[Pkg-nagios-changes] [pkg-nagios-plugins-contrib] 04/07: Fixes check_ssl_cert problems with Openssl > 1.1.x (Closes: 855253)
Bernd Zeimetz
bernd at bzed.de
Wed Feb 22 13:21:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
bzed pushed a commit to branch master
in repository pkg-nagios-plugins-contrib.
commit 6495faab2d9dc6424135cda90bea7575285f93ae
Author: Stefan Schörghofer <amd1212 at vier-ringe.at>
Date: Wed Feb 22 13:52:03 2017 +0100
Fixes check_ssl_cert problems with Openssl > 1.1.x (Closes: 855253)
---
debian/patches/check_ssl_cert/bug-855253-fix | 196 +++++++++++++++++++++++++++
debian/patches/series | 2 +-
2 files changed, 197 insertions(+), 1 deletion(-)
diff --git a/debian/patches/check_ssl_cert/bug-855253-fix b/debian/patches/check_ssl_cert/bug-855253-fix
new file mode 100644
index 0000000..c0408f9
--- /dev/null
+++ b/debian/patches/check_ssl_cert/bug-855253-fix
@@ -0,0 +1,196 @@
+--- a/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
++++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
+@@ -969,8 +969,12 @@
+
+ if [ -n "${OCSP}" ] ; then
+
+- ISSUER_CERT="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
+- if [ -z "${ISSUER_CERT}" ] || [ ! -w "${ISSUER_CERT}" ] ; then
++ ISSUER_CERT_TMP="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++ if [ -z "${ISSUER_CERT_TMP}" ] || [ ! -w "${ISSUER_CERT_TMP}" ] ; then
++ unknown 'temporary file creation failure.'
++ fi
++ ISSUER_CERT_TMP2="$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )"
++ if [ -z "${ISSUER_CERT_TMP2}" ] || [ ! -w "${ISSUER_CERT_TMP2}" ] ; then
+ unknown 'temporary file creation failure.'
+ fi
+
+@@ -992,7 +996,7 @@
+
+ # Cleanup before program termination
+ # Using named signals to be POSIX compliant
+- trap 'rm -f $CERT $ERROR $ISSUER_CERT' EXIT HUP INT QUIT TERM
++ trap 'rm -f $CERT $ERROR $ISSUER_CERT_TMP $ISSUER_CERT_TMP2' EXIT HUP INT QUIT TERM
+
+ fetch_certificate
+
+@@ -1348,8 +1352,11 @@
+ # Check the validity
+ if [ -z "${NOEXP}" ] ; then
+
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] Checking expiration date"
++ fi
+ # We always check expired certificates
+- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
++ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
+ critical "certificate is expired (was valid until $DATE)"
+ fi
+
+@@ -1359,7 +1366,7 @@
+ echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
+ fi
+
+- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) ; then
++ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) > /dev/null ; then
+ critical "certificate will expire on $DATE"
+ fi
+
+@@ -1371,7 +1378,7 @@
+ echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( WARNING * 86400 ))"
+ fi
+
+- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) ; then
++ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) > /dev/null ; then
+ warning "certificate will expire on $DATE"
+ fi
+
+@@ -1504,34 +1511,36 @@
+ if [ -n "${OCSP}" ]; then
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT}"
++ echo "[DBG] OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT_TMP}"
+ fi
+
+- curl --silent "${ISSUER_URI}" > "${ISSUER_CERT}"
++ curl --silent "${ISSUER_URI}" > "${ISSUER_CERT_TMP}"
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT}" | sed 's/.*://' )"
++ echo "[DBG] OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+ fi
+
+ # check the result
+- if ! "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': (ASCII|PEM)' ; then
++ if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': (ASCII|PEM)' ; then
+
+- if "${FILE_BIN}" "${ISSUER_CERT}" | grep -q ': data' ; then
++ if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -q ': data' ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] OCSP: converting issuer certificate from DER to PEM"
+ fi
+
+- openssl x509 -inform DER -outform PEM -in "${ISSUER_CERT}" -out "${ISSUER_CERT}"
++ cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
++
++ $OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+
+- else
++ else
+
+ unknown "Unable to fetch OCSP issuer certificate."
+
+- fi
++ fi
+
+
+- fi
++ fi
+
+ if [ -n "${DEBUG}" ] ; then
+
+@@ -1543,7 +1552,7 @@
+
+ echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+
+- cp "${ISSUER_CERT}" "${FILE_NAME}"
++ cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
+ fi
+
+ OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\([^/]\+\)\(/.*\)\?\$@\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
+@@ -1563,33 +1572,54 @@
+ echo "[DBG] openssl ocsp support the -header option"
+ fi
+
++ # the -header option was first accepting key and value separated by space. The newer versions are using key=value
++ KEYVALUE=""
++ if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] openssl ocsp -header requires 'key=value'"
++ fi
++ KEYVALUE=1
++ else
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] openssl ocsp -header requires 'key value'"
++ fi
++ fi
++
+ # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
+ # shellcheck disable=SC2154
+ if [ -n "${http_proxy}" ] ; then
+ HTTP_PROXY="${http_proxy}"
+ fi
+
+- if [ -n "${HTTP_PROXY:-}" ] ; then
++ if [ -n "${HTTP_PROXY:-}" ] ; then
++ if [ -n "${KEYVALUE}" ] ; then
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
++ fi
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
++ else
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
++ fi
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+
+- if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+- fi
+-
+- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
+-
+- else
+-
+- if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+- fi
+-
+- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 | grep -i "ssl_cert")"
++ fi
++ fi
+
+-
+- fi
++ if [ -n "${KEYVALUE}" ] ; then
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
++ fi
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
++ else
++ if [ -n "${DEBUG}" ] ; then
++ echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT_TMP} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
++ fi
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++ fi
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] OCSP: response = ${OCSP_RESP}"
++ echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
+ fi
+
+ if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+@@ -1597,9 +1627,9 @@
+ elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
+
+ if [ -n "${HTTP_PROXY:-}" ] ; then
+- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT_TMP}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ fi
+ critical "${OCSP_RESP}"
+
diff --git a/debian/patches/series b/debian/patches/series
index 52daaa3..b2c8c46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -43,7 +43,6 @@ dsa/check_packages_location
dsa/status_directory
dsa/check_packages-inifile
dsa/epn
-
dsa/check_packages_,_fix
check_cups/ParseDateDelta
check_printer/epn
@@ -53,3 +52,4 @@ check_varnish/fix_for_v5
check_raid/no_epn
check_raid/fix_mdadm_hotspare_failure_detection
percona-nagios-plugins/fix_bashism
+check_ssl_cert/bug-855253-fix
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-nagios-plugins-contrib.git
More information about the Pkg-nagios-changes
mailing list