
check_http: check for and print the certificate cn

This patch adds a check for the certificate CN (hostname) to normal
certificate checks. It returns CRITICAL if the CN is missing, otherwise it
prints it in the normal output.

Patch by Stéphane Urbanovski
Thomas Guyot-Sionnest před 15 roky
rodič
revize
4611e41bc5
5 změnil soubory, kde provedl 34 přidání a 14 odebrání
  1. 1 0
      NEWS
  2. 1 0
      THANKS.in
  3. 28 10
      plugins/sslutils.c
  4. 1 1
      plugins/t/check_http.t
  5. 3 3
      plugins/tests/check_http.t

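--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ This file documents the major additions and syntax changes between releases.
 	check_nt UPTIME accepts warning/critical thresholds (Ryan Kelly)
 	check_disk_smb now allows spaces in share names (#990948, #1370031, Debian #601699)
 	check_http now uses standard threshold functions (enables floating point and ranges)
+	check_http now checks for and prints the certificate cn (hostname) in SSL certificate checks (Stéphane Urbanovski)
 
 	FIXES
 	Fix check_disk free space calculation if blocksizes differ within a disk group (Bekar - #2973603)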

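--- a/THANKS.in
+++ b/THANKS.in
@@ -266,3 +266,4 @@ Stephane Chazelas
 Craig Leres
 Brian Landers
 Ryan Kelly
+Stéphane Urbanovski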

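--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -3,7 +3,7 @@
 * Nagios plugins SSL utilities
 * 
 * License: GPL
-* Copyright (c) 2005-2007 Nagios Plugins Development Team
+* Copyright (c) 2005-2010 Nagios Plugins Development Team
 * 
 * Description:
 * 
@@ -26,6 +26,7 @@
 * 
 *****************************************************************************/
 
+#define MAX_CN_LENGTH 256
 #define LOCAL_TIMEOUT_ALARM_HANDLER
 #include "common.h"
 #include "netutils.h"
@@ -97,6 +98,11 @@ int np_net_ssl_read(void *buf, int num){
 int np_net_ssl_check_cert(int days_till_exp){
 #  ifdef USE_OPENSSL
 	X509 *certificate=NULL;
+	X509_NAME *subj=NULL;
+	char cn[MAX_CN_LENGTH]= "";
+	int cnlen =-1;
+	int status=STATE_UNKNOWN;
+
 	ASN1_STRING *tm;
 	int offset;
 	struct tm stamp;
@@ -110,6 +116,17 @@ int np_net_ssl_check_cert(int days_till_exp){
 		return STATE_CRITICAL;
 	}
 
+	/* Extract CN from certificate subject */
+	subj=X509_get_subject_name(certificate);
+
+	if(! subj){
+		printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+		return STATE_CRITICAL;
+	}
+	cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
+	if ( cnlen == -1 )
+		strcpy(cn , _("Unknown CN"));
+
 	/* Retrieve timestamp of certificate */
 	tm = X509_get_notAfter (certificate);
 
@@ -155,19 +172,20 @@ int np_net_ssl_check_cert(int days_till_exp){
 		 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
 
 	if (days_left > 0 && days_left <= days_till_exp) {
-		printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
-		return STATE_WARNING;
+		printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
+		status=STATE_WARNING;
 	} else if (time_left < 0) {
-		printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
-		return STATE_CRITICAL;
+		printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
+		status=STATE_CRITICAL;
 	} else if (days_left == 0) {
-		printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
-		return STATE_WARNING;
+		printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
+		status=STATE_WARNING;
+	} else {
+		printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
+		status=STATE_OK;
 	}
-
-	printf (_("OK - Certificate will expire on %s.\n"), timestamp);
 	X509_free (certificate);
-	return STATE_OK;
+	return status;
 #  else /* ifndef USE_OPENSSL */
 	printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
 	return STATE_WARNING;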
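Review bot: The new early return in the `if(! subj)` branch leaves the X509 held in `certificate` unfreed, while every later exit from the function goes through `X509_free (certificate)`; add `X509_free (certificate);` immediately before that `return STATE_CRITICAL;`. The commit message says a missing CN yields CRITICAL, but the `cnlen == -1` branch substitutes `_("Unknown CN")` and leaves the expiry result unchanged, so either the message or that branch should be aligned (and if CRITICAL is intended, the certificate must be freed there as well). Note also that the CN is only printed and never compared with the host being checked — the function receives only `days_till_exp` — and subjectAltName is not consulted, so this output must not be read as hostname verification; a comment such as `/* CN is reported for information only; no hostname matching is performed here */` above the extraction would make that explicit. np_net_ssl_check_cert's body continues outside these hunks.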

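--- a/plugins/t/check_http.t
+++ b/plugins/t/check_http.t
@@ -102,7 +102,7 @@ SKIP: {
 
        $res = NPTest->testCmd( "./check_http -C 1 --ssl www.verisign.com" );
        cmp_ok( $res->return_code, '==', 0, "Checking certificate for www.verisign.com");
-        like  ( $res->output, '/Certificate will expire on/', "Output OK" );
+        like  ( $res->output, "/Certificate 'www.verisign.com' will expire on/", "Output OK" );
        my $saved_cert_output = $res->output;
 
        $res = NPTest->testCmd( "./check_http www.verisign.com -C 1" );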

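--- a/plugins/tests/check_http.t
+++ b/plugins/tests/check_http.t
@@ -182,17 +182,17 @@ SKIP: {
 	
 	$result = NPTest->testCmd( "$command -p $port_https -S -C 14" );
 	is( $result->return_code, 0, "$command -p $port_https -S -C 14" );
-	is( $result->output, 'OK - Certificate will expire on 03/03/2019 21:41.', "output ok" );
+	is( $result->output, 'OK - Certificate \'Ton Voon\' will expire on 03/03/2019 21:41.', "output ok" );
 
 	$result = NPTest->testCmd( "$command -p $port_https -S -C 14000" );
 	is( $result->return_code, 1, "$command -p $port_https -S -C 14000" );
-	like( $result->output, '/WARNING - Certificate expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
+	like( $result->output, '/WARNING - Certificate \'Ton Voon\' expires in \d+ day\(s\) \(03/03/2019 21:41\)./', "output ok" );
 
 	# Expired cert tests
 	$result = NPTest->testCmd( "$command -p $port_https_expired -S -C 7" );
 	is( $result->return_code, 2, "$command -p $port_https_expired -S -C 7" );
 	is( $result->output, 
-		'CRITICAL - Certificate expired on 03/05/2009 00:13.',
+		'CRITICAL - Certificate \'Ton Voon\' expired on 03/05/2009 00:13.',
 		"output ok" );
 
 }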