[Pkg-nagios-changes] [pkg-nagios-plugins-contrib] 03/03: check_ssl_cert: Updating to 1.37

Jan Wagner waja at moszumanska.debian.org
Tue Jan 3 23:48:38 UTC 2017


This is an automated email from the git hooks/post-receive script.

waja pushed a commit to branch master
in repository pkg-nagios-plugins-contrib.

commit 59eb257ba4dd913593152973da8db2b8bc01ba8c
Author: Jan Wagner <waja at cyconet.org>
Date:   Wed Jan 4 00:28:44 2017 +0100

    check_ssl_cert: Updating to 1.37
---
 check_ssl_cert/check_ssl_cert-1.36.1/VERSION       |  1 -
 .../AUTHORS                                        |  3 +-
 .../COPYING                                        |  0
 .../COPYRIGHT                                      |  0
 .../ChangeLog                                      |  8 +++
 .../INSTALL                                        |  0
 .../Makefile                                       |  0
 .../NEWS                                           |  2 +
 .../README.md                                      |  0
 .../TODO                                           |  0
 check_ssl_cert/check_ssl_cert-1.37/VERSION         |  1 +
 .../check_ssl_cert                                 | 69 ++++++++++++++++------
 .../check_ssl_cert.1                               |  4 +-
 .../check_ssl_cert.spec                            |  8 ++-
 .../test/cabundle.crt                              |  0
 .../test/cacert.crt                                |  0
 .../test/unit_tests.sh                             | 23 +++++++-
 check_ssl_cert/control                             |  2 +-
 check_ssl_cert/src                                 |  2 +-
 19 files changed, 97 insertions(+), 26 deletions(-)

diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/VERSION b/check_ssl_cert/check_ssl_cert-1.36.1/VERSION
deleted file mode 100644
index f107550..0000000
--- a/check_ssl_cert/check_ssl_cert-1.36.1/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.36.1
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS b/check_ssl_cert/check_ssl_cert-1.37/AUTHORS
similarity index 96%
rename from check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS
rename to check_ssl_cert/check_ssl_cert-1.37/AUTHORS
index d1e3aa7..ad1a0ae 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/AUTHORS
+++ b/check_ssl_cert/check_ssl_cert-1.37/AUTHORS
@@ -52,4 +52,5 @@ Thanks:
 * Many thanks to xert for the SSLLabs patch
 * Many thanks to Leynos (https://github.com/leynos) for the OCSP proxy patch
 * Many thanks to Philippe Kueck for the selection of the cipher authentication
-* Many thanks to Jalonet (https://github.com/jalonet) for the file/PEM patch
\ No newline at end of file
+* Many thanks to Jalonet (https://github.com/jalonet) for the file/PEM patch
+* Many thanks to Sander Cornelissen (https://github.com/scornelissen85) for the multiple CNs patch
\ No newline at end of file
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/COPYING b/check_ssl_cert/check_ssl_cert-1.37/COPYING
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/COPYING
rename to check_ssl_cert/check_ssl_cert-1.37/COPYING
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/COPYRIGHT b/check_ssl_cert/check_ssl_cert-1.37/COPYRIGHT
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/COPYRIGHT
rename to check_ssl_cert/check_ssl_cert-1.37/COPYRIGHT
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog b/check_ssl_cert/check_ssl_cert-1.37/ChangeLog
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog
rename to check_ssl_cert/check_ssl_cert-1.37/ChangeLog
index dc9bbe0..1108903 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/ChangeLog
+++ b/check_ssl_cert/check_ssl_cert-1.37/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-23  Matteo Corti  <matteo at corti.li>
+
+	* check_ssl_cert: Added patch to specify multiple CNs (see https://github.com/matteocorti/check_ssl_cert/pull/35) 
+
+2016-12-13  Matteo Corti  <matteo at corti.li>
+
+	* check_ssl_cert: fixed a minor problem with --debug
+
 2016-12-06  Matteo Corti  <matteo at corti.li>
 
 	* check_ssl_cert: fixed a problem when specifying a CN beginnging with *
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/INSTALL b/check_ssl_cert/check_ssl_cert-1.37/INSTALL
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/INSTALL
rename to check_ssl_cert/check_ssl_cert-1.37/INSTALL
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/Makefile b/check_ssl_cert/check_ssl_cert-1.37/Makefile
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/Makefile
rename to check_ssl_cert/check_ssl_cert-1.37/Makefile
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/NEWS b/check_ssl_cert/check_ssl_cert-1.37/NEWS
similarity index 98%
rename from check_ssl_cert/check_ssl_cert-1.36.1/NEWS
rename to check_ssl_cert/check_ssl_cert-1.37/NEWS
index 7bfcd62..e07edb5 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/NEWS
+++ b/check_ssl_cert/check_ssl_cert-1.37/NEWS
@@ -1,3 +1,5 @@
+2016-12-23 Version 1.37.0: Added a patch to specify multiple CNs
+2016-12-13 Version 1.36.2: fixed a minor problem with --debug
 2016-12-06 Version 1.36.1: fixed a problem when specifying a CN beginning with *
 2016-12-04 Version 1.36.0: fixed problem when file is returing PEM certificate on newer
                            Linux distributions
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/README.md b/check_ssl_cert/check_ssl_cert-1.37/README.md
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/README.md
rename to check_ssl_cert/check_ssl_cert-1.37/README.md
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/TODO b/check_ssl_cert/check_ssl_cert-1.37/TODO
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/TODO
rename to check_ssl_cert/check_ssl_cert-1.37/TODO
diff --git a/check_ssl_cert/check_ssl_cert-1.37/VERSION b/check_ssl_cert/check_ssl_cert-1.37/VERSION
new file mode 100644
index 0000000..bf50e91
--- /dev/null
+++ b/check_ssl_cert/check_ssl_cert-1.37/VERSION
@@ -0,0 +1 @@
+1.37.0
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
index 775ac4c..c0365fd 100755
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert
@@ -19,7 +19,7 @@
 ################################################################################
 # Constants
 
-VERSION=1.36.1
+VERSION=1.37.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -75,7 +75,8 @@ usage() {
     echo "                                enddate, startdate, subject, issuer, modulus,"
     echo "                                serial, hash, email, ocsp_uri and fingerprint."
     echo "                              'all' will include all the available attributes."
-    echo "   -n,--cn name               pattern to match the CN of the certificate"
+    echo "   -n,--cn name               pattern to match the CN of the certificate (can be"
+    echo "                              specified multiple times)"
     echo "      --no_ssl2               disable SSL version 2"
     echo "      --no_ssl3               disable SSL version 3"
     echo "      --no_tls1               disable TLS version 1"
@@ -113,7 +114,7 @@ usage() {
     echo "   -S,--ssl version           force SSL version (2,3)"
     echo "                              (see: --ss2 or --ssl3)"
     echo
-    echo "Report bugs to: Matteo Corti <matteo at corti.li>"
+    echo "Report bugs to https://github.com/matteocorti/check_ssl_cert/issues"
     echo
 
     exit 3
@@ -596,7 +597,11 @@ main() {
                ;;
             -n|--cn)
                 if [ $# -gt 1 ]; then
-                    COMMON_NAME="$2"
+		    if [ -n "${COMMON_NAME}" ]; then
+		      COMMON_NAME="${COMMON_NAME} ${2}"
+		    else
+                      COMMON_NAME="${2}"
+		    fi
                     shift 2
                 else
                     unknown "-n,--cn requires an argument"
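Review bot: The `-n|--cn` branch now builds `COMMON_NAME` as a space-joined list, but nothing says so, and a single `-n` value that itself contains a space is silently treated as two names by the later `for cn in ${COMMON_NAME}` loop. I would add `# COMMON_NAME is a space-separated list; every -n appends one entry` above the new `if` and reject values containing whitespace with `unknown`. The added lines also mix tabs and spaces inside one `if`/`else`, unlike the space-indented code around them. The enclosing `case` in `main` continues outside the hunk.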
@@ -928,13 +933,18 @@ main() {
     #
     SERVERNAME=
     if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
-
-        if [ -n "${COMMON_NAME}" ] ; then
+	
+        if [ -n "${COMMON_NAME}" ] && [ "${COMMON_NAME}" = "$(echo "${COMMON_NAME}" | tr -d ' ')" ] ; then
             SERVERNAME="-servername ${COMMON_NAME}"
         else
             SERVERNAME="-servername ${HOST}"
         fi
 
+	if [ -n "${DEBUG}" ] ; then
+            echo "[DBG] '${OPENSSL} s_client' supports '-servername': using ${SERVERNAME}"
+	fi
+
+	
     else
 
         if [ -n "${VERBOSE}" ] ; then
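Review bot: When more than one `-n` is given, the new condition makes the SNI name fall back to `${HOST}` without saying so, so the certificate fetched may be the one served for the host rather than for any of the requested CNs. That is a defensible choice, but it should be stated: a comment such as `# several CNs: no single name to send as SNI, fall back to the host name` above the `if`, plus a sentence in the `--cn` help text. The space test could also avoid the `echo | tr` subshell with `case "${COMMON_NAME}" in *' '*) ... ;; esac`. `main` starts and ends outside the hunk.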
@@ -1242,26 +1252,41 @@ main() {
         # Check alterante names
         if [ -n "${ALTNAMES}" ] ; then
 
-            if [ -n "${DEBUG}" ] ; then
-                echo "[DBG] checking altnames"
-            fi
+            for cn in ${COMMON_NAME} ; do
 
-            for alt_name in $($OPENSSL x509 -in "${CERT}" -text \
-                | grep --after-context=1 "509v3 Subject Alternative Name:" \
-                | tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g") ; do
+                ok=""
 
                 if [ -n "${DEBUG}" ] ; then
-                    echo "[DBG]   ${alt_name}"
+                    echo "[DBG] checking altnames against ${cn}"
                 fi
 
-		if echo "${COMMON_NAME}" | grep -q -i "^${alt_name}$" ; then
-                    ok="true"
-		fi
+                for alt_name in $($OPENSSL x509 -in "${CERT}" -text \
+                    | grep --after-context=1 "509v3 Subject Alternative Name:" \
+                    | tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g") ; do
+
+                    if [ -n "${DEBUG}" ] ; then
+                        echo "[DBG]   ${alt_name}"
+                    fi
+
+		    if echo "${cn}" | grep -q -i "^${alt_name}$" ; then
+                        ok="true"
+		    fi
+
+                done
+
+                if [ -z "$ok" ] ; then
+                    fail=$cn
+                    break;
+                fi
 
             done
 
         fi
 
+        if [ -n "$fail" ] ; then
+           critical "invalid CN ('$CN' does not match '$fail')"
+        fi
+
         if [ -z "$ok" ] ; then
             critical "invalid CN ('$CN' does not match '$COMMON_NAME')"
         fi
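Review bot: `for cn in ${COMMON_NAME}` is expanded unquoted, so besides the intended word splitting each entry is also subject to pathname expansion, and a CN pattern containing `*`, `?` or `[` can be replaced by file names from the working directory before it is compared; wrapping the loop in `set -f` / `set +f` keeps the splitting and disables globbing. In the inner comparison, `grep -q -i "^${alt_name}$"` uses the subject alternative name from the certificate as a regular expression, so every `.` in it matches any character and a requested name that is not in the certificate can still pass; `grep -q -i -F -x -- "${alt_name}"` compares literally. `fail` is not initialised anywhere in the hunk, so unless it is cleared earlier in `main` (outside the hunk) a value inherited from the environment would trigger the new `critical`. The `openssl x509` pipeline is also re-run for every CN and could be hoisted above the outer loop.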
@@ -1509,8 +1534,16 @@ main() {
         fi
 
 	if [ -n "${DEBUG}" ] ; then
-	    echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${ISSUER_URI##*/}"
-	    cp "${ISSUER_CERT}" "${ISSUER_URI##*/}"
+
+	    # remove trailing /
+	    FILE_NAME=${ISSUER_URI%/}
+
+	    # remove everything up to the last slash
+	    FILE_NAME=${FILE_NAME##*/}
+	    
+	    echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+	    
+	    cp "${ISSUER_CERT}" "${FILE_NAME}"
 	fi
 	
         OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\([^/]\+\)\(/.*\)\?\$@\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
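Review bot: `FILE_NAME` is the last path component of `ISSUER_URI`, which appears to come from the certificate under test, and it is used as a `cp` destination in the current directory without any check. It can end up empty (a URI ending in `//`), `.` or `..`, or name a file that already exists in the working directory, which `cp` then overwrites. Even on a debug-only path I would guard it, e.g. `case "${FILE_NAME}" in ''|.|..) FILE_NAME="issuer_cert.pem" ;; esac`, and prefer writing under a directory created with `mktemp -d`. The OCSP block that encloses this `if` starts outside the hunk.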
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1 b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
similarity index 96%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
index 34433b2..a730d18 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.1
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii foo.1
 .\"
-.TH "check_ssl_cert" 1 "December, 2016" "1.36.1" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "December, 2016" "1.37.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -74,7 +74,7 @@ append the specified comma separated (no spaces) list of attributes to the plugi
 Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
 .TP
 .BR "-n,---cn" " name"
-pattern to match the CN of the certificate
+pattern to match the CN of the certificate (can be specified multiple times)
 .TP
 .BR "   --no_ssl2"
 disable SSL version 2
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
similarity index 97%
rename from check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec
rename to check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
index c06780b..b41584f 100644
--- a/check_ssl_cert/check_ssl_cert-1.36.1/check_ssl_cert.spec
+++ b/check_ssl_cert/check_ssl_cert-1.37/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%define version          1.36.1
+%define version          1.37.0
 %define release          0
 %define sourcename       check_ssl_cert
 %define packagename      nagios-plugins-check_ssl_cert
@@ -45,6 +45,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{sourcename}.1*
 
 %changelog
+* Fri Dec 23 2016 Matteo Corti <matteo at corti.li> - 1.37.0-0
+- Updated to 1.37.0
+
+* Tue Dec 13 2016 Matteo Corti <matteo at corti.li> - 1.36.2-0
+- Updated to 1.36.2
+
 * Tue Dec 06 2016 Matteo Corti <matteo at corti.li> - 1.36.1-0
 - Updated to 1.36.1
 
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/cabundle.crt b/check_ssl_cert/check_ssl_cert-1.37/test/cabundle.crt
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/cabundle.crt
rename to check_ssl_cert/check_ssl_cert-1.37/test/cabundle.crt
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/cacert.crt b/check_ssl_cert/check_ssl_cert-1.37/test/cacert.crt
similarity index 100%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/cacert.crt
rename to check_ssl_cert/check_ssl_cert-1.37/test/cacert.crt
diff --git a/check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh b/check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
similarity index 84%
rename from check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh
rename to check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
index 885ef5a..d676423 100755
--- a/check_ssl_cert/check_ssl_cert-1.36.1/test/unit_tests.sh
+++ b/check_ssl_cert/check_ssl_cert-1.37/test/unit_tests.sh
@@ -105,6 +105,27 @@ testAltNames2() {
     assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
 }
 
+testMultipleAltNamesOK() {
+    # Test with multiple CN's
+    ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n ethz.ch --rootcert cabundle.crt --altnames
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+}
+
+testMultipleAltNamesFailOne() {
+    # Test with wiltiple CN's but last one is wrong
+    ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --rootcert cabundle.crt --altnames
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+}
+
+testMultipleAltNamesFailTwo() {
+    # Test with multiple CN's but first one is wrong
+    ${SCRIPT} -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --rootcert cabundle.crt --altnames
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+}
+
 testAltNames2CaseInsensitive() {
     # should fail: inf.ethz.ch has the same ip as www.inf.ethz.ch but inf.ethz.ch is not in the certificate
     ${SCRIPT} -H inf.ethz.ch --cn INF.ETHZ.CH --rootcert cabundle.crt --altnames
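Review bot: All three new tests pass `--altnames`, so nothing covers several `-n` options without it, where the space-joined `COMMON_NAME` is compared by code outside this diff; a fourth case such as `${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n ethz.ch --rootcert cabundle.crt` with the intended exit code would pin that behaviour. The comment in `testMultipleAltNamesFailOne` has a typo, `wiltiple` for `multiple`. Like the existing cases, these depend on the live certificate of `inf.ethz.ch`, so a change on that server changes the results.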
@@ -162,7 +183,7 @@ unset SOURCE_ONLY
 # We clone to output to pass it to grep as shunit does always return 0
 # We parse the output to check if a test failed
 #
-if ! . "${SHUNIT2}" | tee /dev/tty | grep -q 'success rate: 100%' ; then
+if ! . "${SHUNIT2}" | tee /dev/tty | grep -q 'tests\ total:\ *[0-9]*\ 100%' ; then
     # at least one of the tests failed
     exit 1
 fi
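Review bot: The new pattern `'tests\ total:\ *[0-9]*\ 100%'` escapes spaces that the single quotes already protect; a backslash before a space is undefined in POSIX basic regular expressions, and recent GNU grep prints a "stray \ before white space" warning for it. `grep -q 'tests total: *[0-9]* 100%'` matches the same line. A short comment naming the shunit2 summary line the pattern expects would also help, since the check depends on the exact output format of the installed shunit2 version.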
diff --git a/check_ssl_cert/control b/check_ssl_cert/control
index adce6e6..5bc2458 100644
--- a/check_ssl_cert/control
+++ b/check_ssl_cert/control
@@ -1,7 +1,7 @@
 Uploaders: Jan Wagner <waja at cyconet.org>
 Recommends: openssl
 Suggests: expect
-Version: 1.36.1
+Version: 1.37
 Homepage: https://github.com/matteocorti/check_ssl_cert
 Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
 Description: plugin to check the CA and validity of an
diff --git a/check_ssl_cert/src b/check_ssl_cert/src
index de85fd5..1f10c26 120000
--- a/check_ssl_cert/src
+++ b/check_ssl_cert/src
@@ -1 +1 @@
-check_ssl_cert-1.36.1/
\ No newline at end of file
+check_ssl_cert-1.37/
\ No newline at end of file

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-nagios-plugins-contrib.git


