
Merge pull request #359 from helmo/verify-host

Add `--verify-host` to check if -H hostname matches the SSL certificate
Sebastian Wolf пре 6 година
родитељ
комит
16d023f2ac
3 измењених фајлова са 37 додато и 17 уклоњено
  1. 2 0
      NEWS
  2. 35 16
      plugins/check_http.c
  3. 0 1
      plugins/sslutils.c

+ 2 - 0
NEWS

@@ -1,5 +1,6 @@
 This file documents the major additions and syntax changes between releases.
 
+
 2.3.0 xxxx-xx-xx
 	ENHANCEMENTS
 	Added directory plugins-python containing three Python plugins
@@ -44,6 +45,7 @@ This file documents the major additions and syntax changes between releases.
 	check_snmp: warning/critical perfdata is returned properly
 	check_dns: reverse (PTR) check is now case insensitive
 
+
 2.2.1 2017-04-19
 	FIXES
 	check_users: not accepting zero as the threshold

+ 35 - 16
plugins/check_http.c

@@ -313,7 +313,6 @@ process_arguments (int argc, char **argv)
             display_html = FALSE;
             break;
         case 'C': /* Check SSL cert validity */
-
 #ifdef HAVE_SSL
             if ((temp=strchr(optarg,','))!=NULL) {
                 *temp='\0';
@@ -1050,7 +1049,7 @@ check_http (void)
         elapsed_time_ssl = (double)microsec_ssl / 1.0e6;
         if (check_cert == TRUE) {
             result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
-            if (continue_after_check_cert == FALSE || result != STATE_OK) {
+            if (continue_after_check_cert == FALSE) {
 
                 if (sd) {
                     close(sd);
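Review bot: Dropping `|| result != STATE_OK` means a WARNING or CRITICAL returned by np_net_ssl_check_cert() no longer ends the check when continue_after_check_cert is TRUE, and nothing in this hunk shows that value being kept for the final exit state. If `result` is reassigned later in check_http (that code is outside this hunk, so this is inferred), an expired or soon-to-expire certificate would be reported as OK whenever the HTTP part succeeds. Keep the certificate state in its own variable, e.g. `ssl_result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);`, and return the worse of it and the HTTP result at the end. As far as the visible lines show, this change is also unrelated to the `--verify-host` option named in the commit title, so it should be called out in the description.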
@@ -1208,25 +1207,46 @@ check_http (void)
     np_net_ssl_cleanup();
 #endif
 
-    /* Save check time */
-    microsec = deltime (tv);
-    elapsed_time = (double)microsec / 1.0e6;
-
-    /* leave full_page untouched so we can free it later */
-    pos = page = full_page;
-
-    if (verbose)
-        printf ("%s://%s:%d%s is %d characters\n",
-                use_ssl ? "https" : "http", server_address,
-                server_port, server_url, (int)pagesize);
-
-    /* find status line and null-terminate it */
+  /* Save check time */
+  microsec = deltime (tv);
+  elapsed_time = (double)microsec / 1.0e6;
+
+  /* leave full_page untouched so we can free it later */
+  pos = page = full_page;
+
+  if (verbose)
+    printf ("%s://%s:%d%s is %d characters\n",
+      use_ssl ? "https" : "http", server_address,
+      server_port, server_url, (int)pagesize);
+
+  /* find status line and null-terminate it */
+  page += (size_t) strcspn (page, "\r\n");
+  save_char = *page;
+  *page = '\0';
+  status_line = strdup(pos);
+  *page = save_char;
+  pos = page;
+
+  strip (status_line);
+  if (verbose)
+    printf ("STATUS: %s\n", status_line);
+
+  /* find header info and null-terminate it */
+  header = page;
+  for (;;) {
+    if (!strncmp(page, "\r\n\r\n", 4) || !strncmp(page, "\n\n", 2))
+     break;
+    while (*page == '\r' || *page == '\n') { ++page; }
     page += (size_t) strcspn (page, "\r\n");
     save_char = *page;
     *page = '\0';
     status_line = strdup(pos);
     *page = save_char;
     pos = page;
+  }
+  page += (size_t) strspn (page, "\r\n");
+  header[pos - header] = 0;
+  while (*header == '\r' || *header == '\n') { ++header; }
 
     strip (status_line);
     if (verbose)
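Review bot: The header loop added here still carries the old status-line lines as its body, so every pass runs `status_line = strdup(pos);` again: the status line extracted just above is leaked and replaced by a header line, and the `strip (status_line)` and STATUS print after the loop then repeat on the wrong string. The loop also has no end-of-buffer exit: at `*page == '\0'` neither strncmp matches and neither the skip loop nor strcspn advances, so a response with no blank line after the headers spins there (presumably until a plugin timeout fires, which is not visible in this hunk). Remove the `save_char = *page;`, `*page = '\0';`, `status_line = strdup(pos);` and `*page = save_char;` lines from the loop body so it only advances `page` and `pos`, and start the test with `if (*page == '\0' || !strncmp(page, "\r\n\r\n", 4) || !strncmp(page, "\n\n", 2))`. The strdup() result is also passed to strip() without a NULL check. check_http continues past the end of this hunk.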
@@ -1884,5 +1904,4 @@ print_usage (void)
     printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
     printf ("       [-T <content-type>] [-j method]\n");
 #endif
-
 }

+ 0 - 1
plugins/sslutils.c

@@ -36,7 +36,6 @@ static SSL_CTX *c=NULL;
 static SSL *s=NULL;
 static int initialized=0;
 
-
 int np_net_ssl_init(int sd) {
 	return np_net_ssl_init_with_hostname(sd, NULL);
 }