[Pkg-nagios-changes] [pkg-nagios-plugins-contrib] 03/03: check_ssl_cert: Updating to 1.37
Jan Wagner
waja at moszumanska.debian.org
Tue Jan 3 23:48:38 UTC 2017
This is an automated email from the git hooks/post-receive script.
waja pushed a commit to branch master
in repository pkg-nagios-plugins-contrib.
commit 59eb257ba4dd913593152973da8db2b8bc01ba8c
Author: Jan Wagner <waja at cyconet.org>
Date: Wed Jan 4 00:28:44 2017 +0100
check_ssl_cert: Updating to 1.37
---
check_ssl_cert/check_ssl_cert-1.36.1/VERSION | 1 -
.../AUTHORS | 3 +-
.../COPYING | 0
.../COPYRIGHT | 0
.../ChangeLog | 8 +++
.../INSTALL | 0
.../Makefile | 0
.../NEWS | 2 +
.../README.md | 0
.../TODO | 0
check_ssl_cert/check_ssl_cert-1.37/VERSION | 1 +
.../check_ssl_cert | 69 ++++++++++++++++------
.../check_ssl_cert.1 | 4 +-
.../check_ssl_cert.spec | 8 ++-
.../test/cabundle.crt | 0
.../test/cacert.crt | 0
.../test/unit_tests.sh | 23 +++++++-
check_ssl_cert/control | 2 +-
check_ssl_cert/src | 2 +-
19 files changed, 97 insertions(+), 26 deletions(-)
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/VERSION b/check_ssl_cert/check_ssl_cert-1.36.1/VERSION
deleted file mode 100644
index f107550..0000000
--- a/check_ssl_cert/check_ssl_cert-1.36.1/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.36.1
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS b/check_ssl_cert/check_ssl_cert-1.37/AUTHORS
similarity index 96%
rename from check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS
rename to check_ssl_cert/check_ssl_cert-1.37/AUTHORS
index d1e3aa7..ad1a0ae 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS
+++ b/check_ssl_cert/check_ssl_cert-1.37/AUTHORS
@@ -52,4 +52,5 @@ Thanks:
* Many thanks to xert for the SSLLabs patch
* Many thanks to Leynos (https://github.com/leynos) for the OCSP proxy patch
* Many thanks to Philippe Kueck for the selection of the cipher authentication
-* Many thanks to Jalonet (https://github.com/jalonet) for the file/PEM patch
\ No newline at end of file
+* Many thanks to Jalonet (https://github.com/jalonet) for the file/PEM patch
+* Many thanks to Sander Cornelissen (https://github.com/scornelissen85) for the multiple CNs patch
\ No newline at end of file
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/COPYING b/check_ssl_cert/check_ssl_cert-1.37/COPYING
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/COPYING
rename to check_ssl_cert/check_ssl_cert-1.37/COPYING
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/COPYRIGHT b/check_ssl_cert/check_ssl_cert-1.37/COPYRIGHT
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/COPYRIGHT
rename to check_ssl_cert/check_ssl_cert-1.37/COPYRIGHT
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog b/check_ssl_cert/check_ssl_cert-1.37/ChangeLog
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog
rename to check_ssl_cert/check_ssl_cert-1.37/ChangeLog
index dc9bbe0..1108903 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog
+++ b/check_ssl_cert/check_ssl_cert-1.37/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-23 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Added patch to specify multiple CNs (see https://github.com/matteocorti/check_ssl_cert/pull/35)
+
+2016-12-13 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: fixed a minor problem with --debug
+
2016-12-06 Matteo Corti <matteo at corti.li>
* check_ssl_cert: fixed a problem when specifying a CN beginnging with *
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/INSTALL b/check_ssl_cert/check_ssl_cert-1.37/INSTALL
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/INSTALL
rename to check_ssl_cert/check_ssl_cert-1.37/INSTALL
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/Makefile b/check_ssl_cert/check_ssl_cert-1.37/Makefile
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/Makefile
rename to check_ssl_cert/check_ssl_cert-1.37/Makefile
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/NEWS b/check_ssl_cert/check_ssl_cert-1.37/NEWS
similarity index 98%
rename from check_ssl_cert/check_ssl_cert-1.36.1/NEWS
rename to check_ssl_cert/check_ssl_cert-1.37/NEWS
index 7bfcd62..e07edb5 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/NEWS
+++ b/check_ssl_cert/check_ssl_cert-1.37/NEWS
@@ -1,3 +1,5 @@
+2016-12-23 Version 1.37.0: Added a patch to specify multiple CNs
+2016-12-13 Version 1.36.2: fixed a minor problem with --debug
2016-12-06 Version 1.36.1: fixed a problem when specifying a CN beginning with *
2016-12-04 Version 1.36.0: fixed problem when file is returing PEM certificate on newer
Linux distributions
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/README.md b/check_ssl_cert/check_ssl_cert-1.37/README.md
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/README.md
rename to check_ssl_cert/check_ssl_cert-1.37/README.md
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/TODO b/check_ssl_cert/check_ssl_cert-1.37/TODO
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/TODO
rename to check_ssl_cert/check_ssl_cert-1.37/TODO
diff --git a/check_ssl_cert/check_ssl_cert-1.37/VERSION b/check_ssl_cert/check_ssl_cert-1.37/VERSION
new file mode 100644
index 0000000..bf50e91
--- /dev/null
+++ b/check_ssl_cert/check_ssl_cert-1.37/VERSION
@@ -0,0 +1 @@
+1.37.0
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
index 775ac4c..c0365fd 100755
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.36.1
+VERSION=1.37.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -75,7 +75,8 @@ usage() {
echo " enddate, startdate, subject, issuer, modulus,"
echo " serial, hash, email, ocsp_uri and fingerprint."
echo " 'all' will include all the available attributes."
- echo " -n,--cn name pattern to match the CN of the certificate"
+ echo " -n,--cn name pattern to match the CN of the certificate (can be"
+ echo " specified multiple times)"
echo " --no_ssl2 disable SSL version 2"
echo " --no_ssl3 disable SSL version 3"
echo " --no_tls1 disable TLS version 1"
@@ -113,7 +114,7 @@ usage() {
echo " -S,--ssl version force SSL version (2,3)"
echo " (see: --ss2 or --ssl3)"
echo
- echo "Report bugs to: Matteo Corti <matteo at corti.li>"
+ echo "Report bugs to https://github.com/matteocorti/check_ssl_cert/issues"
echo
exit 3
@@ -596,7 +597,11 @@ main() {
;;
-n|--cn)
if [ $# -gt 1 ]; then
- COMMON_NAME="$2"
+ if [ -n "${COMMON_NAME}" ]; then
+ COMMON_NAME="${COMMON_NAME} ${2}"
+ else
+ COMMON_NAME="${2}"
+ fi
shift 2
else
unknown "-n,--cn requires an argument"
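Review bot: Accumulating the names in one space-separated string makes whitespace the list delimiter, yet the value of `$2` is appended unchecked in the `-n|--cn` arm. A name containing a space is therefore split into several names later by `for cn in ${COMMON_NAME}` (hunk at -1242), and it also flips the single-name test used for SNI (hunk at -928). Rejecting it at parse time keeps the three places consistent, e.g. `case "${2}" in *[[:space:]]*) unknown "-n,--cn: name must not contain whitespace" ;; esac` before the assignment. The option loop and main() start and end outside the hunk.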
@@ -928,13 +933,18 @@ main() {
#
SERVERNAME=
if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
-
- if [ -n "${COMMON_NAME}" ] ; then
+
+ if [ -n "${COMMON_NAME}" ] && [ "${COMMON_NAME}" = "$(echo "${COMMON_NAME}" | tr -d ' ')" ] ; then
SERVERNAME="-servername ${COMMON_NAME}"
else
SERVERNAME="-servername ${HOST}"
fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] '${OPENSSL} s_client' supports '-servername': using ${SERVERNAME}"
+ fi
+
+
else
if [ -n "${VERBOSE}" ] ; then
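Review bot: The rule for choosing the SNI name is not documented at the new condition `[ "${COMMON_NAME}" = "$(echo "${COMMON_NAME}" | tr -d ' ')" ]`, which is true only when exactly one name was given. With several `-n` options the handshake falls back to `${HOST}`, so every listed name is checked against whatever certificate the server presents for the host. A comment above the test would record that, for example `# SNI takes a single name: with several -n values (space-separated) fall back to the host`. The space test itself reads more directly as `case "${COMMON_NAME}" in *' '*) ... ;; esac`, which also avoids the subshell and `tr`. main() starts and ends outside the hunk.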
@@ -1242,26 +1252,41 @@ main() {
# Check alterante names
if [ -n "${ALTNAMES}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] checking altnames"
- fi
+ for cn in ${COMMON_NAME} ; do
- for alt_name in $($OPENSSL x509 -in "${CERT}" -text \
- | grep --after-context=1 "509v3 Subject Alternative Name:" \
- | tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g") ; do
+ ok=""
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${alt_name}"
+ echo "[DBG] checking altnames against ${cn}"
fi
- if echo "${COMMON_NAME}" | grep -q -i "^${alt_name}$" ; then
- ok="true"
- fi
+ for alt_name in $($OPENSSL x509 -in "${CERT}" -text \
+ | grep --after-context=1 "509v3 Subject Alternative Name:" \
+ | tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g") ; do
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] ${alt_name}"
+ fi
+
+ if echo "${cn}" | grep -q -i "^${alt_name}$" ; then
+ ok="true"
+ fi
+
+ done
+
+ if [ -z "$ok" ] ; then
+ fail=$cn
+ break;
+ fi
done
fi
+ if [ -n "$fail" ] ; then
+ critical "invalid CN ('$CN' does not match '$fail')"
+ fi
+
if [ -z "$ok" ] ; then
critical "invalid CN ('$CN' does not match '$COMMON_NAME')"
fi
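Review bot: The new outer loop `for cn in ${COMMON_NAME}` expands the list unquoted, so a `-n` value containing `*` or `?` is also subject to pathname expansion against the working directory before it is compared; `set -f` before the loop and `set +f` after it keeps the split but disables globbing. In the inner loop, `grep -q -i "^${alt_name}$"` still treats each subjectAltName entry read from the certificate as a regular expression, so `.` matches any character and the check is looser than a literal name comparison; `grep -q -i -x -F -- "${alt_name}"` would compare literally, assuming wildcard entries are not meant to be expanded here. `fail` is not initialised anywhere in the hunk, so `fail=""` next to the loop would keep an inherited environment value from reaching the new `critical` call. main() starts and ends outside the hunk.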
@@ -1509,8 +1534,16 @@ main() {
fi
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${ISSUER_URI##*/}"
- cp "${ISSUER_CERT}" "${ISSUER_URI##*/}"
+
+ # remove trailing /
+ FILE_NAME=${ISSUER_URI%/}
+
+ # remove everything up to the last slash
+ FILE_NAME=${FILE_NAME##*/}
+
+ echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+
+ cp "${ISSUER_CERT}" "${FILE_NAME}"
fi
OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\([^/]\+\)\(/.*\)\?\$@\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
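Review bot: The debug copy `cp "${ISSUER_CERT}" "${FILE_NAME}"` writes into the current directory under a name derived from `ISSUER_URI`, which presumably comes from the certificate being checked, and the name is not validated after the two expansions. An empty result, `.` or `..`, or a name beginning with `-` are not handled, and an existing file of the same name is overwritten. A guard such as `[ -n "${FILE_NAME}" ] && [ "${FILE_NAME}" != "." ] && [ "${FILE_NAME}" != ".." ]` followed by `cp -- "${ISSUER_CERT}" "./${FILE_NAME}"` would contain it; writing the copy to a `mktemp` path and printing that path would avoid the certificate-chosen name altogether. The enclosing block of main() starts and ends outside the hunk.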
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1 b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
similarity index 96%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
index 34433b2..a730d18 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
-.TH "check_ssl_cert" 1 "December, 2016" "1.36.1" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "December, 2016" "1.37.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -74,7 +74,7 @@ append the specified comma separated (no spaces) list of attributes to the plugi
Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
.TP
.BR "-n,---cn" " name"
-pattern to match the CN of the certificate
+pattern to match the CN of the certificate (can be specified multiple times)
.TP
.BR " --no_ssl2"
disable SSL version 2
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
index c06780b..b41584f 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%define version 1.36.1
+%define version 1.37.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Fri Dec 23 2016 Matteo Corti <matteo at corti.li> - 1.37.0-0
+- Updated to 1.37.0
+
+* Tue Dec 13 2016 Matteo Corti <matteo at corti.li> - 1.36.2-0
+- Updated to 1.36.2
+
* Tue Dec 06 2016 Matteo Corti <matteo at corti.li> - 1.36.1-0
- Updated to 1.36.1
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/cabundle.crt b/check_ssl_cert/check_ssl_cert-1.37/test/cabundle.crt
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/cabundle.crt
rename to check_ssl_cert/check_ssl_cert-1.37/test/cabundle.crt
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/cacert.crt b/check_ssl_cert/check_ssl_cert-1.37/test/cacert.crt
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/cacert.crt
rename to check_ssl_cert/check_ssl_cert-1.37/test/cacert.crt
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh b/check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
similarity index 84%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh
rename to check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
index 885ef5a..d676423 100755
--- a/check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh
+++ b/check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
@@ -105,6 +105,27 @@ testAltNames2() {
assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
}
+testMultipleAltNamesOK() {
+ # Test with multiple CN's
+ ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n ethz.ch --rootcert cabundle.crt --altnames
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+}
+
+testMultipleAltNamesFailOne() {
+ # Test with wiltiple CN's but last one is wrong
+ ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --rootcert cabundle.crt --altnames
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+}
+
+testMultipleAltNamesFailTwo() {
+ # Test with multiple CN's but first one is wrong
+ ${SCRIPT} -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --rootcert cabundle.crt --altnames
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+}
+
testAltNames2CaseInsensitive() {
# should fail: inf.ethz.ch has the same ip as www.inf.ethz.ch but inf.ethz.ch is not in the certificate
${SCRIPT} -H inf.ethz.ch --cn INF.ETHZ.CH --rootcert cabundle.crt --altnames
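Review bot: The three new cases all pass `--altnames`, so the path where several `-n` values are given without it is not exercised; in the script hunk at -1242 that path skips the new loop and reaches the `$ok` check with the space-joined list. A fourth case without `--altnames`, asserting whichever exit code is intended, would pin that behaviour. The comment in testMultipleAltNamesFailOne has a typo and should read `# Test with multiple CN's but last one is wrong`. testAltNames2CaseInsensitive continues outside the hunk.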
@@ -162,7 +183,7 @@ unset SOURCE_ONLY
# We clone to output to pass it to grep as shunit does always return 0
# We parse the output to check if a test failed
#
-if ! . "${SHUNIT2}" | tee /dev/tty | grep -q 'success rate: 100%' ; then
+if ! . "${SHUNIT2}" | tee /dev/tty | grep -q 'tests\ total:\ *[0-9]*\ 100%' ; then
# at least one of the tests failed
exit 1
fi
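Review bot: The new pattern `'tests\ total:\ *[0-9]*\ 100%'` escapes spaces that are already inside single quotes, and a backslash before an ordinary character is undefined in POSIX basic regular expressions (newer GNU grep versions warn about a stray backslash before whitespace). If the match silently stops working, the `if !` branch decides the suite's exit status on the wrong basis, so the plain form `grep -q 'tests total: *[0-9]* 100%'` is safer. A short comment naming the shunit2 summary line this is meant to match would also help when the output format changes again.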
diff --git a/check_ssl_cert/control b/check_ssl_cert/control
index adce6e6..5bc2458 100644
--- a/check_ssl_cert/control
+++ b/check_ssl_cert/control
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: openssl
Suggests: expect
-Version: 1.36.1
+Version: 1.37
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
diff --git a/check_ssl_cert/src b/check_ssl_cert/src
index de85fd5..1f10c26 120000
--- a/check_ssl_cert/src
+++ b/check_ssl_cert/src
@@ -1 +1 @@
-check_ssl_cert-1.36.1/
\ No newline at end of file
+check_ssl_cert-1.37/
\ No newline at end of file
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-nagios-plugins-contrib.git