From 15760add883fa12dc41bc4c4c95c1fdd546d47bc Mon Sep 17 00:00:00 2001
From: Jan Wagner <waja@cyconet.org>
Date: Wed, 14 Aug 2024 11:29:30 +0200
Subject: [PATCH] Adding d/p/11_check_curl_raise_ssl_issue from upstream

https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2011.patch
---
 debian/patches/11_check_curl_raise_ssl_issue | 87 ++++++++++++++++++++
 debian/patches/series                        |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 debian/patches/11_check_curl_raise_ssl_issue

diff --git a/debian/patches/11_check_curl_raise_ssl_issue b/debian/patches/11_check_curl_raise_ssl_issue
new file mode 100644
index 0000000..9c8fd8f
--- /dev/null
+++ b/debian/patches/11_check_curl_raise_ssl_issue
@@ -0,0 +1,87 @@
+From ca40cf81fb94cf57a82df938ed2aa2843691be3a Mon Sep 17 00:00:00 2001
+From: Yannick Martin <yannick.martin@ovhcloud.com>
+Date: Fri, 9 Aug 2024 12:14:28 +0200
+Subject: [PATCH] check_curl: raise SSL issue when --continue-after-certificate
+ is used
+
+This change aims to raise the worst status between the SSL check and the HTTP check.
+
+before:
+check_curl -H www.google.fr -S --continue-after-certificate --certificate 4000,4000 ; echo $?
+CRITICAL - Certificate '*.google.fr' expires in 74 day(s) (Tue 22 Oct 2024 12:53:52 PM GMT +0000).
+HTTP OK: HTTP/2 200  - 22807 bytes in 0.076 second response time |time=0.075516s;;;0.000000;10.000000 size=22807B;;;0;
+0
+
+after:
+/usr/lib/nagios/ovh/check_curl -H www.google.fr -S --continue-after-certificate --certificate 4000,4000 ; echo $?
+CRITICAL - Certificate '*.google.fr' expires in 74 day(s) (Tue 22 Oct 2024 12:53:52 PM GMT +0000).
+HTTP OK: HTTP/2 200  - 22840 bytes in 0.090 second response time |time=0.090463s;;;0.000000;10.000000 size=22840B;;;0;
+2
+---
+ plugins/check_curl.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index 01e2770e3..4522e6c9f 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -468,6 +468,7 @@ int
+ check_http (void)
+ {
+   int result = STATE_OK;
++  int result_ssl = STATE_OK;
+   int page_len = 0;
+   int i;
+   char *force_host_header = NULL;
+@@ -852,9 +853,9 @@ check_http (void)
+         /* check certificate with OpenSSL functions, curl has been built against OpenSSL
+          * and we actually have OpenSSL in the monitoring tools
+          */
+-        result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
++        result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+         if (!continue_after_check_cert) {
+-          return result;
++          return result_ssl;
+         }
+ #else /* USE_OPENSSL */
+         die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
+@@ -898,17 +899,17 @@ check_http (void)
+ 						die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
+           }
+           BIO_free (cert_BIO);
+-          result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
++          result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+           if (!continue_after_check_cert) {
+-            return result;
++            return result_ssl;
+           }
+ #else /* USE_OPENSSL */
+           /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+            * so we use the libcurl CURLINFO data
+            */
+-          result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
++          result_ssl = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+           if (!continue_after_check_cert) {
+-            return result;
++            return result_ssl;
+           }
+ #endif /* USE_OPENSSL */
+         } else {
+@@ -1176,7 +1177,7 @@ check_http (void)
+     }
+ 
+   /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
+-  die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
++  die (max_state_alt(result, result_ssl), "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
+     state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
+     status_line.http_code, status_line.msg,
+     strlen(msg) > 0 ? " - " : "",
+@@ -1186,7 +1187,7 @@ check_http (void)
+     (show_body ? body_buf.buf : ""),
+     (show_body ? "\n" : "") );
+ 
+-  return result;
++  return max_state_alt(result, result_ssl);
+ }
+ 
+ int
diff --git a/debian/patches/series b/debian/patches/series
index 76ba0a4..b159683 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,4 +2,5 @@
 03_epn
 # commited upstream
 10_check_curl_fix_redirects
+11_check_curl_raise_ssl_issue
 # feature patches