); + eval { IO::Socket::SSL::set_default_context($context) }; + if ($@) { + $self->{output}->add_option_msg(short_msg => sprintf("Error setting SSL context: %s", $@)); + $self->{output}->option_exit(); + } + } + + my $socket; + if (defined($self->{option_results}->{starttls})) { + $socket = $self->connect_starttls(); + } else { + $socket = $self->connect_ssl(); + } + + my $cert_infos = {}; + + $cert_infos->{subject} = $socket->peer_certificate('commonName'); + $cert_infos->{issuer} = $socket->peer_certificate('authority'); + + my @subject_alt_names = $socket->peer_certificate('subjectAltNames'); + my $append = ''; + $cert_infos->{alt_subjects} = ''; + for (my $i = 0; $i < $#subject_alt_names; $i += 2) { + my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]); + if ($type == GEN_IPADD) { + $name = inet_ntoa($name); + } + $cert_infos->{alt_subjects} .= $append . $name; + $append = ', '; + } + + $cert_infos->{expiration_date} = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($socket->peer_certificate())); + $cert_infos->{expiration_date} =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z + my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6); + $cert_infos->{expiration} = $dt->epoch(); + + return $cert_infos; +} + +1; + +__END__ + +=head1 NAME + +tcp ssl connections + +=head1 CUSTOM TCP OPTIONS + +tcp ssl connection + +=over 8 + +=item B<--hostname> + +IP Addr/FQDN of the host. + +=item B<--port> + +Port used by host. + +=item B<--servername> + +Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com). + +=item B<--ssl-opt> + +Set SSL options. + +Examples: + +Do not verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" + +Verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER" --ssl-opt="SSL_version => TLSv1" + +=item B<--ssl-ignore-errors> + +Ignore SSL handshake errors. For example: 'SSL error: SSL wants a read first'. + +=item B<--timeout> + +Set timeout in seconds for SSL connection (Default: '3') (only with IO::Socket::SSL >= 1.984). + +=item B<--starttls> + +Init plaintext connection and start_SSL after. Can be: 'smtp', 'ftp'. + +=back + +=head1 DESCRIPTION + +B. + +=cut diff --git a/apps/protocols/x509/mode/certificate.pm b/apps/protocols/x509/mode/certificate.pm index 839cf69d0..4d7933156 100644 --- a/apps/protocols/x509/mode/certificate.pm +++ b/apps/protocols/x509/mode/certificate.pm @@ -24,11 +24,7 @@ use base qw(centreon::plugins::templates::counter); use strict; use warnings; -use Socket; -use IO::Socket::SSL; -use Net::SSLeay 1.42; -use DateTime; -use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold); +use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng); sub custom_status_output { my ($self, %options) = @_; @@ -59,19 +55,26 @@ sub set_counters { my ($self, %options) = @_; $self->{maps_counters_type} = [ - { name => 'global', type => 0 }, + { name => 'global', type => 0 } ]; $self->{maps_counters}->{global} = [ - { label => 'status', threshold => 0, set => { - key_values => [ { name => 'subject' }, { name => 'issuer' }, { name => 'expiration' }, - { name => 'date' }, { name => 'alt_subjects' } ], + { + label => 'status', type => 2, + warning_default => '%{expiration} < 60', + critical_default => '%{expiration} < 30', + set => { + key_values => [ + { name => 'subject' }, { name => 'issuer' }, + { name => 'expiration' }, { name => 'date' }, + { name => 'alt_subjects' } + ], closure_custom_calc => $self->can('custom_status_calc'), closure_custom_output => $self->can('custom_status_output'), closure_custom_perfdata => sub { return 0; }, - closure_custom_threshold_check => \&catalog_status_threshold, + closure_custom_threshold_check => \&catalog_status_threshold_ng } - }, + } ]; } @@ -81,102 +84,22 @@ sub new { bless $self, $class; $options{options}->add_options(arguments => { - 'hostname:s' => { name => 'hostname' }, - 'port:s' => { name => 'port' }, - 'servername:s' => { name => 'servername' }, - 'ssl-opt:s@' => { name => 'ssl_opt' }, - 'ssl-ignore-errors' => { name => 'ssl_ignore_errors' }, - 'timeout:s' => { name => 'timeout', default => '3' }, - 'warning-status:s' => { name => 'warning_status', default => '%{expiration} < 60' }, - 'critical-status:s' => { name => 'critical_status', default => '%{expiration} < 30' }, }); return $self; } -sub check_options { - my ($self, %options) = @_; - $self->SUPER::check_options(%options); - - if (!defined($self->{option_results}->{hostname}) || $self->{option_results}->{hostname} eq '') { - $self->{output}->add_option_msg(short_msg => "Please set --hostname option"); - $self->{output}->option_exit(); - } - if (!defined($self->{option_results}->{port}) || $self->{option_results}->{port} eq '') { - $self->{output}->add_option_msg(short_msg => "Please set --port option"); - $self->{output}->option_exit(); - } - - my $append = ''; - foreach (@{$self->{option_results}->{ssl_opt}}) { - if ($_ ne '') { - $self->{ssl_context} .= $append . $_; - $append = ', '; - } - } - - $self->change_macros(macros => ['warning_status', 'critical_status']); -} - sub manage_selection { my ($self, %options) = @_; - if (defined($self->{ssl_context}) && $self->{ssl_context} ne '') { - my $context = new IO::Socket::SSL::SSL_Context(eval $self->{ssl_context}); - eval { IO::Socket::SSL::set_default_context($context) }; - if ($@) { - $self->{output}->add_option_msg(short_msg => sprintf("Error setting SSL context: %s", $@)); - $self->{output}->option_exit(); - } - } - - my $socket; - eval { - $socket = IO::Socket::SSL->new( - PeerHost => $self->{option_results}->{hostname}, - PeerPort => $self->{option_results}->{port}, - $self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ) : (), - $self->{option_results}->{timeout} ? ( Timeout => $self->{option_results}->{timeout} ) : (), - ); - }; - if ($@) { - $self->{output}->add_option_msg(short_msg => sprintf("%s", $@)); - $self->{output}->option_exit(); - } - if (!defined($socket)) { - $self->{output}->add_option_msg(short_msg => "Error creating SSL socket: $!, SSL error: $SSL_ERROR"); - $self->{output}->option_exit(); - } - if (!defined($self->{option_results}->{ssl_ignore_errors}) && defined($SSL_ERROR)) { - $self->{output}->add_option_msg(short_msg => "SSL error: $SSL_ERROR"); - $self->{output}->option_exit(); - } - - my $subject = $socket->peer_certificate('commonName'); - my $issuer = $socket->peer_certificate('authority'); - - my @subject_alt_names = $socket->peer_certificate('subjectAltNames'); - my $append = ''; - my $alt_subjects = ''; - for (my $i = 0; $i < $#subject_alt_names; $i += 2) { - my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]); - if ($type == GEN_IPADD) { - $name = inet_ntoa($name); - } - $alt_subjects .= $append . $name; - $append = ', '; - } - - my $notafterdate = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($socket->peer_certificate())); - $notafterdate =~ /^(\d+)-(\d+)-(\d+)T(\d+):(\d+):(\d+)Z$/; # 2033-05-16T20:39:37Z - my $dt = DateTime->new(year => $1, month => $2, day => $3, hour => $4, minute => $5, second => $6); + my $cert = $options{custom}->get_certificate_informations(); $self->{global} = { - subject => $subject, - issuer => $issuer, - expiration => $dt->epoch, - date => $notafterdate, - alt_subjects => $alt_subjects + subject => $cert->{subject}, + issuer => $cert->{issuer}, + expiration => $cert->{expiration}, + date => $cert->{expiration_date}, + alt_subjects => $cert->{alt_subjects} }; } @@ -190,36 +113,6 @@ Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS) =over 8 -=item B<--hostname> - -IP Addr/FQDN of the host. - -=item B<--port> - -Port used by host. - -=item B<--servername> - -Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com). - -=item B<--ssl-opt> - -Set SSL options. - -Examples: - -Do not verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" - -Verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER" --ssl-opt="SSL_version => TLSv1" - -=item B<--ssl-ignore-errors> - -Ignore SSL handshake errors. For example: 'SSL error: SSL wants a read first'. - -=item B<--timeout> - -Set timeout in seconds for SSL connection (Default: '3') (only with IO::Socket::SSL >= 1.984). - =item B<--warning-status> Set warning threshold for status. (Default: '%{expiration} < 60'). diff --git a/apps/protocols/x509/mode/validity.pm b/apps/protocols/x509/mode/validity.pm deleted file mode 100644 index d1a616424..000000000 --- a/apps/protocols/x509/mode/validity.pm +++ /dev/null @@ -1,231 +0,0 @@ -# -# Copyright 2021 Centreon (http://www.centreon.com/) -# -# Centreon is a full-fledged industry-strength solution that meets -# the needs in IT infrastructure and application monitoring for -# service performance. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -package apps::protocols::x509::mode::validity; - -use base qw(centreon::plugins::mode); - -use strict; -use warnings; -use IO::Socket::SSL; -use Net::SSLeay; -use Socket; -use centreon::plugins::misc; - -sub new { - my ($class, %options) = @_; - my $self = $class->SUPER::new(package => __PACKAGE__, %options, force_new_perfdata => 1); - bless $self, $class; - - $options{options}->add_options(arguments => { - 'hostname:s' => { name => 'hostname' }, - 'port:s' => { name => 'port' }, - 'servername:s' => { name => 'servername' }, - 'validity-mode:s' => { name => 'validity_mode' }, - 'warning-date:s' => { name => 'warning' }, - 'critical-date:s' => { name => 'critical' }, - 'subjectname:s' => { name => 'subjectname', default => '' }, - 'issuername:s' => { name => 'issuername', default => '' }, - 'timeout:s' => { name => 'timeout', default => 5 }, - 'ssl-opt:s%' => { name => 'ssl_opt' } - }); - - return $self; -} - -sub check_options { - my ($self, %options) = @_; - $self->SUPER::init(%options); - - if (($self->{perfdata}->threshold_validate(label => 'warning', value => $self->{option_results}->{warning})) == 0) { - $self->{output}->add_option_msg(short_msg => "Wrong warning threshold '" . $self->{option_results}->{warning} . "'."); - $self->{output}->option_exit(); - } - if (($self->{perfdata}->threshold_validate(label => 'critical', value => $self->{option_results}->{critical})) == 0) { - $self->{output}->add_option_msg(short_msg => "Wrong critical threshold '" . $self->{option_results}->{critical} . "'."); - $self->{output}->option_exit(); - } - if (!defined($self->{option_results}->{hostname})) { - $self->{output}->add_option_msg(short_msg => "Please set the hostname option"); - $self->{output}->option_exit(); - } - if (!defined($self->{option_results}->{port})) { - $self->{output}->add_option_msg(short_msg => "Please set the port option"); - $self->{output}->option_exit(); - } - if (!defined($self->{option_results}->{validity_mode}) || $self->{option_results}->{validity_mode} !~ /^expiration|subject|issuer$/) { - $self->{output}->add_option_msg(short_msg => "Please set the validity-mode option (issuer, subject or expiration)"); - $self->{output}->option_exit(); - } - - $self->{ssl_opts} = ''; - if (defined($self->{option_results}->{ssl_opt})) { - foreach (keys %{$self->{option_results}->{ssl_opt}}) { - $self->{ssl_opts} .= "$_ => " . $self->{option_results}->{ssl_opt}->{$_} . ", "; - } - } -} - -sub run { - my ($self, %options) = @_; - - # Global variables - my $client = IO::Socket::SSL->new( - PeerHost => $self->{option_results}->{hostname}, - PeerPort => $self->{option_results}->{port}, - eval $self->{ssl_opts}, - $self->{option_results}->{servername} ? ( SSL_hostname => $self->{option_results}->{servername} ):(), - ); - if (!defined($client)) { - $self->{output}->output_add(severity => 'CRITICAL', - short_msg => "failed to accept or ssl handshake: $!,$SSL_ERROR"); - $self->{output}->display(); - $self->{output}->exit() - } - - #Retrieve Certificate - my $cert; - eval { $cert = $client->peer_certificate() }; - if ($@) { - $self->{output}->output_add(severity => 'CRITICAL', - short_msg => sprintf("%s", $@)); - $self->{output}->display(); - $self->{output}->exit() - } - - my $subject = Net::SSLeay::X509_NAME_get_text_by_NID( - Net::SSLeay::X509_get_subject_name($cert), 13); # NID_CommonName - $subject =~ s{\0$}{}; # work around Bug in Net::SSLeay <1.33 - - #Expiration Date - if ($self->{option_results}->{validity_mode} eq 'expiration') { - centreon::plugins::misc::mymodule_load(output => $self->{output}, module => 'Date::Manip', - error_msg => "Cannot load module 'Date::Manip'."); - (my $notafterdate = Net::SSLeay::P_ASN1_UTCTIME_put2string(Net::SSLeay::X509_get_notAfter($cert))) =~ s/ GMT//; - my $daysbefore = int((Date::Manip::UnixDate(Date::Manip::ParseDate($notafterdate),"%s") - time) / 86400); - my $exit = $self->{perfdata}->threshold_check(value => $daysbefore, - threshold => [ { label => 'critical', exit_litteral => 'critical' }, { label => 'warning', exit_litteral => 'warning' } ]); - $self->{output}->output_add(severity => $exit, - short_msg => sprintf("Certificate expiration for '%s' in days: %s - Validity Date: %s", $subject, $daysbefore, $notafterdate)); - $self->{output}->perfdata_add( - nlabel => 'certificate.expiration.days.count', - value => $daysbefore, - warning => $self->{perfdata}->get_perfdata_for_output(label => 'warning'), - critical => $self->{perfdata}->get_perfdata_for_output(label => 'critical') - ); - #Subject Name - } elsif ($self->{option_results}->{validity_mode} eq 'subject') { - my @subject_matched = (); - - if ($subject =~ /$self->{option_results}->{subjectname}/mi) { - push @subject_matched, $subject; - } else { - $self->{output}->output_add(long_msg => sprintf("Subject Name '%s' is also present in Certificate", $subject), debug => 1); - } - - my @subject_alt_names = Net::SSLeay::X509_get_subjectAltNames($cert); - for (my $i = 0; $i < $#subject_alt_names; $i += 2) { - my ($type, $name) = ($subject_alt_names[$i], $subject_alt_names[$i + 1]); - if ($type == GEN_IPADD) { - $name = inet_ntoa($name); - } - if ($name =~ /$self->{option_results}->{subjectname}/mi) { - push @subject_matched, $name; - } else { - $self->{output}->output_add(long_msg => sprintf("Subject Name '%s' is also present in Certificate", $name), debug => 1); - } - } - - if (@subject_matched == 0) { - $self->{output}->output_add(severity => 'CRITICAL', - short_msg => sprintf("No Subject Name matched '%s' in Certificate", $self->{option_results}->{subjectname})); - } else { - $self->{output}->output_add(severity => 'OK', - short_msg => sprintf("Subject Name [%s] is present in Certificate", join(', ', @subject_matched))); - } - - #Issuer Name - } elsif ($self->{option_results}->{validity_mode} eq 'issuer') { - my $issuer_name = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert)); - if ($issuer_name =~ /$self->{option_results}->{issuername}/mi) { - $self->{output}->output_add(severity => 'OK', - short_msg => sprintf("Issuer Name '%s' is present in Certificate '%s': %s", $self->{option_results}->{issuername}, $subject, $issuer_name)); - } else { - $self->{output}->output_add(severity => 'CRITICAL', - short_msg => sprintf("Issuer Name '%s' is not present in Certificate '%s': %s", $self->{option_results}->{issuername}, $subject, $issuer_name)); - } - } - - $self->{output}->display(); - $self->{output}->exit(); -} - -1; - -__END__ - -=head1 MODE - -Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS) - -Legacy mode, use 'certificate' mode instead. - -=over 8 - -=item B<--hostname> - -IP Addr/FQDN of the host - -=item B<--servername> - -Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com) - -=item B<--port> - -Port used by Server - -=item B<--validity-mode> - -Validity mode. -Can be : 'expiration' or 'subject' or 'issuer' - -=item B<--warning-date> - -Threshold warning in days (Days before expiration, eg: '60:' for 60 days before) - -=item B<--critical-date> - -Threshold critical in days (Days before expiration, eg: '30:' for 30 days before) - -=item B<--subjectname> - -Subject Name pattern (support alternative subject name) - -=item B<--issuername> - -Issuer Name pattern - -=item B<--ssl-opt> - -Set SSL Options (--ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE"). - -=back - -=cut diff --git a/apps/protocols/x509/plugin.pm b/apps/protocols/x509/plugin.pm index b70ecf3a1..b8185e119 100644 --- a/apps/protocols/x509/plugin.pm +++ b/apps/protocols/x509/plugin.pm @@ -22,7 +22,7 @@ package apps::protocols::x509::plugin; use strict; use warnings; -use base qw(centreon::plugins::script_simple); +use base qw(centreon::plugins::script_custom); sub new { my ($class, %options) = @_; @@ -31,10 +31,12 @@ sub new { $self->{version} = '0.1'; $self->{modes} = { - 'certificate' => 'apps::protocols::x509::mode::certificate', - 'validity' => 'apps::protocols::x509::mode::validity' #legacy mode + 'certificate' => 'apps::protocols::x509::mode::certificate' }; + $self->{custom_modes}->{tcp} = 'apps::protocols::x509::custom::tcp'; + $self->{custom_modes}->{https} = 'apps::protocols::x509::custom::https'; + return $self; } diff --git a/centreon/plugins/backend/http/curl.pm b/centreon/plugins/backend/http/curl.pm index ca3e7dab5..2967d7234 100644 --- a/centreon/plugins/backend/http/curl.pm +++ b/centreon/plugins/backend/http/curl.pm @@ -371,6 +371,10 @@ sub request { $self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_HEADERDATA'), parameter => $self); $self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_HEADERFUNCTION'), parameter => \&cb_get_header); + if (defined($options{request}->{certinfo}) && $options{request}->{certinfo} == 1) { + $self->curl_setopt(option => $self->{constant_cb}->(name => 'CURLOPT_CERTINFO'), parameter => 1); + } + eval { $self->{curl_easy}->perform(); }; @@ -470,6 +474,13 @@ sub get_message { return $http_code_explained->{$self->{response_code}}; } +sub get_certificate { + my ($self, %options) = @_; + + my $certs = $self->{curl_easy}->getinfo($self->{constant_cb}->(name => 'CURLINFO_CERTINFO')); + return ('pem', $certs->[0]->{Cert}); +} + 1; __END__ diff --git a/centreon/plugins/backend/http/lwp.pm b/centreon/plugins/backend/http/lwp.pm index 56bfee542..780f2b1b5 100644 --- a/centreon/plugins/backend/http/lwp.pm +++ b/centreon/plugins/backend/http/lwp.pm @@ -124,10 +124,21 @@ sub set_proxy { sub request { my ($self, %options) = @_; + my %user_agent_params = (keep_alive => 1); + if (defined($options{request}->{certinfo}) && $options{request}->{certinfo} == 1) { + centreon::plugins::misc::mymodule_load( + output => $self->{output}, module => 'LWP::ConnCache', + error_msg => "Cannot load module 'LWP::ConnCache'." + ); + $self->{cache} = LWP::ConnCache->new(); + $self->{cache}->total_capacity(1); + %user_agent_params = (conn_cache => $self->{cache}); + } + my $request_options = $options{request}; if (!defined($self->{ua})) { $self->{ua} = centreon::plugins::backend::http::useragent->new( - keep_alive => 1, + %user_agent_params, protocols_allowed => ['http', 'https'], timeout => $request_options->{timeout}, credentials => $request_options->{credentials}, @@ -327,6 +338,13 @@ sub get_message { return $self->{response}->message(); } +sub get_certificate { + my ($self, %options) = @_; + + my ($con) = $self->{cache}->get_connections('https'); + return ('socket', $con); +} + 1; __END__ diff --git a/centreon/plugins/http.pm b/centreon/plugins/http.pm index a8c6b58d6..c5efeb1ea 100644 --- a/centreon/plugins/http.pm +++ b/centreon/plugins/http.pm @@ -220,6 +220,12 @@ sub get_message { return $self->{'backend_' . $self->{http_backend}}->get_message(); } +sub get_certificate { + my ($self, %options) = @_; + + return $self->{'backend_' . $self->{http_backend}}->get_certificate(); +} + 1; __END__