[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 3 commits: check_ssl_cert: Update to 1.96.0
Jan Wagner
gitlab at salsa.debian.org
Thu Oct 3 20:05:36 BST 2019
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
674775d2 by Jan Wagner at 2019-10-03T18:43:35Z
check_ssl_cert: Update to 1.96.0
- - - - -
c0cec30c by Jan Wagner at 2019-10-03T18:57:22Z
d/control.in: Bump Standards-Version to 4.4.1.0, no changes needed
- - - - -
ad53eecf by Jan Wagner at 2019-10-03T19:03:38Z
Update control
- - - - -
29 changed files:
- − check_ssl_cert/check_ssl_cert-1.85.0/README.md
- − check_ssl_cert/check_ssl_cert-1.85.0/VERSION
- check_ssl_cert/check_ssl_cert-1.85.0/._COPYRIGHT → check_ssl_cert/check_ssl_cert_1.96.0/._COPYRIGHT
- check_ssl_cert/check_ssl_cert-1.85.0/._Makefile → check_ssl_cert/check_ssl_cert_1.96.0/._Makefile
- check_ssl_cert/check_ssl_cert-1.85.0/._NEWS → check_ssl_cert/check_ssl_cert_1.96.0/._NEWS
- check_ssl_cert/check_ssl_cert-1.85.0/._check_ssl_cert → check_ssl_cert/check_ssl_cert_1.96.0/._check_ssl_cert
- check_ssl_cert/check_ssl_cert-1.85.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.96.0/AUTHORS
- check_ssl_cert/check_ssl_cert-1.85.0/COPYING → check_ssl_cert/check_ssl_cert_1.96.0/COPYING
- check_ssl_cert/check_ssl_cert-1.85.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.96.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert-1.85.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.96.0/ChangeLog
- check_ssl_cert/check_ssl_cert-1.85.0/INSTALL → check_ssl_cert/check_ssl_cert_1.96.0/INSTALL
- check_ssl_cert/check_ssl_cert-1.85.0/Makefile → check_ssl_cert/check_ssl_cert_1.96.0/Makefile
- check_ssl_cert/check_ssl_cert-1.85.0/NEWS → check_ssl_cert/check_ssl_cert_1.96.0/NEWS
- + check_ssl_cert/check_ssl_cert_1.96.0/README.md
- check_ssl_cert/check_ssl_cert-1.85.0/TODO → check_ssl_cert/check_ssl_cert_1.96.0/TODO
- + check_ssl_cert/check_ssl_cert_1.96.0/VERSION
- check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert-1.85.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.96.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert-1.85.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.96.0/test/cacert.crt
- + check_ssl_cert/check_ssl_cert_1.96.0/test/qvsslg2.crt
- check_ssl_cert/check_ssl_cert-1.85.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.96.0/test/unit_tests.sh
- + check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.crt
- + check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.error
- check_ssl_cert/control
- check_ssl_cert/src
- debian/control
- debian/control.in
Changes:
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/README.md deleted
=====================================
@@ -1,168 +0,0 @@
-
- (c) Matteo Corti, ETH Zurich, 2007-2012
-
- (c) Matteo Corti, 2007-2019
- see AUTHORS for the complete list of contributors
-
-# check_ssl_cert
-
-A Nagios plugin to check an X.509 certificate:
- - checks if the server is running and delivers a valid certificate
- - checks if the CA matches a given pattern
- - checks the validity
-
-## Usage
-
-```
-
-Usage: check_ssl_cert -H host [OPTIONS]
-
-Arguments:
- -H,--host host server
-
-Options:
- -A,--noauth ignore authority warnings (expiration only)
- --altnames matches the pattern specified in -n with alternate
- names too
- -C,--clientcert path use client certificate to authenticate
- --clientpass phrase set passphrase for client certificate.
- -c,--critical days minimum number of days a certificate has to be valid
- to issue a critical status
- --curl-bin path path of the curl binary to be used
- --curl-user-agent string user agent that curl shall use to obtain the issuer cert
- -d,--debug produces debugging output
- --ecdsa cipher selection: force ECDSA authentication
- -e,--email address pattern to match the email address contained in the
- certificate
- -f,--file file local file path (works with -H localhost only)
- with -f you can not only pass a x509 certificate file
- but also a certificate revocation list (CRL) to check
- the validity period
- --file-bin path path of the file binary to be used
- --fingerprint SHA1 pattern to match the SHA1-Fingerprint
- --force-perl-date force the usage of Perl for date computations
- --format FORMAT format output template on success, for example
- "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
- -h,--help,-? this help message
- --ignore-exp ignore expiration date
- --ignore-ocsp do not check revocation with OCSP
- --ignore-sig-alg do not check if the certificate was signed with SHA1
- or MD5
- --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
- -i,--issuer issuer pattern to match the issuer of the certificate
- --issuer-cert-cache dir directory where to store issuer certificates cache
- -L,--check-ssl-labs grade SSL Labs assessment
- (please check https://www.ssllabs.com/about/terms.html)
- --check-ssl-labs-warn-grade SSL-Labs grade on which to warn
- --long-output list append the specified comma separated (no spaces) list
- of attributes to the plugin output on additional lines
- Valid attributes are:
- enddate, startdate, subject, issuer, modulus,
- serial, hash, email, ocsp_uri and fingerprint.
- 'all' will include all the available attributes.
- -n,--cn name pattern to match the CN of the certificate (can be
- specified multiple times)
- --no_ssl2 disable SSL version 2
- --no_ssl3 disable SSL version 3
- --no_tls1 disable TLS version 1
- --no_tls1_1 disable TLS version 1.1
- --no_tls1_2 disable TLS version 1.2
- -N,--host-cn match CN with the host name
- -o,--org org pattern to match the organization of the certificate
- --openssl path path of the openssl binary to be used
- -p,--port port TCP port
- -P,--protocol protocol use the specific protocol
- {http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}
- http: default
- smtp,pop3,imap,imaps,ftp,ldap: switch to TLS
- -s,--selfsigned allows self-signed certificates
- --serial serialnum pattern to match the serial number
- --sni name sets the TLS SNI (Server Name Indication) extension
- in the ClientHello message to 'name'
- --ssl2 forces SSL version 2
- --ssl3 forces SSL version 3
- --require-ocsp-stapling require OCSP stapling
- --require-san require the presence of a Subject Alternative Name
- extension
- -r,--rootcert path root certificate or directory to be used for
- certificate validation
- --rootcert-dir path root directory to be used for certificate validation
- --rootcert-file path root certificate to be used for certificate validation
- --rsa cipher selection: force RSA authentication
- --temp dir directory where to store the temporary files
- --terse terse output
- -t,--timeout seconds timeout after the specified time
- (defaults to 15 seconds)
- --tls1 force TLS version 1
- --tls1_1 force TLS version 1.1
- --tls1_2 force TLS version 1.2
- --tls1_3 force TLS version 1.3
- -v,--verbose verbose output
- -V,--version version
- -w,--warning days minimum number of days a certificate has to be valid
- to issue a warning status
- --xmpphost name specifies the host for the 'to' attribute of the stream element
-
-Deprecated options:
- --days days minimum number of days a certificate has to be valid
- (see --critical and --warning)
- --ocsp check revocation via OCSP
- -S,--ssl version force SSL version (2,3)
- (see: --ssl2 or --ssl3)
-```
-
-## Expect
-
-check_ssl_cert requires 'expect' to enable timeouts. If expect is not
-present on your system timeouts will be disabled.
-
-See: http://en.wikipedia.org/wiki/Expect
-
-## Virtual servers
-
-check_ssl_cert supports the servername TLS extension in ClientHello
-if the installed openssl version provides it. This is needed if you
-are checking a machine with virtual hosts.
-
-## SSL Labs
-
-If `-L` or `--check-ssl-labs` are specified the plugin will check the
-cached status using the SSL Labs Assessment API (see
-https://www.ssllabs.com/about/terms.html).
-
-The plugin will ask for a cached result (maximum age 1 day) to avoid
-to many checks. The first time you issue the check you could therefore
-get an outdated result.
-
-## Notes
-
-The root certificate corresponding to the checked certificate must be
-available to openssl or specified with the `-r cabundle` or
-`--rootcert cabundle` option, where cabundle is either a file for `-CAfile`
-or a directory for `-CApath`.
-
-On macOS the root certificates bundle is stored in the Keychain and
-openssl will complain with:
-
-```
-verification error: unable to get local issuer certificate
-```
-
-The bundle can be extracted with:
-
-```
-$ sudo security find-certificate -a \
- -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
-```
-
-and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
-
-```
- ./check_ssl_cert -H www.google.com -r ./cabundle.crt
-```
-
-## Bugs
-
-The timeout is applied to each action involving a download.
-
-Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
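Review bot: the upstream directory is renamed from check_ssl_cert-1.85.0 (hyphen) to check_ssl_cert_1.96.0 (underscore), which is why README.md and VERSION show up here as a delete plus an add instead of renames; please confirm that check_ssl_cert/control and check_ssl_cert/src (both listed among the 29 changed files, hunks not shown in this excerpt) reference the new underscore form, since the build would otherwise still look for the old path.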
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.85.0
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/._COPYRIGHT → check_ssl_cert/check_ssl_cert_1.96.0/._COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/._Makefile → check_ssl_cert/check_ssl_cert_1.96.0/._Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/._NEWS → check_ssl_cert/check_ssl_cert_1.96.0/._NEWS
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/._check_ssl_cert → check_ssl_cert/check_ssl_cert_1.96.0/._check_ssl_cert
=====================================
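Review bot: the four `._*` entries (._COPYRIGHT, ._Makefile, ._NEWS, ._check_ssl_cert) are macOS AppleDouble resource-fork sidecars that were evidently packed into the upstream tarball; they carry no content the package needs and are simply renamed along into check_ssl_cert_1.96.0 here, so drop them from the import rather than keep shipping them.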
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.96.0/AUTHORS
=====================================
@@ -72,13 +72,20 @@ Thanks:
* Many thanks to eeertel (https://github.com/eeertel) for the SNI warning patch
* Many thanks to Vojtech Horky (https://github.com/vhotspur) for the --format patch
* Many thanks to Markus Frosch (https://github.com/lazyfrosch) for the cleanup patch
-* Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests, long output on Linux, extending the issuer checks to the whole chain
+* Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests,
+ long output on Linux, extending the issuer checks to the whole chain
* Many thanks to eimamagi (https://github.com/eimamagi) for the client key patch and for the CA file and directory support
* Many thanks to Stefan Schlesinger for the HTTP_REQUEST patch
* Many thanks to sokol-44 (https://github.com/sokol-44) for the HTTP request fix
* Many thanks to Jonas Meurer (https://github.com/mejo-) for the IMAP / IMAPS fix
-* Many thanks to Mathieu Simon (https://github.com/matsimon) for the IMAPS and POP3S patch
+* Many thanks to Mathieu Simon (https://github.com/matsimon) for the IMAPS, POP3S and LDAP patches
* Many thanks to Nico (https://github.com/nicox) for the SSLlabs patch
* Many thanks to barakAtSoluto (https://github.com/barakAtSoluto) for the SSLlabs warning patch
* Many thanks to Valentin Heidelberger (https://github.com/va1entin) for the cURL user agent patch
-* Many thanks to Tone (https://github.com/anthonyhaussman) for the warning message improvement patch
\ No newline at end of file
+* Many thanks to Tone (https://github.com/anthonyhaussman) for the warning message improvement patch
+* Many thanks to Michael Niewiara (https://github.com/mobitux) for the HTTPS/echo fix
+* Many thanks to Zadkiel (https://github.com/aslafy-z) for the extended regex patch
+* Many thanks to Dick Visser (https://github.com/dnmvisser) for the --inetproto patch
+* Many thanks to jmuecke (https://github.com/jmuecke) for the multiple errors patch
+* Many thanks to iasdeoupxe (https://github.com/iasdeoupxe) for various fixes
+* Many thanks to Andre Klärner (https://github.com/klaernie) for the typos corrections
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/COPYING → check_ssl_cert/check_ssl_cert_1.96.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.96.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.96.0/ChangeLog
=====================================
@@ -1,6 +1,39 @@
-2019-06-02 Matteo Corti <corti at macmini.home>
+2019-09-24 Matteo Corti <matteo at corti.li>
- * check_ssl_cert (critical): Return the filename when using --file by warnings
+ * check_ssl_cert: Fixed a bug in the processing of the SSL Labs options
+ * check_ssl_cert: Fixed a bug with POP3S
+
+2019-09-24 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: OCSP check does not trigger an additional s_client call
+
+2019-09-19 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Fixed a problem in the critical output
+
+2019-09-18 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Consolidated the error messages in case of more than one error
+ * check_ssl_cert: Fixed a bug where the cypher was not forced by the OCSP checks
+
+2019-08-09 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (ascii_grep): Removed NULL characters before 'grepping' a file
+ * check_ssl_cert (critical): Display the CN in a crical or warning message (if present)
+ * check_ssl_cert: merged patch to choose the IP protocol version
+
+2019-08-08 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Applied patch to support LDAPS
+ * check_ssl_cert.1: Formatting and ordering
+
+2019-07-26 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Try to detect if LDAP is not supported
+
+2019-06-02 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Return the filename when using --file by warnings
2019-03-28 Matteo Corti <matteo at corti.li>
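Review bot: the 2019-08-09 entry reads "Display the CN in a crical or warning message", which should be "critical"; worth forwarding upstream since this file is imported verbatim. The same hunk also corrects the author address of the 2019-06-02 entry from the stray `corti at macmini.home` to the proper one, which is fine.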
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/INSTALL → check_ssl_cert/check_ssl_cert_1.96.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/Makefile → check_ssl_cert/check_ssl_cert_1.96.0/Makefile
=====================================
@@ -37,6 +37,9 @@ distclean: clean
test: dist
( export SHUNIT2="$$(pwd)/shunit2/shunit2" && cd test && ./unit_tests.sh )
+shellcheck:
+ if shellcheck --help 2>&1 | grep -q -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh ; else shellcheck check_ssl_cert test/unit_tests.sh ; fi
+
copyright_check:
grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
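Review bot: the new `shellcheck` target is not a prerequisite of `test`, so the lint only runs when someone invokes it by hand; if the intent is to catch quoting regressions in check_ssl_cert and test/unit_tests.sh (the rest of this patch is largely `${var}` brace clean-ups driven by shellcheck), consider making `test` depend on it or running it in CI. Probing `shellcheck --help` for the `-o` option is a workable way to stay compatible with older releases that lack `-o all`.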
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/NEWS → check_ssl_cert/check_ssl_cert_1.96.0/NEWS
=====================================
@@ -1,3 +1,14 @@
+2019-09-25 Version 1.96.0: Bug fixes
+2019-09-24 Version 1.95.0: Bug fixes
+2019-09-24 Version 1.94.0: Several bugs fixed
+2019-09-24 Version 1.93.0: Fixed a bug in the processing of the SSL Labs options
+2019-09-24 Version 1.92.0: Bug fix in the OCSP check
+2019-09-23 Version 1.91.0: Various minor improvements and fixes
+2019-09-19 Version 1.90.0: Bug fix, did not always print all the detected errors
+2019-08-22 Version 1.89.0: Prints all the errors
+2019-08-09 Version 1.88.0: Add an option to force IPv4 or IPv6
+2019-08-08 Version 1.87.0: LDAPS support
+2019-07-21 Version 1.86.0: Fixed a bug and enabled extended regex search
2019-06-02 Version 1.85.0: Improved the warnings when using the --file option
2019-03-28 Version 1.84.0: Added an option to specify the cURL user agent
2019-03-01 Version 1.83.0: Spelling corrections
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/README.md
=====================================
@@ -0,0 +1,179 @@
+
+ (c) Matteo Corti, ETH Zurich, 2007-2012
+
+ (c) Matteo Corti, 2007-2019
+ see AUTHORS for the complete list of contributors
+
+# check_ssl_cert
+
+A shell script (that can be used as a Nagios plugin) to check an X.509 certificate:
+ - checks if the server is running and delivers a valid certificate
+ - checks if the CA matches a given pattern
+ - checks the validity
+
+## Usage
+
+```
+
+Usage: check_ssl_cert -H host [OPTIONS]
+
+Arguments:
+ -H,--host host server
+
+Options:
+ -A,--noauth ignore authority warnings (expiration only)
+ --altnames matches the pattern specified in -n with
+ alternate names too
+ -C,--clientcert path use client certificate to authenticate
+ --clientpass phrase set passphrase for client certificate.
+ -c,--critical days minimum number of days a certificate has to
+ be valid to issue a critical status
+ --curl-bin path path of the curl binary to be used
+ --curl-user-agent string user agent that curl shall use to obtain the
+ issuer cert
+ -d,--debug produces debugging output
+ --ecdsa cipher selection: force ECDSA authentication
+ -e,--email address pattern to match the email address contained
+ in the certificate
+ -f,--file file local file path (works with -H localhost only)
+ with -f you can not only pass a x509
+ certificate file but also a certificate
+ revocation list (CRL) to check the validity
+ period
+ --file-bin path path of the file binary to be used
+ --fingerprint SHA1 pattern to match the SHA1-Fingerprint
+ --force-perl-date force the usage of Perl for date computations
+ --format FORMAT format output template on success, for example
+ "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
+ -h,--help,-? this help message
+ --http-use-get use GET instead of HEAD (default) for the HTTP
+ related checks
+ --ignore-exp ignore expiration date
+ --ignore-ocsp do not check revocation with OCSP
+ --ignore-sig-alg do not check if the certificate was signed with SHA1
+ or MD5
+ --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
+ --inetproto protocol Force IP version 4 or 6
+ -i,--issuer issuer pattern to match the issuer of the certificate
+ --issuer-cert-cache dir directory where to store issuer certificates cache
+ -K,--clientkey path use client certificate key to authenticate
+ -L,--check-ssl-labs grade SSL Labs assessment
+ (please check https://www.ssllabs.com/about/terms.html)
+ --check-ssl-labs-warn-grade SSL-Labs grade on which to warn
+ --long-output list append the specified comma separated (no spaces) list
+ of attributes to the plugin output on additional lines
+ Valid attributes are:
+ enddate, startdate, subject, issuer, modulus,
+ serial, hash, email, ocsp_uri and fingerprint.
+ 'all' will include all the available attributes.
+ -n,--cn name pattern to match the CN of the certificate (can be
+ specified multiple times)
+ --no_ssl2 disable SSL version 2
+ --no_ssl3 disable SSL version 3
+ --no_tls1 disable TLS version 1
+ --no_tls1_1 disable TLS version 1.1
+ --no_tls1_2 disable TLS version 1.2
+ -N,--host-cn match CN with the host name
+ -o,--org org pattern to match the organization of the certificate
+ --openssl path path of the openssl binary to be used
+ -p,--port port TCP port
+ -P,--protocol protocol use the specific protocol
+ {ftp|ftps|http|imap|imaps|irc|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}
+ http: default
+ ftp,imap,ldap,pop3,smtp: switch to TLS using StartTLS
+ -s,--selfsigned allows self-signed certificates
+ --serial serialnum pattern to match the serial number
+ --sni name sets the TLS SNI (Server Name Indication) extension
+ in the ClientHello message to 'name'
+ --ssl2 forces SSL version 2
+ --ssl3 forces SSL version 3
+ --require-ocsp-stapling require OCSP stapling
+ --require-san require the presence of a Subject Alternative Name
+ extension
+ -r,--rootcert path root certificate or directory to be used for
+ certificate validation
+ --rootcert-dir path root directory to be used for certificate validation
+ --rootcert-file path root certificate to be used for certificate validation
+ --rsa cipher selection: force RSA authentication
+ --temp dir directory where to store the temporary files
+ --terse terse output
+ -t,--timeout seconds timeout after the specified time
+ (defaults to 15 seconds)
+ --tls1 force TLS version 1
+ --tls1_1 force TLS version 1.1
+ --tls1_2 force TLS version 1.2
+ --tls1_3 force TLS version 1.3
+ -v,--verbose verbose output
+ -V,--version version
+ -w,--warning days minimum number of days a certificate has to be valid
+ to issue a warning status
+ --xmpphost name specifies the host for the 'to' attribute of the stream element
+ -4 force IPv4
+ -6 force IPv6
+
+Deprecated options:
+ --days days minimum number of days a certificate has to be valid
+ (see --critical and --warning)
+ --ocsp check revocation via OCSP
+ -S,--ssl version force SSL version (2,3)
+ (see: --ssl2 or --ssl3)
+
+Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
+
+```
+
+## Expect
+
+check_ssl_cert requires 'expect' to enable timeouts. If expect is not
+present on your system timeouts will be disabled.
+
+See: http://en.wikipedia.org/wiki/Expect
+
+## Virtual servers
+
+check_ssl_cert supports the servername TLS extension in ClientHello
+if the installed openssl version provides it. This is needed if you
+are checking a machine with virtual hosts.
+
+## SSL Labs
+
+If `-L` or `--check-ssl-labs` are specified the plugin will check the
+cached status using the SSL Labs Assessment API (see
+https://www.ssllabs.com/about/terms.html).
+
+The plugin will ask for a cached result (maximum age 1 day) to avoid
+to many checks. The first time you issue the check you could therefore
+get an outdated result.
+
+## Notes
+
+The root certificate corresponding to the checked certificate must be
+available to openssl or specified with the `-r cabundle` or
+`--rootcert cabundle` option, where cabundle is either a file for `-CAfile`
+or a directory for `-CApath`.
+
+On macOS the root certificates bundle is stored in the Keychain and
+openssl will complain with:
+
+```
+verification error: unable to get local issuer certificate
+```
+
+The bundle can be extracted with:
+
+```
+$ sudo security find-certificate -a \
+ -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
+```
+
+and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
+
+```
+ ./check_ssl_cert -H www.google.com -r ./cabundle.crt
+```
+
+## Bugs
+
+The timeout is applied to each action involving a download.
+
+Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
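Review bot: two wording slips in the new README, "to avoid to many checks" in the SSL Labs section should be "too many checks", and "a x509 certificate file" in the `-f` description should be "an X.509 certificate file"; the latter is duplicated in the `usage()` text of the script, so fix both places together when reporting upstream.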
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/TODO → check_ssl_cert/check_ssl_cert_1.96.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.96.0
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.85.0
+VERSION=1.96.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
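Review bot: unrelated to the version bump but visible in the context line, `VALID_ATTRIBUTES` lists `serial` twice (`...,issuer,serial,modulus,serial,hash,...`); harmless for the membership test but it should be deduplicated so the list matches the attributes documented for `--long-output`.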
@@ -29,6 +29,12 @@ SIGNALS="HUP INT QUIT TERM ABRT"
# return value for the creation of temporary files
TEMPFILE=""
+################################################################################
+# Variables
+WARNING_MSG=""
+CRITICAL_MSG=""
+ALL_MSG=""
+
################################################################################
# Functions
@@ -53,33 +59,38 @@ usage() {
echo
echo "Options:"
echo " -A,--noauth ignore authority warnings (expiration only)"
- echo " --altnames matches the pattern specified in -n with alternate"
- echo " names too"
+ echo " --altnames matches the pattern specified in -n with"
+ echo " alternate names too"
echo " -C,--clientcert path use client certificate to authenticate"
echo " --clientpass phrase set passphrase for client certificate."
- echo " -c,--critical days minimum number of days a certificate has to be valid"
- echo " to issue a critical status"
+ echo " -c,--critical days minimum number of days a certificate has to"
+ echo " be valid to issue a critical status"
echo " --curl-bin path path of the curl binary to be used"
- echo " --curl-user-agent string user agent that curl shall use to obtain the issuer cert"
+ echo " --curl-user-agent string user agent that curl shall use to obtain the"
+ echo " issuer cert"
echo " -d,--debug produces debugging output"
echo " --ecdsa cipher selection: force ECDSA authentication"
- echo " -e,--email address pattern to match the email address contained in the"
- echo " certificate"
+ echo " -e,--email address pattern to match the email address contained"
+ echo " in the certificate"
echo " -f,--file file local file path (works with -H localhost only)"
- echo " with -f you can not only pass a x509 certificate file"
- echo " but also a certificate revocation list (CRL) to check"
- echo " the validity period"
+ echo " with -f you can not only pass a x509"
+ echo " certificate file but also a certificate"
+ echo " revocation list (CRL) to check the validity"
+ echo " period"
echo " --file-bin path path of the file binary to be used"
echo " --fingerprint SHA1 pattern to match the SHA1-Fingerprint"
echo " --force-perl-date force the usage of Perl for date computations"
echo " --format FORMAT format output template on success, for example"
echo " \"%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'\""
echo " -h,--help,-? this help message"
+ echo " --http-use-get use GET instead of HEAD (default) for the HTTP"
+ echo " related checks"
echo " --ignore-exp ignore expiration date"
echo " --ignore-ocsp do not check revocation with OCSP"
echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
echo " or MD5"
echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
+ echo " --inetproto protocol Force IP version 4 or 6"
echo " -i,--issuer issuer pattern to match the issuer of the certificate"
echo " --issuer-cert-cache dir directory where to store issuer certificates cache"
echo " -K,--clientkey path use client certificate key to authenticate"
@@ -104,9 +115,9 @@ usage() {
echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
- echo " {http|smtp|pop3|pops3s|imap|imaps|ftp|xmpp|irc|ldap}"
+ echo " {ftp|ftps|http|imap|imaps|irc|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}"
echo " http: default"
- echo " smtp,pop3,imap,ftp,ldap: switch to TLS"
+ echo " ftp,imap,ldap,pop3,smtp: switch to TLS using StartTLS"
echo " -s,--selfsigned allows self-signed certificates"
echo " --serial serialnum pattern to match the serial number"
echo " --sni name sets the TLS SNI (Server Name Indication) extension"
@@ -134,6 +145,8 @@ usage() {
echo " -w,--warning days minimum number of days a certificate has to be valid"
echo " to issue a warning status"
echo " --xmpphost name specifies the host for the 'to' attribute of the stream element"
+ echo " -4 force IPv4"
+ echo " -6 force IPv6"
echo
echo "Deprecated options:"
echo " --days days minimum number of days a certificate has to be valid"
@@ -156,7 +169,7 @@ trap_with_arg() {
func="$1" ; shift
for sig ; do
# shellcheck disable=SC2064
- trap "$func $sig" "$sig"
+ trap "${func} ${sig}" "${sig}"
done
}
@@ -166,11 +179,11 @@ remove_temporary_files() {
if [ -n "${DEBUG}" ] ; then
echo "[DBG] cleaning up temporary files"
# shellcheck disable=SC2086
- echo $TEMPORARY_FILES | tr '\ ' '\n' | sed 's/^/[DBG] /'
+ echo ${TEMPORARY_FILES} | tr '\ ' '\n' | sed 's/^/[DBG] /'
fi
# shellcheck disable=SC2086
- if [ -n "$TEMPORARY_FILES" ]; then
- rm -f $TEMPORARY_FILES
+ if [ -n "${TEMPORARY_FILES}" ]; then
+ rm -f ${TEMPORARY_FILES}
fi
}
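Review bot: `rm -f ${TEMPORARY_FILES}` (and the `echo`) rely on word splitting of a space-separated list, which is why SC2086 is silenced; a `--temp dir` path containing whitespace would be split into fragments and the temporary files would neither be listed nor removed. Since POSIX sh has no arrays, a safer shape is a newline-separated list iterated with a `while read -r` loop, or deleting each file at the point it is added in `create_temporary_file`.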
@@ -179,11 +192,11 @@ remove_temporary_files() {
cleanup() {
SIGNAL=$1
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] signal caught $SIGNAL"
+ echo "[DBG] signal caught ${SIGNAL}"
fi
remove_temporary_files
# shellcheck disable=SC2086
- trap - $SIGNALS
+ trap - ${SIGNALS}
exit
}
@@ -196,49 +209,145 @@ create_temporary_file() {
fi
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] temporary file $TEMPFILE created"
+ echo "[DBG] temporary file ${TEMPFILE} created"
fi
# add the file to the list of temporary files
- TEMPORARY_FILES="$TEMPORARY_FILES $TEMPFILE"
+ TEMPORARY_FILES="${TEMPORARY_FILES} ${TEMPFILE}"
}
################################################################################
-# Exits with a critical message
+# prepends critical messages to list of all messages
# Params
# $1 error message
-critical() {
- if [ -n "${HOST}" ] ; then
- if [ -n "${SNI}" ] ; then
- tmp=" ${SNI}"
- elif [ -n "${FILE}" ] ; then
- tmp=" ${FILE}"
- else
- tmp=" ${HOST}"
+prepend_critical_message() {
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+ echo "[DBG] prepend_critical_message: new message = $1"
+ echo "[DBG] prepend_critical_message: HOST = ${HOST}"
+ echo "[DBG] prepend_critical_message: CN = ${CN}"
+ echo "[DBG] prepend_critical_message: SNI = ${SNI}"
+ echo "[DBG] prepend_critical_message: FILE = ${FILE}"
+ echo "[DBG] prepend_critical_message: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] prepend_critical_message: MSG = ${MSG}"
+ echo "[DBG] prepend_critical_message: CRITICAL_MSG = ${CRITICAL_MSG}"
+ echo "[DBG] prepend_critical_message: ALL_MSG 1 = ${ALL_MSG}"
+ fi
+
+ if [ -n "${CN}" ] ; then
+ tmp=" ${CN}"
+ else
+ if [ -n "${HOST}" ] ; then
+ if [ -n "${SNI}" ] ; then
+ tmp=" ${SNI}"
+ elif [ -n "${FILE}" ] ; then
+ tmp=" ${FILE}"
+ else
+ tmp=" ${HOST}"
+ fi
fi
fi
+
+ MSG="${SHORTNAME} CRITICAL${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
+
+ if [ "${CRITICAL_MSG}" = "" ]; then
+ CRITICAL_MSG="${MSG}"
+ fi
+
+ ALL_MSG="\n ${MSG}${ALL_MSG}"
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] prepend_critical_message: MSG 2 = ${MSG}"
+ echo "[DBG] prepend_critical_message: CRITICAL_MSG 2 = ${CRITICAL_MSG}"
+ echo "[DBG] prepend_critical_message: ALL_MSG 2 = ${ALL_MSG}"
+ echo "[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+ fi
+
+}
+
+################################################################################
+# Exits with a critical message
+# Params
+# $1 error message
+critical() {
+
remove_temporary_files
- printf '%s CRITICAL%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] exiting with CRITICAL'
+ echo "[DBG] ALL_MSG = ${ALL_MSG}"
+ fi
+
+ NUMBER_OF_ERRORS=$( printf '%b' "${ALL_MSG}" | wc -l )
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] number of errors = ${NUMBER_OF_ERRORS}"
+ fi
+
+ if [ "${NUMBER_OF_ERRORS}" -ge 2 ] ; then
+ printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
+ else
+ printf '%s\n' "$1"
+ fi
+
exit 2
}
+################################################################################
+# append all warning messages to list of all messages
+# Params
+# $1 warning message
+append_warning_message() {
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] append_warning_message: HOST = ${HOST}"
+ echo "[DBG] append_warning_message: CN = ${CN}"
+ echo "[DBG] append_warning_message: SNI = ${SNI}"
+ echo "[DBG] append_warning_message: FILE = ${FILE}"
+ echo "[DBG] append_warning_message: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] append_warning_message: $1 = $1"
+ fi
+
+ if [ -n "${CN}" ] ; then
+ tmp=" ${CN}"
+ else
+ if [ -n "${HOST}" ] ; then
+ if [ -n "${SNI}" ] ; then
+ tmp=" ${SNI}"
+ elif [ -n "${FILE}" ] ; then
+ tmp=" ${FILE}"
+ else
+ tmp=" ${HOST}"
+ fi
+ fi
+ fi
+
+ MSG="${SHORTNAME} WARN${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
+ if [ "${WARNING_MSG}" = "" ]; then
+ WARNING_MSG="${MSG}"
+ fi
+ ALL_MSG="${ALL_MSG}\n ${MSG}"
+}
+
+
################################################################################
# Exits with a warning message
# Param
# $1 warning message
warning() {
- if [ -n "${HOST}" ] ; then
- if [ -n "${SNI}" ] ; then
- tmp=" ${SNI}"
- elif [ -n "${FILE}" ] ; then
- tmp=" ${FILE}"
- else
- tmp=" ${HOST}"
- fi
- fi
+
remove_temporary_files
- printf '%s WARN%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
+
+ NUMBER_OF_ERRORS=$( printf '%b' "${ALL_MSG}" | wc -l )
+
+ if [ "${NUMBER_OF_ERRORS}" -ge 2 ] ; then
+ printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
+ else
+ printf '%s\n' "$1"
+ fi
+
exit 1
}
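Review bot: prepend_critical_message and append_warning_message bake ${PERFORMANCE_DATA}${LONG_OUTPUT} into every stored message at the moment the error is detected, so a message recorded before add_performance_data runs (a weak-signature or missing-program error) carries no perfdata while one recorded afterwards does, and with two or more errors the multi-line output contains one `|` separator per message. Nagios reads perfdata only after the first `|` on line 1 and after the next `|` in the long output, so the repeated blocks end up parsed as perfdata text. Suggest storing only the bare message in ALL_MSG and appending ${PERFORMANCE_DATA} once, in critical() and warning() at exit, after the summary line. Two smaller points: `tmp` is never reset when neither CN nor HOST is set, so a value from an earlier call leaks into the next message (add `tmp=""` before the tests), and warning() labels its list `Error(s):` although it is now the warning path.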
@@ -276,37 +385,38 @@ exec_with_timeout() {
command="/bin/sh -c \"$2\""
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing with timeout (${time}s): $2"
+ printf '[DBG] executing with timeout (%ss): %s\n' "${time}" "${2}"
fi
if [ -n "${TIMEOUT_BIN}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${TIMEOUT_BIN} $time $command"
+ printf "[DBG] %s %s %s\n" "${TIMEOUT_BIN}" "${time}" "${command}"
fi
- eval "${TIMEOUT_BIN} $time $command" > /dev/null 2>&1
+ eval "${TIMEOUT_BIN} ${time} ${command}" > /dev/null 2>&1
if [ $? -eq 137 ] ; then
- critical "Timeout after ${time} seconds"
+ prepend_critical_message "Timeout after ${time} seconds"
fi
elif [ -n "${EXPECT}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] expect -c \"set echo \\\"-noecho\\\"; set timeout $time; spawn -noecho $command; expect timeout { exit 1 } eof { exit 0 }\""
+ printf '[DBG] expect -c \"set echo \\\"-noecho\\\"; set timeout %s; spawn -noecho %s; expect timeout { exit 1 } eof { exit 0 }\"\n' "${time}" "${command}"
fi
-
- expect -c "set echo \"-noecho\"; set timeout $time; spawn -noecho $command; expect timeout { exit 1 } eof { exit 0 }"
+
+ expect -c "set echo \"-noecho\"; set timeout ${time}; spawn -noecho ${command}; expect timeout { exit 1 } eof { exit 0 }"
RET=$?
if [ -n "${DEBUG}" ] ; then
echo "[DBG] expect returned ${RET}"
- fi
-
+ fi
+
if [ "${RET}" -eq 1 ] ; then
- critical "Timeout after ${time} seconds"
+ prepend_critical_message "Timeout after ${time} seconds"
+ critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
fi
else
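Review bot: the two timeout branches now diverge: with TIMEOUT_BIN the code only calls prepend_critical_message and falls out of the function, whereas the expect branch calls prepend_critical_message and then `critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"` and exits. In the first case fetch_certificate continues with an empty ${CERT}, and unless the part of the function outside this hunk returns it explicitly, the caller's RET is the status of the final `if` (0 when the condition is false) rather than the status of the wrapped command, so every later check reports secondary errors about the missing certificate. Either exit in both branches or propagate the command's status with an explicit `return`.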
@@ -326,12 +436,12 @@ check_required_prog() {
PROG=$(command -v "$1" 2> /dev/null)
- if [ -z "$PROG" ] ; then
- critical "cannot find program: $1"
+ if [ -z "${PROG}" ] ; then
+ prepend_critical_message "cannot find program: $1"
fi
- if [ ! -x "$PROG" ] ; then
- critical "$PROG is not executable"
+ if [ ! -x "${PROG}" ] ; then
+ prepend_critical_message "${PROG} is not executable"
fi
}
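Review bot: with critical replaced by prepend_critical_message, check_required_prog no longer stops when the program is missing: PROG is empty, the next test `[ ! -x "" ]` records a second message ` is not executable`, and the caller then sets OPENSSL, FILE_BIN or CURL_BIN to the empty string and runs `"" s_client ...`, so the user gets a chain of misleading errors instead of `cannot find program: openssl`. A missing prerequisite should still terminate, e.g. `critical "${CRITICAL_MSG}"` after the prepend, or `return 1` with the callers checking the result.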
@@ -432,28 +542,44 @@ fetch_certificate() {
fi
fi
+ if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
+ STATUS='-status'
+ fi
+
# Check if a protocol was specified (if not HTTP switch to TLS)
if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != "http" ] && [ "${PROTOCOL}" != "https" ] ; then
case "${PROTOCOL}" in
- smtp)
- exec_with_timeout "$TIMEOUT" "echo -e 'QUIT\\r' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+ smtp|pop3|ftp)
+ exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ RET=$?
+ ;;
+ smtps|ftps)
+ exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ RET=$?
+ ;;
+ pop3s)
+ exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ RET=$?
+ ;;
+ ldap)
+ exec_with_timeout "${TIMEOUT}" "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- irc)
- exec_with_timeout "$TIMEOUT" "echo -e 'QUIT\\r' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+ irc|ldaps)
+ exec_with_timeout "${TIMEOUT}" "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- pop3|imap|ftp|ldap)
- exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+ imap)
+ exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- pop3s|imaps)
- exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+ imaps)
+ exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
xmpp)
- exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$XMPPPORT ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
*)
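Review bot: STATUS is only ever assigned in the REQUIRE_OCSP_STAPLING case and has no default in main, so a STATUS variable inherited from the environment is interpolated verbatim into the eval'ed `openssl s_client` command line; initialise it (`STATUS=""`) with the other defaults. Also, the pop3s case omits `-ign_eof` while smtps|ftps and imaps pass it with the same `printf 'QUIT\n'` input, which looks like an oversight rather than a deliberate difference, and since `-starttls ldap` is only accepted by newer OpenSSL releases (the patch itself catches the usage text further down), a comment next to the ldap case pointing at that check would help the next reader.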
@@ -464,42 +590,42 @@ fetch_certificate() {
elif [ -n "${FILE}" ] ; then
if [ "${HOST}" = "localhost" ] ; then
- exec_with_timeout "$TIMEOUT" "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
RET=$?
else
unknown "Error: option 'file' works with -H localhost only"
fi
else
-
- exec_with_timeout "$TIMEOUT" "echo '${HTTP_REQUEST}' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect $HOST:$PORT ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+
+ exec_with_timeout "${TIMEOUT}" "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
fi
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] storing a copy of the retrieved certificate in ${HOST}.crt"
- cp "${CERT}" "${HOST}.crt"
+ echo "[DBG] storing a copy of the retrieved certificate in ${TMPDIR}/${HOST}-${PORT}.crt"
+ cp "${CERT}" "${TMPDIR}/${HOST}-${PORT}.crt"
- echo "[DBG] storing a copy of the OpenSSL errors in ${HOST}.error"
- cp "${ERROR}" "${HOST}.error"
+ echo "[DBG] storing a copy of the OpenSSL errors in ${TMPDIR}/${HOST}-${PORT}.error"
+ cp "${ERROR}" "${TMPDIR}/${HOST}-${PORT}.error"
fi
if [ "${RET}" -ne 0 ] ; then
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
sed 's/^/[DBG] SSL error: /' "${ERROR}"
- fi
+ fi
- # s_client could verify the server certificate because the server requires a client certificate
- if grep -q '^Acceptable client certificate CA names' "${CERT}" ; then
+ # s_client could verify the server certificate because the server requires a client certificate
+ if ascii_grep '^Acceptable client certificate CA names' "${CERT}" ; then
if [ -n "${VERBOSE}" ] ; then
- echo "The server requires a client certificate"
+ echo "The server requires a client certificate"
fi
- else
+ else
# Try to clean up the error message
# Remove the 'verify and depth' lines
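Review bot: the debug copies now go to `${TMPDIR}/${HOST}-${PORT}.crt` and `.error`, i.e. predictable names in a directory that defaults to a shared /tmp; `cp` follows an existing symlink at that path, so another local user who pre-creates the link can have the plugin overwrite a file of their choosing with the monitoring user's privileges, and HOST is caller-controlled text placed into a path without sanitisation. Since the files are only for debugging, write them through create_temporary_file (or mktemp) and print the generated name, or restrict this to a directory the plugin created itself.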
@@ -509,10 +635,16 @@ fetch_certificate() {
| grep -v '^verify' \
| head -n 1
)
- critical "SSL error: ${ERROR_MESSAGE}"
+ prepend_critical_message "SSL error: ${ERROR_MESSAGE}"
fi
+ else
+
+ if ascii_grep usage "${ERROR}" && [ "${PROTOCOL}" = "ldap" ] ; then
+ unknown "it seems that OpenSSL -starttls does not support yet LDAP"
+ fi
+
fi
}
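Review bot: the new LDAP probe runs `ascii_grep usage "${ERROR}"` only in the `else` branch, i.e. when RET is 0; if RET reflects the s_client exit status as the branch above assumes, a rejected `-starttls ldap` (usage text, non-zero exit) lands in the error branch and the generic `SSL error:` message is reported instead, so the diagnosis is skipped exactly where it is useful. Move the test ahead of the `[ "${RET}" -ne 0 ]` split (or into the error branch before the sed clean-up) and tighten the pattern, since the bare word `usage` can also appear in an unrelated error line. Wording: `does not support yet LDAP` reads better as `does not yet support LDAP`.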
@@ -539,6 +671,21 @@ var_for_sed() {
echo "s|%$1%|$( echo "$2" | sed -e 's#|#\\\\|#g' )|g"
}
+################################################################################
+# Performs a grep removing the NULL characters first
+#
+# As the POSIX grep does not have the -a option, we remove the NULL characters
+# first to avoid the error Binary file matches
+#
+# Params
+# $1 pattern
+# $2 file
+#
+ascii_grep() {
+ tr -d '\000' < "$2" | grep -q "$1"
+}
+
+
################################################################################
# Main
################################################################################
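Review bot: stripping NUL bytes is not always enough to keep GNU grep from reporting `Binary file matches`: in a UTF-8 locale it also classifies input as binary when it contains byte sequences that are invalid in the locale's encoding, which the same raw s_client output that produces the NUL bytes may well contain. Run the pipeline under the C locale, e.g. `tr -d '\000' < "$2" | LC_ALL=C grep -q "$1"`, and note in the header comment that $1 is treated as a basic regular expression, since callers such as `ascii_grep usage` pass plain words.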
@@ -562,6 +709,7 @@ main() {
REQUIRE_OCSP_STAPLING=""
OCSP="1" # enabled by default
FORMAT=""
+ HTTP_METHOD="HEAD"
# Set the default temp dir if not set
if [ -z "${TMPDIR}" ] ; then
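Review bot: the new INETPROTO and STATUS variables are read before being assigned on most paths but get no default here, unlike HTTP_METHOD; initialise both to the empty string so that values inherited from the caller's environment cannot reach the `--inetproto` validation (which rejects anything other than -4 or -6 with UNKNOWN) or the eval'ed s_client command line.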
@@ -599,6 +747,10 @@ main() {
FORCE_PERL_DATE=1
shift
;;
+ --http-use-get)
+ HTTP_METHOD="GET"
+ shift
+ ;;
--ignore-exp)
NOEXP=1
shift
@@ -691,11 +843,21 @@ main() {
echo "check_ssl_cert version ${VERSION}"
exit 3
;;
+ -4)
+ INETPROTO="-4"
+ shift
+ ;;
+ -6)
+ INETPROTO="-6"
+ shift
+ ;;
+
+
########################################
# Options with arguments
-c|--critical)
if [ $# -gt 1 ]; then
- CRITICAL="$2"
+ CRITICAL="$2"
shift 2
else
unknown "-c,--critical requires an argument"
@@ -1000,10 +1162,12 @@ main() {
done
################################################################################
- # Set COMMON_NAME to hostname if -N was given as argument
- if [ "$COMMON_NAME" = "__HOST__" ] ; then
- COMMON_NAME="${HOST}"
- fi
+ # Set COMMON_NAME to hostname if -N was given as argument.
+ # COMMON_NAME may be a space separated list of hostnames.
+ case ${COMMON_NAME} in
+ *__HOST__*) COMMON_NAME=$(echo "${COMMON_NAME}" | sed "s/__HOST__/${HOST}/") ;;
+ *) ;;
+ esac
################################################################################
# Sanity checks
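Review bot: the comment says COMMON_NAME may be a space-separated list, but `sed "s/__HOST__/${HOST}/"` has no `g` flag and replaces only the first `__HOST__`; a second `-N` in the list survives literally and then fails the CN check. Also HOST is interpolated unescaped into the sed expression, so a value containing `/`, `&` or `\` breaks or corrupts the substitution. A pure-shell loop over the list, e.g. `for n in ${COMMON_NAME}; do [ "$n" = "__HOST__" ] && n="${HOST}"; ...; done`, avoids both.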
@@ -1078,6 +1242,10 @@ main() {
if [ -n "${CRITICAL}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] -c specified: ${CRITICAL}"
+ fi
+
if ! echo "${CRITICAL}" | grep -q '^[0-9][0-9]*$' ; then
unknown "invalid number of days ${CRITICAL}"
fi
@@ -1132,7 +1300,7 @@ main() {
if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
- if ( $SSL_LAB_WARN_ASSESTMENT_NUMERIC < $SSL_LAB_CRIT_ASSESSMENT_NUMERIC ); then
+ if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
unknown "--check-ssl-labs-warn-grade must be greater than -L|--check-ssl-labs"
fi
fi
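Review bot: the two threshold variables are spelled differently, ASSESTMENT for the warn grade and ASSESSMENT for the crit grade (`SSL_LAB_WARN_ASSESTMENT_NUMERIC` vs `SSL_LAB_CRIT_ASSESSMENT_NUMERIC`); now that the comparison is a proper `[ -lt ]` test (the old `( $A < $B )` ran $A as a command with $B as its stdin), a future typo would compare against an unset variable and `[ "" -lt ... ]` fails at runtime, so settling on one spelling is worth doing in the same change.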
@@ -1147,13 +1315,13 @@ main() {
# OpenSSL
if [ -z "${OPENSSL}" ] ; then
check_required_prog openssl
- OPENSSL=$PROG
+ OPENSSL=${PROG}
fi
# file
if [ -z "${FILE_BIN}" ] ; then
check_required_prog file
- FILE_BIN=$PROG
+ FILE_BIN=${PROG}
fi
# curl
@@ -1163,8 +1331,10 @@ main() {
echo "[DBG] cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
echo "[DBG] cURL binary not specified"
fi
+
check_required_prog curl
- CURL_BIN=$PROG
+ CURL_BIN=${PROG}
+
if [ -n "${DEBUG}" ] ; then
echo "[DBG] cURL available: ${CURL_BIN}"
fi
@@ -1245,7 +1415,7 @@ main() {
else
- if $DATEBIN --version >/dev/null 2>&1 ; then
+ if "${DATEBIN}" --version >/dev/null 2>&1 ; then
DATETYPE="GNU"
else
DATETYPE="BSD"
@@ -1316,7 +1486,7 @@ main() {
#
if ${OPENSSL} s_client -help 2>&1 | grep -q -- -xmpphost ; then
- XMPPHOST="-xmpphost ${XMPPHOST:-$HOST}"
+ XMPPHOST="-xmpphost ${XMPPHOST:-${HOST}}"
if [ -n "${DEBUG}" ] ; then
echo "[DBG] '${OPENSSL} s_client' supports '-xmpphost': using ${XMPPHOST}"
@@ -1344,6 +1514,37 @@ main() {
fi
fi
+ ################################################################################
+ # --inetproto validation
+ if [ -n "${INETPROTO}" ] ; then
+
+ # validate the arguments
+ if [ "${INETPROTO}" != "-4" ] && [ "${INETPROTO}" != "-6" ] ; then
+ VERSION=$(echo "${INETPROTO}" | awk '{ string=substr($0, 2); print string; }' )
+ unknown "Invalid argument '${VERSION}': the value must be 4 or 6"
+ fi
+
+ # Check if openssl s_client supports the -4 or -6 option
+ if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${INETPROTO}" ; then
+ unknown "OpenSSL does not support the ${INETPROTO} option"
+ fi
+
+ # Check if cURL is needed and if it supports the -4 and -6 options
+ if [ -z "${CURL_BIN}" ] ; then
+ if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
+ if ! "${CURL_BIN}" --manual | grep -q -- -6 && [ -n "${INETPROTO}" ] ; then
+ unknown "cURL does not support the ${INETPROTO} option"
+ fi
+ fi
+ fi
+
+ # check if IPv6 is available locally
+ if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && ! ifconfig -a | grep -q inet6 ; then
+ unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
+ fi
+
+ fi
+
################################################################################
# define the HTTP request string
if [ -n "${SNI}" ]; then
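Review bot: the cURL capability test is inverted: `if [ -z "${CURL_BIN}" ]` enters the block only when no curl was found and then executes `"${CURL_BIN}" --manual` with an empty command name, so the -4/-6 support check never runs when curl is actually used. It should be `-n`, and it should grep for the option in use rather than always `-6`. The IPv6 probe relies on `ifconfig -a`, which is absent from many current Linux installs where net-tools is no longer a default, so `-6` would yield `cannot connect using IPv6` on a perfectly configured host; `ip -6 addr` or `[ -s /proc/net/if_inet6 ]` are more reliable. `[ "${INETPROTO}" -eq "-6" ]` is an integer comparison that only works because -6 happens to parse as a number; `=` is what is meant. Minor: the temporary `VERSION=$(...)` clobbers the script's VERSION variable, which is also used for the User-Agent header; use a local name.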
@@ -1352,24 +1553,24 @@ main() {
HOST_HEADER="${HOST}"
fi
- HTTP_REQUEST="HEAD / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
+ HTTP_REQUEST="${HTTP_METHOD} / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
################################################################################
# Fetch the X.509 certificate
# Temporary storage for the certificate and the errors
- create_temporary_file; CERT=$TEMPFILE
- create_temporary_file; ERROR=$TEMPFILE
+ create_temporary_file; CERT=${TEMPFILE}
+ create_temporary_file; ERROR=${TEMPFILE}
if [ -n "${OCSP}" ] ; then
- create_temporary_file; ISSUER_CERT_TMP=$TEMPFILE
- create_temporary_file; ISSUER_CERT_TMP2=$TEMPFILE
+ create_temporary_file; ISSUER_CERT_TMP=${TEMPFILE}
+ create_temporary_file; ISSUER_CERT_TMP2=${TEMPFILE}
fi
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
- create_temporary_file; OCSP_RESPONSE_TMP=$TEMPFILE
+ create_temporary_file; OCSP_RESPONSE_TMP=${TEMPFILE}
fi
if [ -n "${VERBOSE}" ] ; then
@@ -1392,11 +1593,11 @@ main() {
# Cleanup before program termination
# Using named signals to be POSIX compliant
# shellcheck disable=SC2086
- trap_with_arg cleanup $SIGNALS
+ trap_with_arg cleanup ${SIGNALS}
fetch_certificate
- if grep -q 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
+ if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
if [ -n "${SERVERNAME}" ] ; then
@@ -1411,27 +1612,27 @@ main() {
fi
- if grep -q 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
+ if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
- critical "cannot fetch certificate: OpenSSL got an unexpected message"
+ prepend_critical_message "cannot fetch certificate: OpenSSL got an unexpected message"
fi
fi
- if grep -q "BEGIN X509 CRL" "${CERT}" ; then
+ if ascii_grep "BEGIN X509 CRL" "${CERT}" ; then
# we are dealing with a CRL file
OPENSSL_COMMAND="crl"
OPENSSL_PARAMS="-nameopt utf8,oneline,-esc_msb"
OPENSSL_ENDDATE_OPTION="-nextupdate"
else
# look if we are dealing with a regular certificate file (x509)
- if ! grep -q "CERTIFICATE" "${CERT}" ; then
+ if ! ascii_grep "CERTIFICATE" "${CERT}" ; then
if [ -n "${FILE}" ] ; then
if [ -r "${FILE}" ] ; then
-
+
if "${OPENSSL}" crl -in "${CERT}" -inform DER | grep -q "BEGIN X509 CRL" ; then
if [ -n "${VERBOSE}" ] ; then
echo "File is DER encoded CRL"
@@ -1440,15 +1641,15 @@ main() {
OPENSSL_PARAMS="-inform DER -nameopt utf8,oneline,-esc_msb"
OPENSSL_ENDDATE_OPTION="-nextupdate"
else
- critical "'${FILE}' is not a valid certificate file"
+ prepend_critical_message "'${FILE}' is not a valid certificate file"
fi
else
- critical "'${FILE}' is not readable"
+ prepend_critical_message "'${FILE}' is not readable"
fi
-
+
else
# See
# http://stackoverflow.com/questions/1251999/sed-how-can-i-replace-a-newline-n
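Review bot: the two FILE errors, `'${FILE}' is not a valid certificate file` and `'${FILE}' is not readable`, previously terminated through critical and now only record a message; execution then continues with OPENSSL_COMMAND and OPENSSL_PARAMS unset, and the parsing section runs `${OPENSSL} "" ...` against the unusable file, producing a string of unrelated OpenSSL errors on top of the real one. Follow the pattern used a few lines further down for the network case and call `critical "${CRITICAL_MSG}"` after each of these two prepends.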
@@ -1464,7 +1665,8 @@ main() {
if [ -n "${VERBOSE}" ] ; then
echo "Error: ${ERROR_MESSAGE}"
fi
- critical "No certificate returned"
+ prepend_critical_message "No certificate returned"
+ critical "${CRITICAL_MSG}"
fi
else
# parameters for regular x509 certifcates
@@ -1481,34 +1683,33 @@ main() {
################################################################################
# Parse the X.509 certificate or crl
-
# shellcheck disable=SC2086
- DATE="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" ${OPENSSL_ENDDATE_OPTION} -noout | sed -e "s/^notAfter=//" -e "s/^nextUpdate=//")"
+ DATE="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" "${OPENSSL_ENDDATE_OPTION}" -noout | sed -e "s/^notAfter=//" -e "s/^nextUpdate=//")"
- if [ ${OPENSSL_COMMAND} = "crl" ]; then
+ if [ "${OPENSSL_COMMAND}" = "crl" ]; then
CN=""
SUBJECT=""
SERIAL=0
OCSP_URI=""
VALID_ATTRIBUTES=",lastupdate,nextupdate,issuer,"
# shellcheck disable=SC2086
- ISSUERS="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -issuer -noout)"
+ ISSUERS="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -issuer -noout)"
else
# we need to remove everything before 'CN = ', to remove an eventual email supplied with / and additional elements (after ', ')
# shellcheck disable=SC2086
- CN="$($OPENSSL x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
+ CN="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
sed -e "s/^.*[[:space:]]*CN[[:space:]]=[[:space:]]//" -e "s/\\/[[:alpha:]][[:alpha:]]*=.*\$//" -e "s/,.*//" )"
# shellcheck disable=SC2086
- SUBJECT="$($OPENSSL x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS})"
+ SUBJECT="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS})"
- SERIAL="$($OPENSSL x509 -in "${CERT}" -serial -noout | sed -e "s/^serial=//")"
+ SERIAL="$(${OPENSSL} x509 -in "${CERT}" -serial -noout | sed -e "s/^serial=//")"
- FINGERPRINT="$($OPENSSL x509 -in "${CERT}" -fingerprint -sha1 -noout | sed -e "s/^SHA1 Fingerprint=//")"
+ FINGERPRINT="$(${OPENSSL} x509 -in "${CERT}" -fingerprint -sha1 -noout | sed -e "s/^SHA1 Fingerprint=//")"
# TO DO: we just take the first result: a loop over all the hosts should
# shellcheck disable=SC2086
- OCSP_URI="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -ocsp_uri -noout | head -n 1)"
+ OCSP_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -ocsp_uri -noout | head -n 1)"
# count the certificates in the chain
NUM_CERTIFICATES=$(grep -c -- "-BEGIN CERTIFICATE-" "${CERT}")
@@ -1516,14 +1717,14 @@ main() {
# start with first certificate
CERT_IN_CHAIN=1
# shellcheck disable=SC2086
- while [ $CERT_IN_CHAIN -le $NUM_CERTIFICATES ]; do
- if [ -n "$ISSUERS" ]; then
- ISSUERS="$ISSUERS\\n"
+ while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do
+ if [ -n "${ISSUERS}" ]; then
+ ISSUERS="${ISSUERS}\\n"
fi
# shellcheck disable=SC2086
- ISSUERS="$ISSUERS$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" | \
- awk -v n=$CERT_IN_CHAIN '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}' | \
- $OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -issuer -noout)"
+ ISSUERS="${ISSUERS}$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" | \
+ awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}' | \
+ ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -issuer -noout)"
CERT_IN_CHAIN=$(( CERT_IN_CHAIN + 1 ))
done
@@ -1533,12 +1734,17 @@ main() {
# OpenSSL 1.1.0: issuer=C = XY, ST = Alpha, L = Bravo, O = Charlie, CN = Charlie SSL CA
# OpenSSL 1.0.2: issuer= /C=XY/ST=Alpha/L=Bravo/O=Charlie/CN=Charlie SSL CA 3
# shellcheck disable=SC2086
- ISSUERS=$(echo "$ISSUERS" | sed 's/\\n/\n/g' | sed -e "s/^.*\\/CN=//" -e "s/^.* CN = //" -e "s/^.*, O = //" -e "s/\\/[A-Za-z][A-Za-z]*=.*\$//" -e "s/, [A-Za-z][A-Za-z]* =.*\$//")
+ ISSUERS=$(echo "${ISSUERS}" | sed 's/\\n/\n/g' | sed -e "s/^.*\\/CN=//" -e "s/^.* CN = //" -e "s/^.*, O = //" -e "s/\\/[A-Za-z][A-Za-z]*=.*\$//" -e "s/, [A-Za-z][A-Za-z]* =.*\$//")
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] ISSUERS = '
+ echo "${ISSUERS}" | sed 's/^/[DBG]\ \ \ \ \ \ \ \ \ \ \ /'
+ fi
+
# we just consider the first URI
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
- ISSUER_URI="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+ ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
# TODO: should be checked
# shellcheck disable=SC2021
@@ -1563,33 +1769,33 @@ main() {
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
if [ -n "${VERBOSE}" ] ; then
- echo "checking OCSP stapling"
+ echo "checking OCSP stapling"
fi
- exec_with_timeout "$TIMEOUT" "printf '${HTTP_REQUEST}' | openssl s_client -connect ${HOST}:${PORT} ${SERVERNAME} -status 2> /dev/null | grep -A 17 'OCSP response:' > $OCSP_RESPONSE_TMP"
+ grep -A 17 'OCSP response:' "${CERT}" > "${OCSP_RESPONSE_TMP}"
if [ -n "${DEBUG}" ] ; then
sed 's/^/[DBG]\ /' "${OCSP_RESPONSE_TMP}"
fi
-
- if ! grep -q 'Next Update' "${OCSP_RESPONSE_TMP}" ; then
- critical "OCSP stapling not enabled"
+
+ if ! ascii_grep 'Next Update' "${OCSP_RESPONSE_TMP}" ; then
+ prepend_critical_message "OCSP stapling not enabled"
else
if [ -n "${VERBOSE}" ] ; then
- echo " OCSP stapling enabled"
+ echo " OCSP stapling enabled"
fi
fi
fi
# shellcheck disable=SC2086
- SIGNATURE_ALGORITHM="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep 'Signature Algorithm' | head -n 1)"
+ SIGNATURE_ALGORITHM="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep 'Signature Algorithm' | head -n 1)"
if [ -n "${DEBUG}" ] ; then
echo "[DBG] ${SUBJECT}"
echo "[DBG] CN = ${CN}"
# shellcheck disable=SC2162
- echo "$ISSUERS" | while read LINE; do
+ echo "${ISSUERS}" | while read LINE; do
echo "[DBG] CA = ${LINE}"
done
echo "[DBG] SERIAL = ${SERIAL}"
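Review bot: taking the stapled response from the `-status` handshake already recorded in ${CERT} removes the second connection, but the check itself still only asks whether `Next Update` appears in the 17 lines after `OCSP response:`. A stapled response that is stale (Next Update in the past), that covers a different certificate, or whose Cert Status is `revoked` passes this test. Since the full response text is now in hand, also require `Cert Status: good`, compare its serial against ${SERIAL}, and compare Next Update with the current date; otherwise `--require-ocsp-stapling` documents more assurance than it provides.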
@@ -1609,7 +1815,7 @@ main() {
else
- critical "${OPENSSL_COMMAND} Certificate is signed with SHA-1"
+ prepend_critical_message "${OPENSSL_COMMAND} Certificate is signed with SHA-1"
fi
@@ -1625,7 +1831,7 @@ main() {
else
- critical "${OPENSSL_COMMAND} Certificate is signed with MD5"
+ prepend_critical_message "${OPENSSL_COMMAND} Certificate is signed with MD5"
fi
@@ -1640,7 +1846,7 @@ main() {
if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR}," ; then
unknown "Invalid certificate attribute: ${ATTR}"
else
- # shellcheck disable=SC2086
+ # shellcheck disable=SC2086
value="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -noout -nameopt utf8,oneline,-esc_msb -"${ATTR}" | sed -e "s/.*=//")"
LONG_OUTPUT="${LONG_OUTPUT}\\n${ATTR}: ${value}"
fi
@@ -1651,12 +1857,12 @@ main() {
if [ "${LONG_OUTPUT_ATTR}" = "all" ] ; then
LONG_OUTPUT_ATTR="${VALID_ATTRIBUTES}"
fi
- attributes=$( echo ${LONG_OUTPUT_ATTR} | tr ',' "\\n" )
- for attribute in $attributes ; do
+ attributes=$( echo "${LONG_OUTPUT_ATTR}" | tr ',' "\\n" )
+ for attribute in ${attributes} ; do
check_attr "${attribute}"
done
- LONG_OUTPUT="$(echo "$LONG_OUTPUT" | sed 's/\\n/\n/g')"
+ LONG_OUTPUT="$(echo "${LONG_OUTPUT}" | sed 's/\\n/\n/g')"
fi
@@ -1664,10 +1870,10 @@ main() {
# Compute for how many days the certificate will be valid
if [ -n "${DATETYPE}" ]; then
- # shellcheck disable=SC2086
- CERT_END_DATE=$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -noout ${OPENSSL_ENDDATE_OPTION} | sed -e "s/.*=//")
+ # shellcheck disable=SC2086
+ CERT_END_DATE=$("${OPENSSL}" "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -noout "${OPENSSL_ENDDATE_OPTION}" | sed -e "s/.*=//")
- OLDLANG=$LANG
+ OLDLANG="${LANG}"
LANG=en_US
if [ -n "${DEBUG}" ] ; then
@@ -1698,9 +1904,11 @@ EOF
unknown "Error computing the certificate validity with Perl"
fi
;;
+ *)
+ unknown "Internal error: unknown date type"
esac
- LANG=$OLDLANG
+ LANG="${OLDLANG}"
if [ -n "${VERBOSE}" ] ; then
@@ -1711,7 +1919,7 @@ EOF
fi
fi
- add_performance_data "days=$DAYS_VALID;${WARNING};${CRITICAL};;"
+ add_performance_data "days=${DAYS_VALID};${WARNING};${CRITICAL};;"
fi
@@ -1719,7 +1927,7 @@ EOF
# Check the presence of a subjectAlternativeName (required for Chrome)
# shellcheck disable=SC2086
- SUBJECT_ALTERNATIVE_NAME=$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text |
+ SUBJECT_ALTERNATIVE_NAME=$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text |
grep --after-context=1 "509v3 Subject Alternative Name:" |
tail -n 1 |
sed -e "s/DNS://g" |
@@ -1729,13 +1937,13 @@ EOF
if [ -n "${DEBUG}" ] ; then
echo "[DBG] subjectAlternativeName = ${SUBJECT_ALTERNATIVE_NAME}"
fi
- if [ -n "${REQUIRE_SAN}" ] && [ -z "${SUBJECT_ALTERNATIVE_NAME}" ] && [ ${OPENSSL_COMMAND} != "crl" ] ; then
- critical "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address."
+ if [ -n "${REQUIRE_SAN}" ] && [ -z "${SUBJECT_ALTERNATIVE_NAME}" ] && [ "${OPENSSL_COMMAND}" != "crl" ] ; then
+ prepend_critical_message "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address."
fi
################################################################################
# Check the CN
- if [ -n "$COMMON_NAME" ] ; then
+ if [ -n "${COMMON_NAME}" ] ; then
ok=""
@@ -1791,13 +1999,14 @@ EOF
fi
# Check alternate names
- if [ -n "${ALTNAMES}" ] && [ -z "$ok" ]; then
+ if [ -n "${ALTNAMES}" ] && [ -z "${ok}" ]; then
for cn in ${COMMON_NAME} ; do
ok=""
if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] ==============================='
echo "[DBG] checking altnames against ${cn}"
fi
@@ -1852,15 +2061,14 @@ EOF
fi
- if [ -n "$ok" ] ; then
- #fail=$cn
+ if [ -n "${ok}" ] ; then
break;
fi
done
- if [ -z "$ok" ] ; then
- fail=$cn
+ if [ -z "${ok}" ] ; then
+ fail="${cn}"
break;
fi
@@ -1868,13 +2076,13 @@ EOF
fi
- if [ -n "$fail" ] ; then
- critical "invalid CN ('$CN' does not match '$fail')"
- fi
-
- if [ -z "$ok" ] ; then
- critical "invalid CN ('$CN' does not match '$COMMON_NAME')"
- fi
+ if [ -n "${fail}" ] ; then
+ prepend_critical_message "invalid CN ('$(echo "${CN}" | sed "s/|/ PIPE /g")' does not match '${fail}')"
+ else
+ if [ -z "${ok}" ] ; then
+ prepend_critical_message "invalid CN ('$(echo "${CN}" | sed "s/|/ PIPE /g")' does not match '${COMMON_NAME}')"
+ fi
+ fi
if [ -n "${DEBUG}" ] ; then
echo "[DBG] CN check finished"
@@ -1891,13 +2099,17 @@ EOF
fi
ok=""
- CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | grep "^${ISSUER}\$" | head -n1)
+ CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | grep -E "^${ISSUER}\$" | head -n1)
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] issuer matched = ${CA_ISSUER_MATCHED}"
+ fi
if [ -n "${CA_ISSUER_MATCHED}" ]; then
ok="true"
else
# this looks ugly but preserves spaces in CA name
- critical "invalid CA ('${ISSUER}' does not match '$(echo "${ISSUERS}" | tr '\n' '|' | sed "s/|\$//g" | sed "s/|/\\' or \\'/g")')"
+ prepend_critical_message "invalid CA ('$(echo "${ISSUER}" | sed "s/|/ PIPE /g")' does not match '$(echo "${ISSUERS}" | tr '\n' '|' | sed "s/|\$//g" | sed "s/|/\\' or \\'/g")')"
fi
else
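Review bot: switching to `grep -E "^${ISSUER}\$"` turns the issuer argument into an extended regular expression, so alternation works (which the `PIPE` rewrite in the message hints at), but CA names containing `(`, `)`, `+`, `.` or `?` are now interpreted rather than matched literally, and the change is not reflected in any help text in this patch. Either document that the value is an ERE and that `|` separates alternatives, or keep literal matching and split on `|` yourself; the same applies to the fingerprint and serial comparisons switched to -E below.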
@@ -1916,8 +2128,8 @@ EOF
ok="true"
fi
- if [ -z "$ok" ] ; then
- critical "invalid serial number ('${SERIAL}' does not match '${SERIAL_LOCK}')"
+ if [ -z "${ok}" ] ; then
+ prepend_critical_message "invalid serial number ('$(echo "${SERIAL_LOCK}" | sed "s/|/ PIPE /g")' does not match '${SERIAL}')"
fi
fi
@@ -1927,12 +2139,12 @@ EOF
ok=""
- if echo "${FINGERPRINT}" | grep -q "^${FINGERPRINT_LOCK}\$" ; then
+ if echo "${FINGERPRINT}" | grep -q -E "^${FINGERPRINT_LOCK}\$" ; then
ok="true"
fi
- if [ -z "$ok" ] ; then
- critical "invalid SHA1 Fingerprint ('${FINGERPRINT}' does not match '${FINGERPRINT_LOCK}')"
+ if [ -z "${ok}" ] ; then
+ prepend_critical_message "invalid SHA1 Fingerprint ('$(echo "${FINGERPRINT_LOCK}" | sed "s/|/ PIPE /g")' does not match '${FINGERPRINT}')"
fi
fi
@@ -1945,22 +2157,23 @@ EOF
echo "[DBG] Checking expiration date"
fi
- if [ ${OPENSSL_COMMAND} = "x509" ]; then
+ if [ "${OPENSSL_COMMAND}" = "x509" ]; then
# x509 certificates (default)
# We always check expired certificates
- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
- critical "${OPENSSL_COMMAND} certificate is expired (was valid until $DATE)"
+ if ! ${OPENSSL} x509 -in "${CERT}" -noout -checkend 0 > /dev/null ; then
+ prepend_critical_message "${OPENSSL_COMMAND} certificate is expired (was valid until ${DATE})"
fi
if [ -n "${CRITICAL}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
+ echo "[DBG] critical = ${CRITICAL}"
+ echo "[DBG] executing: ${OPENSSL} x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
fi
- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) > /dev/null ; then
- critical "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on $DATE"
+ if ! ${OPENSSL} x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) > /dev/null ; then
+ prepend_critical_message "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on ${DATE}"
fi
fi
@@ -1968,32 +2181,32 @@ EOF
if [ -n "${WARNING}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing: $OPENSSL x509 -in ${CERT} -noout -checkend $(( WARNING * 86400 ))"
+ echo "[DBG] executing: ${OPENSSL} x509 -in ${CERT} -noout -checkend $(( WARNING * 86400 ))"
fi
- if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) > /dev/null ; then
- warning "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on $DATE"
+ if ! ${OPENSSL} x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) > /dev/null ; then
+ append_warning_message "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on ${DATE}"
fi
fi
- elif [ ${OPENSSL_COMMAND} = "crl" ]; then
+ elif [ "${OPENSSL_COMMAND}" = "crl" ]; then
# CRL certificates
# We always check expired certificates
if [ "${DAYS_VALID}" -lt 1 ] ; then
- critical "${OPENSSL_COMMAND} certificate is expired (was valid until $DATE)"
+ prepend_critical_message "${OPENSSL_COMMAND} certificate is expired (was valid until ${DATE})"
fi
if [ -n "${CRITICAL}" ] ; then
if [ "${DAYS_VALID}" -lt "${CRITICAL}" ] ; then
- critical "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on $DATE"
+ prepend_critical_message "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on ${DATE}"
fi
fi
if [ -n "${WARNING}" ] ; then
if [ "${DAYS_VALID}" -lt "${WARNING}" ] ; then
- warning "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on $DATE"
+ append_warning_message "${OPENSSL_COMMAND} certificate will expire in ${DAYS_VALID} day(s) on ${DATE}"
fi
fi
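Review bot: because prepend_critical_message and append_warning_message return instead of exiting, a certificate inside the critical window now trips both tests: `-checkend $(( CRITICAL * 86400 ))` records the critical line and `-checkend $(( WARNING * 86400 ))` then records the identical `will expire in ${DAYS_VALID} day(s)` text as a warning, so the output lists the same expiry twice; the CRL branch has the same overlap. Guard the warning test with the critical result (for example, run it only when no expiry critical was recorded), here and in the CRL branch.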
@@ -2014,7 +2227,7 @@ EOF
if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${CURL_BIN} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}\""
fi
-
+
if [ -n "${SNI}" ] ; then
JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${SNI}${IGNORE_SSL_LABS_CACHE}")"
CURL_RETURN_CODE=$?
@@ -2023,7 +2236,7 @@ EOF
CURL_RETURN_CODE=$?
fi
- if [ ${CURL_RETURN_CODE} -ne 0 ] ; then
+ if [ "${CURL_RETURN_CODE}" -ne 0 ] ; then
if [ -n "${DEBUG}" ] ; then
echo "[DBG] curl returned ${CURL_RETURN_CODE}: ${CURL_BIN} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}\""
@@ -2054,7 +2267,7 @@ EOF
'ERROR')
SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
| sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
- critical "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
+ prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
;;
'READY')
if ! echo "${JSON}" | grep -q "grade" ; then
@@ -2062,7 +2275,7 @@ EOF
# Something went wrong
SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
| sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
- critical "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
+ prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
else
@@ -2084,10 +2297,10 @@ EOF
# Check the grade
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
- critical "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
+ prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
- warning "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
+ append_warning_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
fi
fi
@@ -2120,7 +2333,7 @@ EOF
SSL_LABS_ERROR_MESSAGE="${JSON}"
fi
- critical "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
+ prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
esac
WAIT_TIME=60
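Review bot: `prepend_critical_message` in the default arm of the SSL Labs status `case` no longer terminates the script the way `critical` did, and the very next statement after `esac` is `WAIT_TIME=60`; if this `case` lives inside the polling loop, the plugin will now sleep and query SSL Labs again after an unrecoverable error. Add a `break` (or return) after the message; the same applies to the `'ERROR'` arm two hunks above.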
@@ -2142,7 +2355,7 @@ EOF
echo "[DBG] Checking revokation via OCSP"
fi
- ISSUER_HASH="$($OPENSSL x509 -in "${CERT}" -noout -issuer_hash)"
+ ISSUER_HASH="$(${OPENSSL} x509 -in "${CERT}" -noout -issuer_hash)"
if [ -z "${ISSUER_HASH}" ] ; then
unknown 'unable to find issuer certificate hash.'
@@ -2174,9 +2387,9 @@ EOF
fi
if [ -n "${CURL_USER_AGENT}" ] ; then
- exec_with_timeout "$TIMEOUT" "${CURL_BIN} --silent --user-agent '${CURL_USER_AGENT}' --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} --silent --user-agent '${CURL_USER_AGENT}' --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
else
- exec_with_timeout "$TIMEOUT" "${CURL_BIN} --silent --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} --silent --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
fi
if [ -n "${DEBUG}" ] ; then
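Review bot: only `$TIMEOUT` gained braces in this hunk, while `${ISSUER_URI}` and `${ISSUER_CERT_TMP}` are still interpolated unquoted into the command string handed to `exec_with_timeout`, and `--user-agent '${CURL_USER_AGENT}'` breaks on a single quote in the agent string. If ISSUER_URI is taken from the certificate under test it is untrusted input, so quote it (`\"${ISSUER_URI}\"`) or validate it as an http(s) URL before building the command.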
@@ -2196,7 +2409,7 @@ EOF
cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
- $OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+ ${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
else
@@ -2247,15 +2460,15 @@ EOF
# check if -header is supported
OCSP_HEADER=""
-
+
# ocsp -header is supported in OpenSSL versions from 1.0.0, but not documented until 1.1.0
# so we check if the major version is greater than 0
if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
-
+
if [ -n "${DEBUG}" ] ; then
echo "[DBG] openssl ocsp supports the -header option"
fi
-
+
# the -header option was first accepting key and value separated by space. The newer versions are using key=value
KEYVALUE=""
if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
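Review bot: the `-header` syntax probe at the end of this hunk (`openssl ocsp -help 2>&1 | grep header`) still calls `openssl` from PATH, while the version check just above it and every other invocation in this change use `${OPENSSL}`; with a non-default binary the detected `key=value` versus `key value` form can belong to a different openssl than the one that will run. Replace it with `"${OPENSSL}" ocsp -help`.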
@@ -2268,57 +2481,57 @@ EOF
echo "[DBG] openssl ocsp -header requires 'key value'"
fi
fi
-
+
# http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
# shellcheck disable=SC2154
if [ -n "${http_proxy}" ] ; then
HTTP_PROXY="${http_proxy}"
fi
-
+
if [ -n "${HTTP_PROXY:-}" ] ; then
-
+
if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
fi
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
fi
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
-
+
else
-
+
if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
fi
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
fi
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
-
+
fi
-
+
if [ -n "${DEBUG}" ] ; then
echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
fi
-
+
if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
-
+
if [ -n "${DEBUG}" ] ; then
echo '[DBG] OCSP: revoked'
- fi
-
- critical "certificate is revoked"
-
+ fi
+
+ prepend_critical_message "certificate is revoked"
+
elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
-
+
if [ -n "${DEBUG}" ] ; then
echo "[DBG] OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
fi
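Review bot: the revocation decision at the end of this hunk is `grep -qi "revoked"` / `grep -qi "good"` over the whole `2>&1` output of `openssl ocsp`, so any diagnostic line that happens to contain one of those words decides the result. Match the per-certificate status line that `openssl ocsp` prints (`<cert>: good` / `<cert>: revoked`) instead. Minor: the proxy branches use `-header HOST="${OCSP_HOST}"` and the direct branches `-header "HOST=${OCSP_HOST}"`; both work, but one form would be easier to read.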
@@ -2326,33 +2539,37 @@ EOF
if [ -n "${HTTP_PROXY:-}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi
-
+
if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
fi
-
+
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing $OPENSSL ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi
if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
- OCSP_RESP="$($OPENSSL ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
fi
fi
- critical "OCSP error: '${OCSP_RESP}'"
+ if [ -n "${VERBOSE}" ] ; then
+ echo "OCSP Error: ${OCSP_RESP}"
+ fi
- fi
-
+ prepend_critical_message "OCSP error (-v for details)"
+
+ fi
+
else
if [ -n "${VERBOSE}" ] ; then
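Review bot: the debug echo in this hunk keeps the stray `]` in `-cert \"${CERT}]\"`, so the logged command differs from the one executed; fix it while touching the line. Also, the OCSP error text is now printed to stdout via `echo "OCSP Error: ${OCSP_RESP}"` ahead of the status line when `-v` is given and is dropped entirely otherwise; since Nagios takes the first output line as the status text, consider carrying the detail in the long output instead of printing it before the result.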
@@ -2373,48 +2590,62 @@ EOF
################################################################################
# Check the organization
- if [ -n "$ORGANIZATION" ] ; then
+ if [ -n "${ORGANIZATION}" ] ; then
- ORG=$($OPENSSL x509 -in "${CERT}" -subject -noout | sed -e "s/.*\\/O=//" -e "s/\\/.*//")
+ ORG=$(${OPENSSL} x509 -in "${CERT}" -subject -noout | sed -e "s/.*\\/O=//" -e "s/\\/.*//")
- if ! echo "$ORG" | grep -q "^$ORGANIZATION" ; then
- critical "invalid organization ('$ORGANIZATION' does not match '$ORG')"
+ if ! echo "${ORG}" | grep -q -E "^${ORGANIZATION}" ; then
+ prepend_critical_message "invalid organization ('$(echo "${ORGANIZATION}" | sed "s/|/ PIPE /g")' does not match '${ORG}')"
fi
fi
################################################################################
# Check the organization
- if [ -n "$ADDR" ] ; then
+ if [ -n "${ADDR}" ] ; then
- EMAIL=$($OPENSSL x509 -in "${CERT}" -email -noout)
+ EMAIL=$(${OPENSSL} x509 -in "${CERT}" -email -noout)
if [ -n "${VERBOSE}" ] ; then
echo "checking email (${ADDR}): ${EMAIL}"
fi
-
+
if [ -z "${EMAIL}" ] ; then
- critical "the certificate does not contain an email address"
- fi
- if ! echo "$EMAIL" | grep -q "^$ADDR" ; then
- critical "invalid email ($ADDR does not match $EMAIL)"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] no email in certificate"
+ fi
+
+ prepend_critical_message "the certificate does not contain an email address"
+
+ else
+
+ if ! echo "${EMAIL}" | grep -q -E "^${ADDR}" ; then
+ prepend_critical_message "invalid email ('$(echo "${ADDR}" | sed "s/|/ PIPE /g")' does not match ${EMAIL})"
+ fi
+
+ fi
fi
################################################################################
# Check if the certificate was verified
- if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' "${ERROR}" ; then
+ if [ -z "${NOAUTH}" ] && ascii_grep '^verify\ error:' "${ERROR}" ; then
- if grep -q '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' "${ERROR}" ; then
+ if ascii_grep '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' "${ERROR}" ; then
if [ -z "${SELFSIGNED}" ] ; then
- critical "Cannot verify certificate, self signed certificate"
+ prepend_critical_message "Cannot verify certificate, self signed certificate"
else
SELFSIGNEDCERT="self signed "
fi
+ elif ascii_grep '^verify\ error:num=[0-9][0-9]*:certificate\ has\ expired' "${ERROR}" ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] Cannot verify since the certificate has expired.'
+ fi
+
else
if [ -n "${DEBUG}" ] ; then
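Review bot: `grep -q -E "^${ORGANIZATION}"` and `"^${ADDR}"` now treat the user-supplied value as an extended regex (the `| PIPE` substitution in the message shows alternation is intended), so a `.` in an address or organisation matches any character, and the match is still only a prefix because `^` has no matching `$`. Either escape the value or document that it is a regex, and anchor the end (`-x`, or `^(...)$`) if an exact match is meant. The second `# Check the organization` comment in this hunk belongs to the email check and should say so.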
@@ -2423,12 +2654,21 @@ EOF
# Process errors
details=$( grep '^verify\ error:' "${ERROR}" | sed 's/verify\ error:num=[0-9]*://' | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/, /g' )
- critical "Cannot verify certificate: ${details}"
+ prepend_critical_message "Cannot verify certificate: ${details}"
fi
fi
+ # if errors exist at this point return
+ if [ "${CRITICAL_MSG}" != "" ] ; then
+ critical "${CRITICAL_MSG}"
+ fi
+
+ if [ "${WARNING_MSG}" != "" ] ; then
+ warning "${WARNING_MSG}"
+ fi
+
################################################################################
# If we get this far, assume all is well. :)
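Review bot: `details=$( grep '^verify\ error:' "${ERROR}" ...)` in this hunk still uses plain `grep`, while the tests leading to it were switched to `ascii_grep` in the previous hunk; if `ascii_grep` exists to cope with non-ASCII bytes in the error file, this extraction needs it too. Minor: the new early-exit block can use `[ -n "${CRITICAL_MSG}" ]` rather than `!= ""`.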
@@ -2466,7 +2706,7 @@ EOF
DISPLAY_CN="'${CN}' "
fi
- if [ -z "$FORMAT" ]; then
+ if [ -z "${FORMAT}" ]; then
if [ -n "${TERSE}" ]; then
FORMAT="%SHORTNAME% OK %CN% %DAYS_VALID%"
else
@@ -2480,6 +2720,19 @@ EOF
EXTRA_OUTPUT="${LONG_OUTPUT}${PERFORMANCE_DATA}"
fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] output parameters: CA_ISSUER_MATCHED = ${CA_ISSUER_MATCHED}"
+ echo "[DBG] output parameters: CHECKEDNAMES = ${CHECKEDNAMES}"
+ echo "[DBG] output parameters: CN = ${CN}"
+ echo "[DBG] output parameters: DATE = ${DATE}"
+ echo "[DBG] output parameters: DAYS_VALID = ${DAYS_VALID}"
+ echo "[DBG] output parameters: DYSPLAY_CN = ${DISPLAY_CN}"
+ echo "[DBG] output parameters: OPENSSL_COMMAND = ${OPENSSL_COMMAND}"
+ echo "[DBG] output parameters: SELFSIGNEDCERT = ${SELFSIGNEDCERT}"
+ echo "[DBG] output parameters: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] output parameters: SSL_LABS_HOST_GRADE = ${SSL_LABS_HOST_GRADE}"
+ fi
+
echo "${FORMAT}${EXTRA_OUTPUT}" | sed \
-e "$( var_for_sed CA_ISSUER_MATCHED "${CA_ISSUER_MATCHED}" )" \
-e "$( var_for_sed CHECKEDNAMES "${CHECKEDNAMES}" )" \
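Review bot: typo `DYSPLAY_CN` in the new debug output (`[DBG] output parameters: DYSPLAY_CN = ${DISPLAY_CN}`); rename the label to `DISPLAY_CN` so it matches the variable it prints.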
@@ -2498,6 +2751,8 @@ EOF
}
+# Defined externally
+# shellcheck disable=SC2154
if [ -z "${SOURCE_ONLY}" ]; then
main "${@}"
fi
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
-.\" groff -man -Tascii foo.1
+.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "June, 2019" "1.85.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "September, 2019" "1.96.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -66,6 +66,9 @@ custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
.BR "-h,--help,-?"
this help message
.TP
+.BR " --http-use-get"
+use GET instead of HEAD (default) for the HTTP related checks
+.TP
.BR " --ignore-exp"
ignore expiration date
.TP
@@ -128,7 +131,9 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
-use the specific protocol: http (default), irc or smtp,pop3,imap,ftp,ldap (switch to TLS)
+use the specific protocol: ftp, ftps, http (default), imap, imaps, irc, ldap, ldaps, pop3, pop3s, smtp, smtps, xmpp.
+.br
+These protocols switch to TLS using StartTLS: ftp, imap, ldap, pop3, smtp.
.TP
.BR "-s,--selfsigned"
allows self-signed certificates
@@ -169,7 +174,7 @@ cipher selection: force RSA authentication
directory where to store the temporary files
.TP
.BR " --terse"
-terse output (also see --verbose)
+terse output (also see --verbose)
.TP
.BR "-t,--timeout"
seconds timeout after the specified time (defaults to 15 seconds)
@@ -197,6 +202,12 @@ minimum number of days a certificate has to be valid to issue a warning status
.TP
.BR " --xmpphost" " name"
specifies the host for the "to" attribute of the stream element
+.TP
+.BR "-4"
+forces IPv4
+.TP
+.BR "-6"
+forces IPv6
.SH DEPRECATED OPTIONS
.TP
.BR "-d,--days" " days"
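Review bot: the new `-4`/`-6` entries do not mention that they depend on the OpenSSL `s_client` in use accepting those flags (the unit tests in this change skip when `openssl s_client -help` does not list them); one sentence here saves a confusing failure on older OpenSSL builds.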
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.85.0
+%define version 1.96.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,39 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Wed Sep 25 2019 Matteo Corti <matteo at corti.li> - 1.96.0-0
+- Updated to 1.96.0
+
+* Tue Sep 24 2019 Matteo Corti <matteo at corti.li> - 1.95.0-0
+- Updated to 1.95.0
+
+* Tue Sep 24 2019 Matteo Corti <matteo at corti.li> - 1.94.0-0
+- Updated to 1.94.0
+
+* Tue Sep 24 2019 Matteo Corti <matteo at corti.li> - 1.93.0-0
+- Updated to 1.93.0
+
+* Tue Sep 24 2019 Matteo Corti <matteo at corti.li> - 1.92.0-0
+- Updated to 1.92.0
+
+* Tue Sep 24 2019 Matteo Corti <matteo at corti.li> - 1.91.0-0
+- Updated to 1.91.0
+
+* Thu Sep 19 2019 Matteo Corti <matteo at corti.li> - 1.90.0-0
+- Updated to 1.90.0
+
+* Thu Aug 22 2019 Matteo Corti <matteo at corti.li> - 1.89.0-0
+- Updated to 1.89.0
+
+* Thu Aug 9 2019 Matteo Corti <matteo at corti.li> - 1.88.0-0
+- Updated to 1.88.0
+
+* Thu Aug 8 2019 Matteo Corti <matteo at corti.li> - 1.87.0-0
+- Updated to 1.87.0
+
+* Sun Jul 21 2019 Matteo Corti <matteo at corti.li> - 1.86.0-0
+- Updated to 1.86.0
+
* Sun Jun 2 2019 Matteo Corti <matteo at corti.li> - 1.85.0-0
- Updated to 1.85.0
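Review bot: `* Thu Aug 9 2019 Matteo Corti ... - 1.88.0-0` carries the wrong weekday (9 August 2019 was a Friday); rpmbuild flags such entries as "bogus date in %changelog", so correct it to `Fri Aug 9 2019` or `Thu Aug 8 2019`, whichever the release actually was.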
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.96.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.96.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/qvsslg2.crt
=====================================
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
=====================================
check_ssl_cert/check_ssl_cert-1.85.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.96.0/test/unit_tests.sh
=====================================
@@ -1,5 +1,7 @@
#!/bin/sh
+# $SHUNIT2 should be defined as an environment variable before running the tests
+# shellcheck disable=SC2154
if [ -z "${SHUNIT2}" ] ; then
cat <<EOF
To be able to run the unit test you need a copy of shUnit2
@@ -30,94 +32,96 @@ NAGIOS_UNKNOWN=3
testDependencies() {
check_required_prog openssl
+ # $PROG is defined in the script
+ # shellcheck disable=SC2154
assertNotNull 'openssl not found' "${PROG}"
}
testUsage() {
${SCRIPT} > /dev/null 2>&1
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_UNKNOWN} "${EXIT_CODE}"
-}
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+}
testETHZ() {
- ${SCRIPT} -H www.ethz.ch --cn www.ethz.ch --rootcert cabundle.crt
+ ${SCRIPT} -H ethz.ch --cn ethz.ch --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testLetsEncrypt() {
${SCRIPT} -H helloworld.letsencrypt.org --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
-}
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
testGoDaddy() {
${SCRIPT} -H www.godaddy.com --cn www.godaddy.com --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZCaseInsensitive() {
# debugging: to be removed
- ${SCRIPT} -H www.ethz.ch --cn WWW.ETHZ.CH --rootcert cabundle.crt
+ ${SCRIPT} -H ethz.ch --cn ETHZ.CH --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCard() {
${SCRIPT} -H sherlock.sp.ethz.ch --cn sp.ethz.ch --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCardCaseInsensitive() {
${SCRIPT} -H sherlock.sp.ethz.ch --cn SP.ETHZ.CH --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCardSub() {
${SCRIPT} -H sherlock.sp.ethz.ch --cn sub.sp.ethz.ch --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCardSubCaseInsensitive() {
${SCRIPT} -H sherlock.sp.ethz.ch --cn SUB.SP.ETHZ.CH --rootcert cabundle.crt
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testRootIssuer() {
- ${SCRIPT} --rootcert cabundle.crt -H google.com --issuer GlobalSign
+ ${SCRIPT} --rootcert cabundle.crt -H google.com --issuer 'GlobalSign'
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testValidity() {
# Tests bug #8
${SCRIPT} --rootcert cabundle.crt -H www.ethz.ch -w 1000
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_WARNING} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_WARNING}" "${EXIT_CODE}"
}
-
+
testValidityWithPerl() {
${SCRIPT} --rootcert cabundle.crt -H www.ethz.ch -w 1000 --force-perl-date
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_WARNING} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_WARNING}" "${EXIT_CODE}"
}
testAltNames() {
${SCRIPT} -H www.inf.ethz.ch --cn www.inf.ethz.ch --rootcert cabundle.crt --altnames
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
#Do not require to match Alternative Name if CN already matched
testWildcardAltNames1() {
${SCRIPT} -H sherlock.sp.ethz.ch --rootcert cabundle.crt --altnames --host-cn
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
#Check for wildcard support in Alternative Names
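Review bot: the host rename from `www.ethz.ch` to `ethz.ch` in testETHZ and testETHZCaseInsensitive is not applied to testValidity and testValidityWithPerl, which still use `www.ethz.ch`; if the certificate served on the www host differs (the added fixture has `CN=ethz.ch`), either move them too or add a comment stating why both hosts are exercised.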
@@ -128,57 +132,43 @@ testWildcardAltNames2() {
--cn spapps.ethz.ch \
--rootcert cabundle.crt --altnames
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testAltNamesCaseInsensitve() {
${SCRIPT} -H www.inf.ethz.ch --cn WWW.INF.ETHZ.CH --rootcert cabundle.crt --altnames
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
-}
-
-testMultipleAltNamesOK() {
- # Test with multiple CN's
- ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n ethz.ch --rootcert cabundle.crt --altnames
- EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testMultipleAltNamesFailOne() {
# Test with wiltiple CN's but last one is wrong
${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --rootcert cabundle.crt --altnames
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testMultipleAltNamesFailTwo() {
# Test with multiple CN's but first one is wrong
${SCRIPT} -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --rootcert cabundle.crt --altnames
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_CRITICAL} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testXMPPHost() {
+ # $TRAVIS is set an environment variable
+ # shellcheck disable=SC2154
if [ -z "${TRAVIS+x}" ] ; then
out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
- assertEquals "wrong exit code" ${NAGIOS_UNKNOWN} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
else
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
fi
else
echo "Skipping XMPP tests on Travis CI"
- fi
-}
-
-# SSL Labs
-
-testETHZWithSSLLabs() {
- # we assume www.ethz.ch gets at least a C
- ${SCRIPT} -H www.ethz.ch --cn www.ethz.ch --check-ssl-labs A --rootcert cabundle.crt
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ fi
}
testTimeOut() {
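Review bot: `testMultipleAltNamesOK` is deleted outright, leaving only the two failing multi-`-n` cases (`testMultipleAltNamesFailOne`/`FailTwo`) and no positive one; if its names went stale, update them rather than removing the test, or state in a comment why no passing case is kept.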
@@ -194,7 +184,7 @@ testIMAP() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping IMAP tests on Travis CI"
- fi
+ fi
}
testIMAPS() {
@@ -204,12 +194,12 @@ testIMAPS() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping IMAP tests on Travis CI"
- fi
+ fi
}
testPOP3S() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 993 --timeout 30 --protocol pop3s
+ ${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -225,9 +215,33 @@ testSMTP() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping SMTP tests on Travis CI"
- fi
+ fi
+}
+
+testSMTPSubmbission() {
+ ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 587 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
+testSMTPS() {
+ ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtps --port 465 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testFTP() {
+ ${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftp --port 21 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testFTPS() {
+ ${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftps --port 990 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
################################################################################
# From https://badssl.com
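Review bot: function name typo `testSMTPSubmbission` (should be `testSMTPSubmission`), and the four new tests (SMTP submission, SMTPS, FTP, FTPS) are not wrapped in the `[ -z "${TRAVIS+x}" ]` guard that testSMTP and the IMAP/POP3 tests use, so they will run against gmail.com and test.rebex.net on CI.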
@@ -237,6 +251,12 @@ testBadSSLExpired() {
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
+testBadSSLExpiredAndWarnThreshold() {
+ ${SCRIPT} -H expired.badssl.com --host-cn --warning 3000
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
testBadSSLWrongHost() {
${SCRIPT} -H wrong.host.badssl.com --host-cn
EXIT_CODE=$?
@@ -280,7 +300,7 @@ testBadSSLSHA256() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping SHA 256 with badssl.com on Travis CI"
- fi
+ fi
}
# exired on Feb 17 2019
@@ -291,7 +311,7 @@ testBadSSLSHA256() {
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# else
# echo "Skipping 1000 subject alternative names with badssl.com on Travis CI"
-# fi
+# fi
#}
# Disabled as OpenSSL does not seem to handle it
@@ -308,7 +328,7 @@ testBadSSLEcc256() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping ECC 256 with badssl.com on Travis CI"
- fi
+ fi
}
testBadSSLEcc384() {
@@ -318,7 +338,7 @@ testBadSSLEcc384() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping ECC 384 with badssl.com on Travis CI"
- fi
+ fi
}
testBadSSLRSA8192() {
@@ -328,7 +348,7 @@ testBadSSLRSA8192() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping RSA8192 with badssl.com on Travis CI"
- fi
+ fi
}
testBadSSLLongSubdomainWithDashes() {
@@ -338,7 +358,7 @@ testBadSSLLongSubdomainWithDashes() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping long subdomain with dashes with badssl.com on Travis CI"
- fi
+ fi
}
testBadSSLLongSubdomain() {
@@ -348,7 +368,7 @@ testBadSSLLongSubdomain() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping long subdomain with badssl.com on Travis CI"
- fi
+ fi
}
testBadSSLSHA12016() {
@@ -375,30 +395,80 @@ testRequireOCSP() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
-#testIPv4() {
-# ${SCRIPT} -H 129.132.19.216 --sni www.ethz.ch
-# EXIT_CODE=$?
-# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-#}
+# tests for -4 and -6
+testIPv4() {
+ if openssl s_client -help 2>&1 | grep -q -- -4 ; then
+ ${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ else
+ echo "Skipping forcing IPv4: no OpenSSL support"
+ fi
+}
-#testIPv6() {
-# ${SCRIPT} -H 2001:67c:10ec:4380::216 --sni www.ethz.ch
-# EXIT_CODE=$?
-# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-#}
+testIPv6() {
+ if openssl s_client -help 2>&1 | grep -q -- -6 ; then
+
+ if ifconfig -a | grep -q inet6 ; then
+
+ ${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+
+ else
+ echo "Skipping forcing IPv6: not IPv6 configured locally"
+ fi
+
+ else
+ echo "Skipping forcing IPv6: no OpenSSL support"
+ fi
+}
testFormatShort() {
- OUTPUT=$( ${SCRIPT} -H www.ethz.ch --cn www.ethz.ch --rootcert cabundle.crt --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
+ OUTPUT=$( ${SCRIPT} -H ethz.ch --cn ethz.ch --rootcert cabundle.crt --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
EXIT_CODE=$?
- assertEquals "wrong exit code" ${NAGIOS_OK} "${EXIT_CODE}"
- assertEquals "wrong output" "SSL_CERT OK www.ethz.ch from 'QuoVadis Global SSL ICA G2'" "${OUTPUT}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ assertEquals "wrong output" "SSL_CERT OK ethz.ch from 'QuoVadis Global SSL ICA G2'" "${OUTPUT}"
+}
+
+testMoreErrors() {
+ VALUE=1000
+ OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --critical "${VALUE}" --rootcert cabundle.crt | wc -l | sed 's/\ //g' )
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ # we should get three lines: the plugin output and two errors
+ assertEquals "wrong number of errors" 4 "${OUTPUT}"
}
+testMoreErrors2() {
+ VALUE=1000
+ OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --warning "${VALUE}" --rootcert cabundle.crt | wc -l | sed 's/\ //g' )
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ # we should get three lines: the plugin output and two errors
+ assertEquals "wrong number of errors" 4 "${OUTPUT}"
+}
+
+# SSL Labs (last one as it usually takes a lot of time
+
+testETHZWithSSLLabs() {
+ # we assume www.ethz.ch gets at least a C
+ ${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs A --rootcert cabundle.crt
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+# we trigger a test by Qualy's SSL so that when the last test is run the result will be cached
+echo 'Starting SSL Lab test (to cache the result)'
+curl --silent 'https://www.ssllabs.com/ssltest/analyze.html?d=ethz.ch&latest' > /dev/null
+
# the script will exit without executing main
export SOURCE_ONLY='test'
# source the script.
-. ${SCRIPT}
+# Do not follow
+# shellcheck disable=SC1090
+. "${SCRIPT}"
unset SOURCE_ONLY
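Review bot: in `testMoreErrors` and `testMoreErrors2`, `EXIT_CODE=$?` after `OUTPUT=$( ${SCRIPT} ... | wc -l | sed ... )` captures the exit status of `sed`, not of the plugin, so the `NAGIOS_OK` assertion is vacuous (with `--email doesnotexist` the plugin should exit CRITICAL). Capture the script output in a variable first and pipe that to `wc -l`; also the comment says "three lines" while the assertion expects 4. Separately, `testIPv6` relies on `ifconfig`, which is absent on minimal Debian installs (net-tools), so fall back to `ip -6 addr` or treat a missing `ifconfig` as a skip. Typo: "Qualy's" should be "Qualys'".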
@@ -409,9 +479,11 @@ unset SOURCE_ONLY
# We parse the output to check if a test failed
#
+# Do not follow
+# shellcheck disable=SC1090
. "${SHUNIT2}"
#if ! . "${SHUNIT2}" | tee /dev/tty | grep -q 'tests\ passed:\ *[0-9]*\ 100%' ; then
-# # at least one of the tests failed
+# # at least one of the tests failed
# exit 1
#fi
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.crt
=====================================
@@ -0,0 +1,117 @@
+CONNECTED(00000006)
+---
+Certificate chain
+ 0 s:/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=ethz.ch
+ i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
+ 1 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
+ i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+---
+Server certificate
+subject=/C=CH/ST=Zuerich/L=Zuerich/O=ETH Zuerich/CN=ethz.ch
+issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
+---
+No client certificate CA names sent
+Peer signing digest: SHA256
+Server Temp Key: ECDH, P-256, 256 bits
+---
+SSL handshake has read 3472 bytes and written 454 bytes
+---
+New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : ECDHE-RSA-AES256-GCM-SHA384
+ Session-ID:
+ Session-ID-ctx:
+ Master-Key: 1BC1720B42FD5F9E96B948C9AD9ABE31695CDCF1613DB637C2C928BC98F5787B9B8E429E59C50BE6DB7EB662F56B0C7E
+ Key-Arg : None
+ PSK identity: None
+ PSK identity hint: None
+ SRP username: None
+ Start Time: 1568723459
+ Timeout : 300 (sec)
+ Verify return code: 0 (ok)
+---
+HTTP/1.1 301 Moved Permanently
+Date: Tue, 17 Sep 2019 11:48:06 GMT
+Location: https://ethz.ch/
+Content-Length: 224
+Content-Type: text/html; charset=iso-8859-1
+vary: cookie
+Age: 2572
+X-RateLimit-Remaining: 15
+X-Powered-By: ETH Informatikdiensten
+X-Delievered-From: Zentrum
+Connection: close
+
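Review bot: the `Master-Key:` line in this fixture embeds the TLS session master secret captured from a live `s_client` run against ethz.ch. The tests only need the certificate chain, subject/issuer and verify result, so that value should be redacted (or the capture re-run with the session block stripped) before it is committed; shipping real session secrets in a package's test data is a bad habit even when the session is long expired. The file is named `.crt` but holds the full `s_client` output including the HTTP 301 response, so a comment in the test that reads it, or a name like `www.ethz.ch.s_client`, would make its contents clearer.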
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.error
=====================================
@@ -0,0 +1,8 @@
+verify depth is 6
+depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
+verify return:1
+depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
+verify return:1
+depth=0 C = CH, ST = Zuerich, L = Zuerich, O = ETH Zuerich, CN = ethz.ch
+verify return:1
+read:errno=0
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.85.0
+Version: 1.96.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
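Review bot: the `Watch:` line still matches `check_ssl_cert-([0-9.]+)\.tar\.gz` (hyphen), while the unpacked source directory in this same change moves from `check_ssl_cert-1.85.0` to `check_ssl_cert_1.96.0` (underscore). Confirm the 1.96.0 release tarball is still named with a hyphen; if upstream changed the naming, the watch pattern will silently stop matching new releases.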
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert-1.85.0/
\ No newline at end of file
+check_ssl_cert_1.96.0
\ No newline at end of file
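Review bot: besides the version bump, this drops the trailing slash (`check_ssl_cert-1.85.0/` becomes `check_ssl_cert_1.96.0`). Check that whatever reads `src` tolerates both forms, and that the other plugin directories in this package follow the same convention. Both the old and the new file lack a trailing newline; adding one now avoids the `\ No newline at end of file` marker in every future bump.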
=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 8.0.0),
python-debian,
quilt (>= 0.46-7),
autotools-dev, flex, libmemcached-dev [!hurd-i386], pkg-config
-Standards-Version: 4.3.0
+Standards-Version: 4.4.1.0
Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib.git
Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib
@@ -169,7 +169,7 @@ Description: Plugins for nagios compatible monitoring systems
HOST-RESOURCES-MIB::hrSystemDate.0 used here returns 8 or 11 byte octets.
SNMP translation needs to be switched off and to be converted the
received SNMP data into readable strings.
- * check_ssl_cert (1.85.0): plugin to check the CA and validity of an
+ * check_ssl_cert (1.96.0): plugin to check the CA and validity of an
X.509 certificate
* check_uptime (0.521): check_uptime returns uptime of a system
in text (readable) format as well as in minutes for performance graphing.
=====================================
debian/control.in
=====================================
@@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 8.0.0),
python-debian,
quilt (>= 0.46-7),
#AUTO_UPDATE_Build-Depends#
-Standards-Version: 4.3.0
+Standards-Version: 4.4.1.0
Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib.git
Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib
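Review bot: `Standards-Version: 4.4.1.0` uses four components; the fourth (minor patch level) is optional in the Policy version scheme and is normally omitted, so `4.4.1` is the more usual spelling and what most packages carry. Since `debian/control` is generated from this file (the `#AUTO_UPDATE_Build-Depends#` marker), the matching hunk in `debian/control` should come from regenerating rather than a hand edit, which the separate "Update control" commit appears to do.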
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/compare/7bbdc8c3a8f7d9156f3e3311764b756c42aaa092...ad53eecf12aa4c719c5318eeec6d3920d6907828