(plugin) apps::protocols::x509 - add support for verify_hostname (#4364)

qgarnier 2023-04-19 10:27:08 +02:00 committed by GitHub
parent b66367bc4b
commit a4d0c3c1b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 2 deletions


@ -209,6 +209,21 @@ sub get_certificate_informations {
$cert_infos->{subject} = $socket->peer_certificate('commonName');
$cert_infos->{issuer} = $socket->peer_certificate('authority');
if (defined($self->{ssl_context}->{SSL_verify_mode}) &&
defined($self->{option_results}->{servername}) &&
$self->{ssl_context}->{SSL_verify_mode} == SSL_VERIFY_NONE) {
$cert_infos->{verify_hostname} = $socket->verify_hostname(
$self->{option_results}->{servername},
# like default scheme
{
wildcards_in_cn => 'anywhere',
wildcards_in_alt => 'anywhere',
check_cn => 'always',
ip_in_cn => 1,
}
);
}
my @subject_alt_names = $socket->peer_certificate('subjectAltNames');
my $append = '';
$cert_infos->{alt_subjects} = '';
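Review bot: The scheme passed to `verify_hostname` in get_certificate_informations uses `check_cn => 'always'` and `ip_in_cn => 1`, so a certificate whose commonName matches is reported OK even when its subjectAltNames do not list the server name. HTTPS clients following RFC 6125 ignore the CN once DNS subjectAltNames are present, so this check can pass for a certificate that current browsers would reject; consider `check_cn => 'when_only'`, or an option that selects the scheme. Because the block only runs when `SSL_verify_mode == SSL_VERIFY_NONE`, the chain is not validated at that point, and a comment such as `# name match only: chain is not verified in this mode, so OK does not imply a trusted certificate` would keep the result from being over-read. The function body continues outside this hunk.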


@ -34,9 +34,15 @@ sub custom_status_output {
$self->{result_values}->{subject}, $self->{result_values}->{expiration}, $self->{result_values}->{date},
$self->{result_values}->{issuer}
);
if (defined($self->{result_values}->{verify_hostname}) && $self->{result_values}->{verify_hostname} eq 'FAILED') {
$msg .= sprintf(" - Verify hostname status '%s'", $self->{result_values}->{verify_hostname});
}
if (defined($self->{result_values}->{alt_subjects}) && $self->{result_values}->{alt_subjects} ne '') {
$self->{output}->output_add(long_msg => sprintf("Alternative subject names: %s.", $self->{result_values}->{alt_subjects}));
}
if (defined($self->{result_values}->{verify_hostname}) && $self->{result_values}->{verify_hostname} ne '-') {
$self->{output}->output_add(long_msg => sprintf("Verify hostname result: %s.", $self->{result_values}->{verify_hostname}));
}
return $msg;
}
@ -48,6 +54,7 @@ sub custom_status_calc {
$self->{result_values}->{expiration} = ($options{new_datas}->{$self->{instance} . '_expiration'} - time()) / 86400;
$self->{result_values}->{date} = $options{new_datas}->{$self->{instance} . '_date'};
$self->{result_values}->{alt_subjects} = $options{new_datas}->{$self->{instance} . '_alt_subjects'};
$self->{result_values}->{verify_hostname} = $options{new_datas}->{$self->{instance} . '_verify_hostname'};
return 0;
}
@ -63,11 +70,13 @@ sub set_counters {
label => 'status', type => 2,
warning_default => '%{expiration} < 60',
critical_default => '%{expiration} < 30',
unknown_default => '%{verify_hostname} eq "FAILED"',
set => {
key_values => [
{ name => 'subject' }, { name => 'issuer' },
{ name => 'expiration' }, { name => 'date' },
{ name => 'alt_subjects' }
{ name => 'alt_subjects' },
{ name => 'verify_hostname' },
],
closure_custom_calc => $self->can('custom_status_calc'),
closure_custom_output => $self->can('custom_status_output'),
@ -99,7 +108,9 @@ sub manage_selection {
issuer => defined($cert->{issuer}) ? $cert->{issuer} : '-',
expiration => $cert->{expiration},
date => $cert->{expiration_date},
alt_subjects => $cert->{alt_subjects}
alt_subjects => $cert->{alt_subjects},
verify_hostname => defined($cert->{verify_hostname})
? ($cert->{verify_hostname} ? "OK" : "FAILED") : '-',
};
}
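Review bot: A hostname mismatch only raises UNKNOWN, through `unknown_default => '%{verify_hostname} eq "FAILED"'` in set_counters, and alerting rules often treat UNKNOWN as a probe problem rather than a certificate fault, so a certificate served for the wrong name may go unnoticed. If that severity is intended, the option help (not part of these hunks) should state that `%{verify_hostname}` takes `OK`, `FAILED` or `-`, and that operators who want an alert must add it to the critical status expression. Otherwise consider `critical_default => '%{expiration} < 30 || %{verify_hostname} eq "FAILED"'`. Most of the subs touched here extend beyond the visible hunks.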