[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] check_ssl_cert: Update to 1.97.0
Jan Wagner
gitlab at salsa.debian.org
Wed Oct 9 19:34:17 BST 2019
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
54902b8d by Jan Wagner at 2019-10-09T18:21:09Z
check_ssl_cert: Update to 1.97.0
- - - - -
26 changed files:
- − check_ssl_cert/check_ssl_cert_1.96.0/VERSION
- check_ssl_cert/check_ssl_cert_1.96.0/._COPYRIGHT → check_ssl_cert/check_ssl_cert_1.97.0/._COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.96.0/._Makefile → check_ssl_cert/check_ssl_cert_1.97.0/._Makefile
- check_ssl_cert/check_ssl_cert_1.96.0/._NEWS → check_ssl_cert/check_ssl_cert_1.97.0/._NEWS
- check_ssl_cert/check_ssl_cert_1.96.0/._check_ssl_cert → check_ssl_cert/check_ssl_cert_1.97.0/._check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.96.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.97.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.96.0/COPYING → check_ssl_cert/check_ssl_cert_1.97.0/COPYING
- check_ssl_cert/check_ssl_cert_1.96.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.97.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.96.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.97.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.96.0/INSTALL → check_ssl_cert/check_ssl_cert_1.97.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.96.0/Makefile → check_ssl_cert/check_ssl_cert_1.97.0/Makefile
- check_ssl_cert/check_ssl_cert_1.96.0/NEWS → check_ssl_cert/check_ssl_cert_1.97.0/NEWS
- check_ssl_cert/check_ssl_cert_1.96.0/README.md → check_ssl_cert/check_ssl_cert_1.97.0/README.md
- check_ssl_cert/check_ssl_cert_1.96.0/TODO → check_ssl_cert/check_ssl_cert_1.97.0/TODO
- + check_ssl_cert/check_ssl_cert_1.97.0/VERSION
- check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.96.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.96.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.96.0/test/qvsslg2.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/qvsslg2.crt
- check_ssl_cert/check_ssl_cert_1.96.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.97.0/test/unit_tests.sh
- check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/www.ethz.ch.crt
- check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.error → check_ssl_cert/check_ssl_cert_1.97.0/test/www.ethz.ch.error
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.96.0
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/._COPYRIGHT → check_ssl_cert/check_ssl_cert_1.97.0/._COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/._Makefile → check_ssl_cert/check_ssl_cert_1.97.0/._Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/._NEWS → check_ssl_cert/check_ssl_cert_1.97.0/._NEWS
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/._check_ssl_cert → check_ssl_cert/check_ssl_cert_1.97.0/._check_ssl_cert
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.97.0/AUTHORS
=====================================
@@ -65,7 +65,7 @@ Thanks:
* Many thanks to Łukasz Wąsikowski (https://github.com/IdahoPL) for the curl and date display patches
* Many thanks to booboo-at-gluga-de (https://github.com/booboo-at-gluga-de) for the CRL patch
* Many thanks to Georg (https://github.com/gbotti) for the fingerprint patch
-* Many thanks to Wim van Ravesteijn (https://github.com/wimvr) for the DER encoded CRL files patch
+* Many thanks to Wim van Ravesteijn (https://github.com/wimvr) for the DER encoded CRL files patch and the OCSP expiring date patch
* Many thanks to yasirathackersdotmu (https://github.com/yasirathackersdotmu)
* Many thanks to Christoph Moench-Tegeder (https://github.com/moench-tegeder) for the curl patch
* Many thanks to Dan Pritts for the --terse patch
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/COPYING → check_ssl_cert/check_ssl_cert_1.97.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.97.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.97.0/ChangeLog
=====================================
@@ -1,3 +1,12 @@
+2019-10-09 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: disables TLS 1.3 with --rsa
+ * check_ssl_cert: Validate OCSP stapling expiring date
+
+2019-09-26 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: stops if needed programs are not foud
+
2019-09-24 Matteo Corti <matteo at corti.li>
* check_ssl_cert: Fixed a bug in the processing of the SSL Labs options
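Review bot: typo in the 2019-09-26 entry, "foud" should be "found" ("stops if needed programs are not found"). The 2019-10-09 entry also omits two behaviour changes visible elsewhere in this commit that users of --debug and -P irc will notice: -ign_eof is now passed to s_client only when --debug is set, and "irc" now means StartTLS while the old direct-TLS behaviour moved to the new "ircs" protocol name. Both deserve a line here and in NEWS, since the second one silently changes what an existing "-P irc" check does.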
@@ -278,7 +287,7 @@
2016-12-04 Matteo Corti <matteo at corti.li>
- * check_ssl_cert: fixed problem when file is returing PEM certificate on newer Linux distributions
+ * check_ssl_cert: fixed problem when file is returning PEM certificate on newer Linux distributions
2016-09-19 Matteo Corti <matteo at corti.li>
@@ -422,7 +431,7 @@
2013-03-02 Matteo Corti <matteo.corti at id.ethz.ch>
- * check_ssl_cert: Fixed a bug occuring with TLS and multiple names in
+ * check_ssl_cert: Fixed a bug occurring with TLS and multiple names in
the certificate
2012-12-07 Matteo Corti <matteo.corti at id.ethz.ch>
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/INSTALL → check_ssl_cert/check_ssl_cert_1.97.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/Makefile → check_ssl_cert/check_ssl_cert_1.97.0/Makefile
=====================================
@@ -4,7 +4,7 @@ DIST_DIR=$(PLUGIN)-$(VERSION)
DIST_FILES=AUTHORS COPYING ChangeLog INSTALL Makefile NEWS README.md TODO VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT ${PLUGIN}.1 test
YEAR=`date +"%Y"`
-dist: version_check
+dist: version_check formatting_check
rm -rf $(DIST_DIR) $(DIST_DIR).tar.gz
mkdir $(DIST_DIR)
cp -r $(DIST_FILES) $(DIST_DIR)
@@ -18,13 +18,16 @@ install:
install -m 644 ${PLUGIN}.1 ${MANDIR}/man1/
version_check:
- grep -q "VERSION\ *=\ *[\'\"]*$(VERSION)" $(PLUGIN)
- grep -q "^%define\ version\ *$(VERSION)" $(PLUGIN).spec
- grep -q -- "- $(VERSION)-" $(PLUGIN).spec
- grep -q "\"$(VERSION)\"" $(PLUGIN).1
- grep -q "${VERSION}" NEWS
+ grep --quiet "VERSION\ *=\ *[\'\"]*$(VERSION)" $(PLUGIN)
+ grep --quiet "^%define\ version\ *$(VERSION)" $(PLUGIN).spec
+ grep --quiet -- "- $(VERSION)-" $(PLUGIN).spec
+ grep --quiet "\"$(VERSION)\"" $(PLUGIN).1
+ grep --quiet "${VERSION}" NEWS
echo "Version check: OK"
+formatting_check:
+ grep --invert-match --quiet '\\t' check_ssl_cert test/unit_tests.sh
+
clean:
rm -f *~
rm -rf rpmroot
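Review bot: the new formatting_check target can never fail. `grep --invert-match --quiet '\\t' ...` exits 0 as soon as one line does not match, and since the shell hands grep the two-character pattern `\\t` (a literal backslash followed by "t", not a tab), practically every line is a non-match, so the target passes whatever the files contain. To make `dist` actually refuse tab-indented sources, negate a positive match on a real tab character, e.g. `! grep --quiet "$$(printf '\t')" check_ssl_cert test/unit_tests.sh` (the `$$` is needed inside a Makefile recipe). The same idea applies if the intent was the opposite, i.e. to reject files that do contain `\t` escapes; either way the current inverted-quiet form is a no-op.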
@@ -38,12 +41,12 @@ test: dist
( export SHUNIT2="$$(pwd)/shunit2/shunit2" && cd test && ./unit_tests.sh )
shellcheck:
- if shellcheck --help 2>&1 | grep -q -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh ; else shellcheck check_ssl_cert test/unit_tests.sh ; fi
+ if shellcheck --help 2>&1 | grep --quiet -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh ; else shellcheck check_ssl_cert test/unit_tests.sh ; fi
copyright_check:
- grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
- grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
- grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti <matteo at corti.li>" $(PLUGIN)
+ grep --quiet "(c) Matteo Corti, 2007-$(YEAR)" README.md
+ grep --quiet "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
+ grep --quiet "Copyright (c) 2007-$(YEAR) Matteo Corti <matteo at corti.li>" $(PLUGIN)
echo "Copyright year check: OK"
rpm: dist
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/NEWS → check_ssl_cert/check_ssl_cert_1.97.0/NEWS
=====================================
@@ -1,3 +1,4 @@
+2019-10-09 Version 1.97.0: Validate OCSP stapling expiring date, option to disable TLS 1.3
2019-09-25 Version 1.96.0: Bug fixes
2019-09-24 Version 1.95.0: Bug fixes
2019-09-24 Version 1.94.0: Several bugs fixed
@@ -68,7 +69,7 @@
2016-12-23 Version 1.37.0: Added a patch to specify multiple CNs
2016-12-13 Version 1.36.2: fixed a minor problem with --debug
2016-12-06 Version 1.36.1: fixed a problem when specifying a CN beginning with *
-2016-12-04 Version 1.36.0: fixed problem when file is returing PEM certificate on newer
+2016-12-04 Version 1.36.0: fixed problem when file is returning PEM certificate on newer
Linux distributions
added an option to specify the location of the file utility
2016-10-18 Version 1.35.0: added support for the selection of the cipher authentication
@@ -109,7 +110,7 @@
to Max Winterstein)
2013-05-12 Version 1.14.6 Added XMPP and timeout support (thanks to Christian
Ruppert and Robin H. Johnson)
-2013-03-02 Version 1.14.5 Fixed a bug occuring with TLS and multiple names in
+2013-03-02 Version 1.14.5 Fixed a bug occurring with TLS and multiple names in
the certificate
2012-12-07 Version 1.14.4 Fixed a bug causing -N to always compare the CN
with 'localhost'
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/README.md → check_ssl_cert/check_ssl_cert_1.97.0/README.md
=====================================
@@ -73,14 +73,19 @@ Options:
--no_tls1 disable TLS version 1
--no_tls1_1 disable TLS version 1.1
--no_tls1_2 disable TLS version 1.2
+ --no_tls1_3 disable TLS version 1.3
-N,--host-cn match CN with the host name
+ --ocsp-critical hours minimum number of hours an OCSP response has to be valid to
+ issue a critical status
+ --ocsp-warning hours minimum number of hours an OCSP response has to be valid to
+ issue a warning status
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
- {ftp|ftps|http|imap|imaps|irc|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}
+ {ftp|ftps|http|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}
http: default
- ftp,imap,ldap,pop3,smtp: switch to TLS using StartTLS
+ ftp,imap,irc,ldap,pop3,smtp: switch to TLS using StartTLS
-s,--selfsigned allows self-signed certificates
--serial serialnum pattern to match the serial number
--sni name sets the TLS SNI (Server Name Indication) extension
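Review bot: the help text for the two new OCSP options is hard to read as a threshold. "minimum number of hours an OCSP response has to be valid to issue a critical status" can be read as "once it is valid for that long, go critical". Since NEWS describes the feature as validating the stapled OCSP response's expiry date, a phrasing in the style of the existing -c/-w options would be clearer, e.g. "--ocsp-critical hours   CRITICAL if the stapled OCSP response expires in fewer than this many hours" (and "WARNING" for --ocsp-warning). It would also help to say whether these options only take effect together with --require-ocsp-stapling, since that is the only path in this diff that asks s_client for a stapled response (-status).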
@@ -94,7 +99,7 @@ Options:
certificate validation
--rootcert-dir path root directory to be used for certificate validation
--rootcert-file path root certificate to be used for certificate validation
- --rsa cipher selection: force RSA authentication
+ --rsa cipher selection: force RSA authentication (disables TLS 1.3)
--temp dir directory where to store the temporary files
--terse terse output
-t,--timeout seconds timeout after the specified time
@@ -169,7 +174,7 @@ $ sudo security find-certificate -a \
and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
```
- ./check_ssl_cert -H www.google.com -r ./cabundle.crt
+ ./check_ssl_cert -H www.google.com -r ./cabundle.crt
```
## Bugs
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/TODO → check_ssl_cert/check_ssl_cert_1.97.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.97.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.97.0
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.96.0
+VERSION=1.97.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -110,14 +110,19 @@ usage() {
echo " --no_tls1 disable TLS version 1"
echo " --no_tls1_1 disable TLS version 1.1"
echo " --no_tls1_2 disable TLS version 1.2"
+ echo " --no_tls1_3 disable TLS version 1.3"
echo " -N,--host-cn match CN with the host name"
+ echo " --ocsp-critical hours minimum number of hours an OCSP response has to be valid to"
+ echo " issue a critical status"
+ echo " --ocsp-warning hours minimum number of hours an OCSP response has to be valid to"
+ echo " issue a warning status"
echo " -o,--org org pattern to match the organization of the certificate"
echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
- echo " {ftp|ftps|http|imap|imaps|irc|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}"
+ echo " {ftp|ftps|http|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}"
echo " http: default"
- echo " ftp,imap,ldap,pop3,smtp: switch to TLS using StartTLS"
+ echo " ftp,imap,irc,ldap,pop3,smtp: switch to TLS using StartTLS"
echo " -s,--selfsigned allows self-signed certificates"
echo " --serial serialnum pattern to match the serial number"
echo " --sni name sets the TLS SNI (Server Name Indication) extension"
@@ -131,7 +136,7 @@ usage() {
echo " certificate validation"
echo " --rootcert-dir path root directory to be used for certificate validation"
echo " --rootcert-file path root certificate to be used for certificate validation"
- echo " --rsa cipher selection: force RSA authentication"
+ echo " --rsa cipher selection: force RSA authentication (disables TLS 1.3)"
echo " --temp dir directory where to store the temporary files"
echo " --terse terse output"
echo " -t,--timeout seconds timeout after the specified time"
@@ -168,7 +173,7 @@ usage() {
trap_with_arg() {
func="$1" ; shift
for sig ; do
- # shellcheck disable=SC2064
+ # shellcheck disable=SC2064
trap "${func} ${sig}" "${sig}"
done
}
@@ -192,7 +197,7 @@ remove_temporary_files() {
cleanup() {
SIGNAL=$1
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] signal caught ${SIGNAL}"
+ echo "[DBG] signal caught ${SIGNAL}"
fi
remove_temporary_files
# shellcheck disable=SC2086
@@ -209,7 +214,7 @@ create_temporary_file() {
fi
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] temporary file ${TEMPFILE} created"
+ echo "[DBG] temporary file ${TEMPFILE} created"
fi
# add the file to the list of temporary files
@@ -217,6 +222,59 @@ create_temporary_file() {
}
+################################################################################
+# Compute the number of hours until a given date
+# Params
+# $1 date
+# Sets HOURS_UNTIL
+hours_until() {
+
+ DATE=$1
+
+ OLDLANG="${LANG}"
+ LANG=en_US
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] Date computations: ${DATETYPE}"
+ echo "[DBG] Computing number of hours until '${DATE}'"
+ fi
+
+ case "${DATETYPE}" in
+ "BSD")
+ HOURS_UNTIL=$(( ( $(${DATEBIN} -jf "%b %d %T %Y %Z" "${DATE}" +%s) - $(${DATEBIN} +%s) ) / 3600 ))
+ ;;
+
+ "GNU")
+ HOURS_UNTIL=$(( ( $(${DATEBIN} -d "${DATE}" +%s) - $(${DATEBIN} +%s) ) / 3600 ))
+ ;;
+
+ "PERL")
+ # Warning: some shell script formatting tools will indent the EOF! (should be at position 0)
+ if ! HOURS_UNTIL=$(perl - "${DATE}" <<-"EOF"
+ use strict;
+ use warnings;
+ use Date::Parse;
+ my $cert_date = str2time( $ARGV[0] );
+ my $hours = int (( $cert_date - time ) / 3600 + 0.5);
+ print "$hours\n";
+EOF
+ ) ; then
+ # something went wrong with the embedded Perl code: check the indentation of EOF
+ unknown "Error computing the certificate validity with Perl"
+ fi
+ ;;
+ *)
+ unknown "Internal error: unknown date type"
+ esac
+
+ LANG="${OLDLANG}"
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] Hours until ${DATE}: ${HOURS_UNTIL}"
+ fi
+
+}
+
################################################################################
# prepends critical messages to list of all messages
# Params
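Review bot: hours_until handles failure and rounding differently in its three branches, which makes the OCSP threshold platform dependent. The Perl branch rounds to the nearest hour (`int(... / 3600 + 0.5)`) while the BSD and GNU branches truncate toward zero in `$(( ... ))`, so a response that expires in 1h59m yields 2 on the Perl path and 1 on the others, and a threshold of 2 hours fires on one platform but not the other; using plain `int(($cert_date - time) / 3600)` in Perl would match. More importantly, only the Perl branch checks for errors: if `${DATEBIN} -d "${DATE}" +%s` cannot parse its input it prints nothing, the arithmetic expansion becomes `( - <now> ) / 3600`, and HOURS_UNTIL silently ends up as a large negative number, i.e. the OCSP response looks long expired and the check goes CRITICAL for the wrong reason. Capture the date output first and call `unknown` when it is empty or the exit status is non-zero, as the Perl branch already does. Minor: `LANG=en_US` is a plain assignment, so it only reaches the child `date` process if LANG was already exported by the caller (NRPE environments are often minimal); prefixing the date invocations with `LC_ALL=C` is both portable and independent of which locales are installed.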
@@ -224,45 +282,45 @@ create_temporary_file() {
prepend_critical_message() {
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
- echo "[DBG] prepend_critical_message: new message = $1"
- echo "[DBG] prepend_critical_message: HOST = ${HOST}"
- echo "[DBG] prepend_critical_message: CN = ${CN}"
- echo "[DBG] prepend_critical_message: SNI = ${SNI}"
- echo "[DBG] prepend_critical_message: FILE = ${FILE}"
- echo "[DBG] prepend_critical_message: SHORTNAME = ${SHORTNAME}"
- echo "[DBG] prepend_critical_message: MSG = ${MSG}"
- echo "[DBG] prepend_critical_message: CRITICAL_MSG = ${CRITICAL_MSG}"
- echo "[DBG] prepend_critical_message: ALL_MSG 1 = ${ALL_MSG}"
+ echo "[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+ echo "[DBG] prepend_critical_message: new message = $1"
+ echo "[DBG] prepend_critical_message: HOST = ${HOST}"
+ echo "[DBG] prepend_critical_message: CN = ${CN}"
+ echo "[DBG] prepend_critical_message: SNI = ${SNI}"
+ echo "[DBG] prepend_critical_message: FILE = ${FILE}"
+ echo "[DBG] prepend_critical_message: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] prepend_critical_message: MSG = ${MSG}"
+ echo "[DBG] prepend_critical_message: CRITICAL_MSG = ${CRITICAL_MSG}"
+ echo "[DBG] prepend_critical_message: ALL_MSG 1 = ${ALL_MSG}"
fi
-
+
if [ -n "${CN}" ] ; then
- tmp=" ${CN}"
+ tmp=" ${CN}"
else
- if [ -n "${HOST}" ] ; then
+ if [ -n "${HOST}" ] ; then
if [ -n "${SNI}" ] ; then
- tmp=" ${SNI}"
+ tmp=" ${SNI}"
elif [ -n "${FILE}" ] ; then
- tmp=" ${FILE}"
+ tmp=" ${FILE}"
else
- tmp=" ${HOST}"
+ tmp=" ${HOST}"
fi
- fi
+ fi
fi
-
+
MSG="${SHORTNAME} CRITICAL${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
-
+
if [ "${CRITICAL_MSG}" = "" ]; then
- CRITICAL_MSG="${MSG}"
+ CRITICAL_MSG="${MSG}"
fi
-
+
ALL_MSG="\n ${MSG}${ALL_MSG}"
-
+
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] prepend_critical_message: MSG 2 = ${MSG}"
- echo "[DBG] prepend_critical_message: CRITICAL_MSG 2 = ${CRITICAL_MSG}"
- echo "[DBG] prepend_critical_message: ALL_MSG 2 = ${ALL_MSG}"
- echo "[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+ echo "[DBG] prepend_critical_message: MSG 2 = ${MSG}"
+ echo "[DBG] prepend_critical_message: CRITICAL_MSG 2 = ${CRITICAL_MSG}"
+ echo "[DBG] prepend_critical_message: ALL_MSG 2 = ${ALL_MSG}"
+ echo "[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
fi
}
@@ -276,20 +334,20 @@ critical() {
remove_temporary_files
if [ -n "${DEBUG}" ] ; then
- echo '[DBG] exiting with CRITICAL'
- echo "[DBG] ALL_MSG = ${ALL_MSG}"
+ echo '[DBG] exiting with CRITICAL'
+ echo "[DBG] ALL_MSG = ${ALL_MSG}"
fi
NUMBER_OF_ERRORS=$( printf '%b' "${ALL_MSG}" | wc -l )
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] number of errors = ${NUMBER_OF_ERRORS}"
+ echo "[DBG] number of errors = ${NUMBER_OF_ERRORS}"
fi
-
+
if [ "${NUMBER_OF_ERRORS}" -ge 2 ] ; then
- printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
+ printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
else
- printf '%s\n' "$1"
+ printf '%s\n' "$1"
fi
exit 2
@@ -301,34 +359,34 @@ critical() {
# $1 warning message
append_warning_message() {
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] append_warning_message: HOST = ${HOST}"
- echo "[DBG] append_warning_message: CN = ${CN}"
- echo "[DBG] append_warning_message: SNI = ${SNI}"
- echo "[DBG] append_warning_message: FILE = ${FILE}"
- echo "[DBG] append_warning_message: SHORTNAME = ${SHORTNAME}"
- echo "[DBG] append_warning_message: $1 = $1"
- fi
-
- if [ -n "${CN}" ] ; then
- tmp=" ${CN}"
- else
- if [ -n "${HOST}" ] ; then
- if [ -n "${SNI}" ] ; then
- tmp=" ${SNI}"
- elif [ -n "${FILE}" ] ; then
- tmp=" ${FILE}"
- else
- tmp=" ${HOST}"
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] append_warning_message: HOST = ${HOST}"
+ echo "[DBG] append_warning_message: CN = ${CN}"
+ echo "[DBG] append_warning_message: SNI = ${SNI}"
+ echo "[DBG] append_warning_message: FILE = ${FILE}"
+ echo "[DBG] append_warning_message: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] append_warning_message: $1 = $1"
+ fi
+
+ if [ -n "${CN}" ] ; then
+ tmp=" ${CN}"
+ else
+ if [ -n "${HOST}" ] ; then
+ if [ -n "${SNI}" ] ; then
+ tmp=" ${SNI}"
+ elif [ -n "${FILE}" ] ; then
+ tmp=" ${FILE}"
+ else
+ tmp=" ${HOST}"
+ fi
fi
fi
- fi
- MSG="${SHORTNAME} WARN${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
- if [ "${WARNING_MSG}" = "" ]; then
- WARNING_MSG="${MSG}"
- fi
- ALL_MSG="${ALL_MSG}\n ${MSG}"
+ MSG="${SHORTNAME} WARN${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
+ if [ "${WARNING_MSG}" = "" ]; then
+ WARNING_MSG="${MSG}"
+ fi
+ ALL_MSG="${ALL_MSG}\n ${MSG}"
}
@@ -337,15 +395,15 @@ append_warning_message() {
# Param
# $1 warning message
warning() {
-
+
remove_temporary_files
NUMBER_OF_ERRORS=$( printf '%b' "${ALL_MSG}" | wc -l )
-
+
if [ "${NUMBER_OF_ERRORS}" -ge 2 ] ; then
- printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
+ printf '%s\nError(s):%b\n' "$1" "${ALL_MSG}"
else
- printf '%s\n' "$1"
+ printf '%s\n' "$1"
fi
exit 1
@@ -357,13 +415,13 @@ warning() {
# $1 message
unknown() {
if [ -n "${HOST}" ] ; then
- if [ -n "${SNI}" ] ; then
- tmp=" ${SNI}"
- elif [ -n "${FILE}" ] ; then
+ if [ -n "${SNI}" ] ; then
+ tmp=" ${SNI}"
+ elif [ -n "${FILE}" ] ; then
tmp=" ${FILE}"
- else
+ else
tmp=" ${HOST}"
- fi
+ fi
fi
remove_temporary_files
printf '%s UNKNOWN%s: %s\n' "${SHORTNAME}" "${tmp}" "$1"
@@ -408,7 +466,7 @@ exec_with_timeout() {
expect -c "set echo \"-noecho\"; set timeout ${time}; spawn -noecho ${command}; expect timeout { exit 1 } eof { exit 0 }"
- RET=$?
+ RET=$?
if [ -n "${DEBUG}" ] ; then
echo "[DBG] expect returned ${RET}"
@@ -416,7 +474,7 @@ exec_with_timeout() {
if [ "${RET}" -eq 1 ] ; then
prepend_critical_message "Timeout after ${time} seconds"
- critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
+ critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
fi
else
@@ -438,10 +496,12 @@ check_required_prog() {
if [ -z "${PROG}" ] ; then
prepend_critical_message "cannot find program: $1"
+ unkown "${SHORTNAME} CRITICAL: cannot find program: $1"
fi
if [ ! -x "${PROG}" ] ; then
prepend_critical_message "${PROG} is not executable"
+ unkown "${SHORTNAME} CRITICAL: ${PROG} is not executable"
fi
}
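Review bot: the two new calls invoke `unkown`, not `unknown`, so the intended hard stop from the 2019-09-26 ChangeLog entry ("stops if needed programs are not found") never happens: the shell reports "unkown: command not found" and check_required_prog returns normally, leaving PROG empty for the caller. After fixing the name, note that unknown() already prints "${SHORTNAME} UNKNOWN${tmp}: ..." and exits 3, so passing "${SHORTNAME} CRITICAL: cannot find program: $1" as the message produces a contradictory "SSL_CERT UNKNOWN: SSL_CERT CRITICAL: cannot find program: curl" line. Suggest `unknown "cannot find program: $1"` and `unknown "${PROG} is not executable"`, and dropping the preceding prepend_critical_message calls, which have no effect once unknown exits.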
@@ -504,7 +564,7 @@ convert_ssl_lab_grade() {
shift
;;
*)
- unknown "Connot convert SSL Lab grade ${GRADE}"
+ unknown "Cannot convert SSL Lab grade ${GRADE}"
;;
esac
@@ -519,66 +579,66 @@ fetch_certificate() {
# IPv6 addresses need brackets in a URI
if [ "${HOST}" != "${HOST#*[0-9].[0-9]}" ]; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${HOST} is an IPv4 address"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] ${HOST} is an IPv4 address"
+ fi
elif [ "${HOST}" != "${HOST#*:[0-9a-fA-F]}" ]; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${HOST} is an IPv6 address"
- fi
- if [ -z "${HOST##*[*}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${HOST} is already specified with brakcets"
- fi
- else
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] adding brackets to ${HOST}"
- fi
- HOST="[${HOST}]"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] ${HOST} is an IPv6 address"
+ fi
+ if [ -z "${HOST##*[*}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] ${HOST} is already specified with brakcets"
+ fi
+ else
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] adding brackets to ${HOST}"
+ fi
+ HOST="[${HOST}]"
+ fi
else
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] ${HOST} is not an IP address"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] ${HOST} is not an IP address"
+ fi
fi
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
- STATUS='-status'
+ STATUS='-status'
fi
-
+
+ if [ -n "${DEBUG}" ] ; then
+ IGN_EOF='-ign_eof'
+ fi
+
# Check if a protocol was specified (if not HTTP switch to TLS)
if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != "http" ] && [ "${PROTOCOL}" != "https" ] ; then
case "${PROTOCOL}" in
smtp|pop3|ftp)
- exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
- RET=$?
- ;;
- smtps|ftps)
- exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- pop3s)
- exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ smtps|pop3s|ftps)
+ exec_with_timeout "${TIMEOUT}" "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- ldap)
+ irc|ldap)
exec_with_timeout "${TIMEOUT}" "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- irc|ldaps)
+ ircs|ldaps)
exec_with_timeout "${TIMEOUT}" "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
imap)
- exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
imaps)
- exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- xmpp)
+ xmpp)
exec_with_timeout "${TIMEOUT}" "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
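Review bot: making `-ign_eof` conditional on --debug (the new IGN_EOF variable) means the plugin talks to the server differently when someone is debugging it than in production: without the flag s_client closes the connection as soon as the piped QUIT / A01 LOGOUT reaches EOF, with the flag it keeps reading server output until the peer closes. If dropping -ign_eof from normal runs is deliberate (for example to avoid hangs on servers that never close), say so in a comment and in ChangeLog; if it is not, the old unconditional `-ign_eof` should stay and only the extra verbosity be tied to DEBUG. Otherwise bugs that only show up with or without the flag will not be reproducible under --debug. Two smaller points in the same hunk: "brakcets" in the IPv6 debug message should read "brackets", and `-starttls irc` is only available from OpenSSL 1.1.0 on, so on older builds the new "irc" branch fails in the same way the ldap branch does, which the usage check further down only recognises for ldap.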
@@ -598,7 +658,7 @@ fetch_certificate() {
else
- exec_with_timeout "${TIMEOUT}" "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect ${HOST}:${PORT} ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "${TIMEOUT}" "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST}:${PORT} ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} 2> ${ERROR} 1> ${CERT}"
RET=$?
fi
@@ -614,18 +674,18 @@ fetch_certificate() {
if [ "${RET}" -ne 0 ] ; then
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
sed 's/^/[DBG] SSL error: /' "${ERROR}"
- fi
+ fi
- # s_client could verify the server certificate because the server requires a client certificate
- if ascii_grep '^Acceptable client certificate CA names' "${CERT}" ; then
+ # s_client could verify the server certificate because the server requires a client certificate
+ if ascii_grep '^Acceptable client certificate CA names' "${CERT}" ; then
if [ -n "${VERBOSE}" ] ; then
- echo "The server requires a client certificate"
+ echo "The server requires a client certificate"
fi
- else
+ else
# Try to clean up the error message
# Remove the 'verify and depth' lines
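Review bot: the re-indented comment still reads "s_client could verify the server certificate because the server requires a client certificate", which says the opposite of what the branch handles; it should be "could not verify". Since the line is being touched anyway for whitespace, this is the moment to fix it.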
@@ -641,9 +701,9 @@ fetch_certificate() {
else
- if ascii_grep usage "${ERROR}" && [ "${PROTOCOL}" = "ldap" ] ; then
- unknown "it seems that OpenSSL -starttls does not support yet LDAP"
- fi
+ if ascii_grep usage "${ERROR}" && [ "${PROTOCOL}" = "ldap" ] ; then
+ unknown "it seems that OpenSSL -starttls does not support yet LDAP"
+ fi
fi
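Review bot: this fallback only recognises ldap, but the same commit routes irc through `-starttls` as well, and `-starttls irc` was added to s_client in the same OpenSSL release as ldap (1.1.0). On older OpenSSL the irc case now produces the same "usage" error and falls through to the generic error path instead of the explicit UNKNOWN. Extend the condition, e.g. `if ascii_grep usage "${ERROR}" && { [ "${PROTOCOL}" = "ldap" ] || [ "${PROTOCOL}" = "irc" ] ; } ; then`, and make the message name the protocol rather than hard-coding LDAP.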
@@ -783,6 +843,10 @@ main() {
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_2"
shift
;;
+ --no_tls1_3)
+ SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
+ shift
+ ;;
-N|--host-cn)
COMMON_NAME="__HOST__"
shift
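Review bot: `-no_tls1_3` is only understood by OpenSSL 1.1.1 and later; on 1.1.0 and 1.0.2 s_client rejects it as an unknown option and exits non-zero, which the plugin will then report as an SSL error rather than as an unsupported option. Since the other --no_tls1_* options map to flags every supported OpenSSL knows, this one needs either a guard (`${OPENSSL} s_client -help 2>&1 | grep -q -- '-no_tls1_3'` before appending it, falling back to a no-op because such builds cannot negotiate TLS 1.3 anyway) or at least a note in the usage text that it requires OpenSSL 1.1.1.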
@@ -793,6 +857,8 @@ main() {
;;
--rsa)
SSL_AU="-cipher aRSA"
+ # https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ says “RSA encryption was removed from TLS 1.3”.
+ SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
shift
;;
--ecdsa)
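Review bot: the justification in the new comment is imprecise and the unconditional `-no_tls1_3` has a compatibility cost. What TLS 1.3 removed is RSA key exchange; RSA-authenticated certificates are still fully usable in TLS 1.3. The actual reason --rsa needs to disable TLS 1.3 is that `-cipher aRSA` only constrains the TLS 1.2 and earlier cipher list, while TLS 1.3 ciphersuites are selected by `-ciphersuites` and carry no authentication-type restriction, so with TLS 1.3 negotiated the aRSA selection is simply not enforced. Saying that in the comment will stop the next reader from "correcting" it. Separately, appending `-no_tls1_3` here means --rsa now fails outright on OpenSSL older than 1.1.1 (unknown option), where it used to work and where TLS 1.3 could not be negotiated in the first place; gate the flag on s_client actually supporting it.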
@@ -843,24 +909,24 @@ main() {
echo "check_ssl_cert version ${VERSION}"
exit 3
;;
- -4)
- INETPROTO="-4"
- shift
- ;;
- -6)
- INETPROTO="-6"
- shift
- ;;
+ -4)
+ INETPROTO="-4"
+ shift
+ ;;
+ -6)
+ INETPROTO="-6"
+ shift
+ ;;
########################################
# Options with arguments
-c|--critical)
if [ $# -gt 1 ]; then
- CRITICAL="$2"
+ CRITICAL="$2"
shift 2
else
- unknown "-c,--critical requires an argument"
+ unknown "-c,--critical requires an argument"
fi
;;
--curl-bin)
@@ -987,15 +1053,31 @@ main() {
-n|--cn)
if [ $# -gt 1 ]; then
if [ -n "${COMMON_NAME}" ]; then
- COMMON_NAME="${COMMON_NAME} ${2}"
+ COMMON_NAME="${COMMON_NAME} ${2}"
else
- COMMON_NAME="${2}"
+ COMMON_NAME="${2}"
fi
shift 2
else
unknown "-n,--cn requires an argument"
fi
;;
+ --ocsp-critical)
+ if [ $# -gt 1 ]; then
+ OCSP_CRITICAL="$2"
+ shift 2
+ else
+ unknown "--ocsp-critical requires an argument"
+ fi
+ ;;
+ --ocsp-warning)
+ if [ $# -gt 1 ]; then
+ OCSP_WARNING="$2"
+ shift 2
+ else
+ unknown "--ocsp-warning requires an argument"
+ fi
+ ;;
-o|--org)
if [ $# -gt 1 ]; then
ORGANIZATION="$2"
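Review bot: --ocsp-critical and --ocsp-warning accept any string, whereas -c/--critical is later validated with `grep -q '^[0-9][0-9]*$'` and rejected with "invalid number of days". A value like "2h" or "-1" will reach the hours comparison and either produce a shell arithmetic error or silently compare wrong. Apply the same digit-only check to both new values in the validation block, and since both express a minimum remaining validity, reject the inconsistent case where the warning threshold is lower than the critical one, mirroring whatever ordering check -c/-w already get.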
@@ -1015,7 +1097,7 @@ main() {
-p|--port)
if [ $# -gt 1 ]; then
PORT="$2"
- XMPPPORT="$2"
+ XMPPPORT="$2"
shift 2
else
unknown "-p,--port requires an argument"
@@ -1078,9 +1160,9 @@ main() {
fi
;;
--require-ocsp-stapling)
- REQUIRE_OCSP_STAPLING=1
- shift
- ;;
+ REQUIRE_OCSP_STAPLING=1
+ shift
+ ;;
--require-san)
REQUIRE_SAN=1
shift
@@ -1134,8 +1216,8 @@ main() {
unknown "-w,--warning requires an argument"
fi
;;
- --xmpphost)
- if [ $# -gt 1 ]; then
+ --xmpphost)
+ if [ $# -gt 1 ]; then
XMPPHOST="$2"
shift 2
else
@@ -1166,7 +1248,7 @@ main() {
# COMMON_NAME may be a space separated list of hostnames.
case ${COMMON_NAME} in
*__HOST__*) COMMON_NAME=$(echo "${COMMON_NAME}" | sed "s/__HOST__/${HOST}/") ;;
- *) ;;
+ *) ;;
esac
################################################################################
@@ -1242,9 +1324,9 @@ main() {
if [ -n "${CRITICAL}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] -c specified: ${CRITICAL}"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] -c specified: ${CRITICAL}"
+ fi
if ! echo "${CRITICAL}" | grep -q '^[0-9][0-9]*$' ; then
unknown "invalid number of days ${CRITICAL}"
@@ -1283,11 +1365,11 @@ main() {
if [ -n "${OPENSSL}" ] ; then
if [ ! -x "${OPENSSL}" ] ; then
- unknown "${OPENSSL} ist not an executable"
+ unknown "${OPENSSL} is not an executable"
fi
#if ! "${OPENSSL}" list-standard-commands | grep -q s_client ; then
- # unknown "${OPENSSL} ist not an openssl executable"
+ # unknown "${OPENSSL} is not an openssl executable"
#fi
fi
@@ -1326,23 +1408,23 @@ main() {
# curl
if [ -z "${CURL_BIN}" ] ; then
- if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
- echo "[DBG] cURL binary not specified"
- fi
+ if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
+ echo "[DBG] cURL binary not specified"
+ fi
check_required_prog curl
CURL_BIN=${PROG}
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] cURL available: ${CURL_BIN}"
- fi
- else
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] cURL binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
- fi
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] cURL available: ${CURL_BIN}"
+ fi
+ else
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] cURL binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
+ fi
+ fi
fi
# Expect (optional)
@@ -1436,17 +1518,17 @@ main() {
echo "[DBG] OpenSSL binary: ${OPENSSL}"
echo "[DBG] OpenSSL version: $( ${OPENSSL} version )"
- OPENSSL_DIR="$( ${OPENSSL} version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/' )"
+ OPENSSL_DIR="$( ${OPENSSL} version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/' )"
- echo "[DBG] OpenSSL configuration directory: ${OPENSSL_DIR}"
+ echo "[DBG] OpenSSL configuration directory: ${OPENSSL_DIR}"
- DEFAULT_CA=0
- if [ -f "${OPENSSL_DIR}"/cert.pem ] ; then
- DEFAULT_CA="$( grep -c BEGIN "${OPENSSL_DIR}"/cert.pem )"
- elif [ -f "${OPENSSL_DIR}"/certs ] ; then
- DEFAULT_CA="$( grep -c BEGIN "${OPENSSL_DIR}"/certs )"
- fi
- echo "[DBG] ${DEFAULT_CA} root certificates installed by default"
+ DEFAULT_CA=0
+ if [ -f "${OPENSSL_DIR}"/cert.pem ] ; then
+ DEFAULT_CA="$( grep -c BEGIN "${OPENSSL_DIR}"/cert.pem )"
+ elif [ -f "${OPENSSL_DIR}"/certs ] ; then
+ DEFAULT_CA="$( grep -c BEGIN "${OPENSSL_DIR}"/certs )"
+ fi
+ echo "[DBG] ${DEFAULT_CA} root certificates installed by default"
echo "[DBG] System info: $( uname -a )"
echo "[DBG] Date computation: ${DATETYPE}"
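Review bot: `elif [ -f "${OPENSSL_DIR}"/certs ]` (reindented here) tests the `certs` path with `-f`, but on systems that ship a `certs/` directory instead of `cert.pem` that test is false and the debug count stays 0; `grep -c BEGIN` on a directory would not work either. If the count matters, test with `-d` and count over the files in the directory.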
@@ -1494,11 +1576,11 @@ main() {
else
- if [ -n "${XMPPHOST}" ] ; then
- unknown " s_client' does not support '-xmpphost'"
- fi
+ if [ -n "${XMPPHOST}" ] ; then
+ unknown " s_client' does not support '-xmpphost'"
+ fi
- XMPPHOST=
+ XMPPHOST=
if [ -n "${VERBOSE}" ] ; then
echo "'${OPENSSL} s_client' does not support '-xmpphost': disabling 'to' attribute"
@@ -1509,39 +1591,39 @@ main() {
################################################################################
# check if openssl s_client supports the SSL TLS version
if [ -n "${SSL_VERSION}" ] ; then
- if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${SSL_VERSION}" ; then
- unknown "OpenSSL does not support the ${SSL_VERSION} version"
- fi
+ if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${SSL_VERSION}" ; then
+ unknown "OpenSSL does not support the ${SSL_VERSION} version"
+ fi
fi
################################################################################
# --inetproto validation
if [ -n "${INETPROTO}" ] ; then
- # validate the arguments
- if [ "${INETPROTO}" != "-4" ] && [ "${INETPROTO}" != "-6" ] ; then
- VERSION=$(echo "${INETPROTO}" | awk '{ string=substr($0, 2); print string; }' )
- unknown "Invalid argument '${VERSION}': the value must be 4 or 6"
- fi
+ # validate the arguments
+ if [ "${INETPROTO}" != "-4" ] && [ "${INETPROTO}" != "-6" ] ; then
+ VERSION=$(echo "${INETPROTO}" | awk '{ string=substr($0, 2); print string; }' )
+ unknown "Invalid argument '${VERSION}': the value must be 4 or 6"
+ fi
- # Check if openssl s_client supports the -4 or -6 option
- if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${INETPROTO}" ; then
+ # Check if openssl s_client supports the -4 or -6 option
+ if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "${INETPROTO}" ; then
unknown "OpenSSL does not support the ${INETPROTO} option"
- fi
+ fi
- # Check if cURL is needed and if it supports the -4 and -6 options
- if [ -z "${CURL_BIN}" ] ; then
- if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
- if ! "${CURL_BIN}" --manual | grep -q -- -6 && [ -n "${INETPROTO}" ] ; then
- unknown "cURL does not support the ${INETPROTO} option"
- fi
- fi
- fi
+ # Check if cURL is needed and if it supports the -4 and -6 options
+ if [ -z "${CURL_BIN}" ] ; then
+ if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
+ if ! "${CURL_BIN}" --manual | grep -q -- -6 && [ -n "${INETPROTO}" ] ; then
+ unknown "cURL does not support the ${INETPROTO} option"
+ fi
+ fi
+ fi
- # check if IPv6 is available locally
- if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && ! ifconfig -a | grep -q inet6 ; then
- unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
- fi
+ # check if IPv6 is available locally
+ if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && ! ifconfig -a | grep -q inet6 ; then
+ unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
+ fi
fi
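Review bot: the cURL capability check runs `"${CURL_BIN}" --manual` inside `if [ -z "${CURL_BIN}" ]`, i.e. only when `CURL_BIN` is empty, so it either never runs or executes an empty command; the condition should be `-n`. The inner `&& [ -n "${INETPROTO}" ]` is also redundant inside the outer `if [ -n "${INETPROTO}" ]`. This hunk only reindents the block, but it is a good moment to fix it; note too that the IPv6 availability check relies on `ifconfig -a`, which is not installed by default on current Debian systems, so the check fails with "no local interface has IPv6 configured" even when IPv6 is present.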
@@ -1564,13 +1646,13 @@ main() {
if [ -n "${OCSP}" ] ; then
- create_temporary_file; ISSUER_CERT_TMP=${TEMPFILE}
- create_temporary_file; ISSUER_CERT_TMP2=${TEMPFILE}
+ create_temporary_file; ISSUER_CERT_TMP=${TEMPFILE}
+ create_temporary_file; ISSUER_CERT_TMP2=${TEMPFILE}
fi
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
- create_temporary_file; OCSP_RESPONSE_TMP=${TEMPFILE}
+ create_temporary_file; OCSP_RESPONSE_TMP=${TEMPFILE}
fi
if [ -n "${VERBOSE}" ] ; then
@@ -1631,24 +1713,24 @@ main() {
if [ -n "${FILE}" ] ; then
- if [ -r "${FILE}" ] ; then
+ if [ -r "${FILE}" ] ; then
if "${OPENSSL}" crl -in "${CERT}" -inform DER | grep -q "BEGIN X509 CRL" ; then
- if [ -n "${VERBOSE}" ] ; then
+ if [ -n "${VERBOSE}" ] ; then
echo "File is DER encoded CRL"
- fi
- OPENSSL_COMMAND="crl"
- OPENSSL_PARAMS="-inform DER -nameopt utf8,oneline,-esc_msb"
- OPENSSL_ENDDATE_OPTION="-nextupdate"
+ fi
+ OPENSSL_COMMAND="crl"
+ OPENSSL_PARAMS="-inform DER -nameopt utf8,oneline,-esc_msb"
+ OPENSSL_ENDDATE_OPTION="-nextupdate"
else
- prepend_critical_message "'${FILE}' is not a valid certificate file"
+ prepend_critical_message "'${FILE}' is not a valid certificate file"
fi
- else
+ else
- prepend_critical_message "'${FILE}' is not readable"
+ prepend_critical_message "'${FILE}' is not readable"
- fi
+ fi
else
# See
@@ -1669,7 +1751,7 @@ main() {
critical "${CRITICAL_MSG}"
fi
else
- # parameters for regular x509 certifcates
+ # parameters for regular x509 certificates
OPENSSL_COMMAND="x509"
OPENSSL_PARAMS="-nameopt utf8,oneline,-esc_msb"
OPENSSL_ENDDATE_OPTION="-enddate"
@@ -1737,10 +1819,10 @@ main() {
ISSUERS=$(echo "${ISSUERS}" | sed 's/\\n/\n/g' | sed -e "s/^.*\\/CN=//" -e "s/^.* CN = //" -e "s/^.*, O = //" -e "s/\\/[A-Za-z][A-Za-z]*=.*\$//" -e "s/, [A-Za-z][A-Za-z]* =.*\$//")
if [ -n "${DEBUG}" ] ; then
- echo '[DBG] ISSUERS = '
- echo "${ISSUERS}" | sed 's/^/[DBG]\ \ \ \ \ \ \ \ \ \ \ /'
+ echo '[DBG] ISSUERS = '
+ echo "${ISSUERS}" | sed 's/^/[DBG]\ \ \ \ \ \ \ \ \ \ \ /'
fi
-
+
# we just consider the first URI
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
@@ -1768,23 +1850,36 @@ main() {
# Check OCSP stapling
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
- if [ -n "${VERBOSE}" ] ; then
+ if [ -n "${VERBOSE}" ] ; then
echo "checking OCSP stapling"
- fi
+ fi
- grep -A 17 'OCSP response:' "${CERT}" > "${OCSP_RESPONSE_TMP}"
+ grep -A 17 'OCSP response:' "${CERT}" > "${OCSP_RESPONSE_TMP}"
- if [ -n "${DEBUG}" ] ; then
- sed 's/^/[DBG]\ /' "${OCSP_RESPONSE_TMP}"
- fi
-
- if ! ascii_grep 'Next Update' "${OCSP_RESPONSE_TMP}" ; then
- prepend_critical_message "OCSP stapling not enabled"
- else
- if [ -n "${VERBOSE}" ] ; then
- echo " OCSP stapling enabled"
- fi
- fi
+ if [ -n "${DEBUG}" ] ; then
+ sed 's/^/[DBG]\ /' "${OCSP_RESPONSE_TMP}"
+ fi
+
+ if ! ascii_grep 'Next Update' "${OCSP_RESPONSE_TMP}" ; then
+ prepend_critical_message "OCSP stapling not enabled"
+ else
+ if [ -n "${VERBOSE}" ] ; then
+ echo " OCSP stapling enabled"
+ fi
+ NEXT_UPDATE=$(grep -o 'Next Update: .*$' "${OCSP_RESPONSE_TMP}" | cut -b14-)
+
+ hours_until "${NEXT_UPDATE}"
+
+ OCSP_EXPIRES_IN_HOURS="${HOURS_UNTIL}"
+ if [ -n "${VERBOSE}" ] ; then
+ echo " OCSP stapling expires in ${OCSP_EXPIRES_IN_HOURS} hours"
+ fi
+ if [ -n "${OCSP_CRITICAL}" ] && [ "${OCSP_CRITICAL}" -ge "${OCSP_EXPIRES_IN_HOURS}" ] ; then
+ prepend_critical_message "${OPENSSL_COMMAND} OCSP stapling will expire in ${OCSP_EXPIRES_IN_HOURS} hour(s) on ${NEXT_UPDATE}"
+ elif [ -n "${OCSP_WARNING}" ] && [ "${OCSP_WARNING}" -ge "${OCSP_EXPIRES_IN_HOURS}" ] ; then
+ append_warning_message "${OPENSSL_COMMAND} OCSP stapling will expire in ${OCSP_EXPIRES_IN_HOURS} hour(s) on ${NEXT_UPDATE}"
+ fi
+ fi
fi
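Review bot: the threshold comparison `[ "${OCSP_CRITICAL}" -ge "${OCSP_EXPIRES_IN_HOURS}" ]` assumes `hours_until` always sets `HOURS_UNTIL`; if it fails and leaves the variable empty, `[` reports an error rather than the plugin returning `unknown`. Suggest `[ -n "${HOURS_UNTIL}" ] || unknown "cannot compute OCSP stapling validity"` right after the `hours_until "${NEXT_UPDATE}"` call. Also note that the block treats the presence of a `Next Update` line as "stapling enabled" without looking at the stapled response's status, and `grep -A 17 'OCSP response:'` depends on a fixed number of lines of `s_client` output.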
@@ -1870,46 +1965,12 @@ main() {
# Compute for how many days the certificate will be valid
if [ -n "${DATETYPE}" ]; then
- # shellcheck disable=SC2086
+ # shellcheck disable=SC2086
CERT_END_DATE=$("${OPENSSL}" "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -noout "${OPENSSL_ENDDATE_OPTION}" | sed -e "s/.*=//")
- OLDLANG="${LANG}"
- LANG=en_US
-
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] Date computations: ${DATETYPE}"
- fi
-
- case "${DATETYPE}" in
- "BSD")
- DAYS_VALID=$(( ( $(${DATEBIN} -jf "%b %d %T %Y %Z" "${CERT_END_DATE}" +%s) - $(${DATEBIN} +%s) ) / 86400 ))
- ;;
-
- "GNU")
- DAYS_VALID=$(( ( $(${DATEBIN} -d "${CERT_END_DATE}" +%s) - $(${DATEBIN} +%s) ) / 86400 ))
- ;;
-
- "PERL")
- # Warning: some shell script formatting tools will indent the EOF! (should be at position 0)
- if ! DAYS_VALID=$(perl - "${CERT_END_DATE}" <<-"EOF"
- use strict;
- use warnings;
- use Date::Parse;
- my $cert_date = str2time( $ARGV[0] );
- my $days = int (( $cert_date - time ) / 86400 + 0.5);
- print "$days\n";
-EOF
- ) ; then
- # somethig went wrong with the embedded Perl code: check the indentation of EOF
- unknown "Error computing the certificate validity with Perl"
- fi
- ;;
- *)
- unknown "Internal error: unknown date type"
- esac
-
- LANG="${OLDLANG}"
-
+ hours_until "${CERT_END_DATE}"
+ DAYS_VALID=$(( HOURS_UNTIL / 24 ))
+
if [ -n "${VERBOSE}" ] ; then
if [ "${DAYS_VALID}" -ge 0 ] ; then
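Review bot: `DAYS_VALID=$(( HOURS_UNTIL / 24 ))` truncates toward zero, whereas the removed Perl branch rounded (`+ 0.5`); a certificate expiring in 23 hours now reports 0 days, which changes behaviour for `-c 1`. The removed code also called `unknown` when the date computation failed and saved/restored `LANG` around the parsing; this hunk uses `HOURS_UNTIL` unconditionally, so make sure `hours_until` provides both the failure handling and the locale handling, or check `HOURS_UNTIL` for emptiness here.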
@@ -2006,7 +2067,7 @@ EOF
ok=""
if [ -n "${DEBUG}" ] ; then
- echo '[DBG] ==============================='
+ echo '[DBG] ==============================='
echo "[DBG] checking altnames against ${cn}"
fi
@@ -2078,11 +2139,11 @@ EOF
if [ -n "${fail}" ] ; then
prepend_critical_message "invalid CN ('$(echo "${CN}" | sed "s/|/ PIPE /g")' does not match '${fail}')"
- else
+ else
if [ -z "${ok}" ] ; then
- prepend_critical_message "invalid CN ('$(echo "${CN}" | sed "s/|/ PIPE /g")' does not match '${COMMON_NAME}')"
+ prepend_critical_message "invalid CN ('$(echo "${CN}" | sed "s/|/ PIPE /g")' does not match '${COMMON_NAME}')"
fi
- fi
+ fi
if [ -n "${DEBUG}" ] ; then
echo "[DBG] CN check finished"
@@ -2101,9 +2162,9 @@ EOF
ok=""
CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | grep -E "^${ISSUER}\$" | head -n1)
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] issuer matched = ${CA_ISSUER_MATCHED}"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] issuer matched = ${CA_ISSUER_MATCHED}"
+ fi
if [ -n "${CA_ISSUER_MATCHED}" ]; then
ok="true"
@@ -2168,7 +2229,7 @@ EOF
if [ -n "${CRITICAL}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] critical = ${CRITICAL}"
+ echo "[DBG] critical = ${CRITICAL}"
echo "[DBG] executing: ${OPENSSL} x509 -in ${CERT} -noout -checkend $(( CRITICAL * 86400 ))"
fi
@@ -2228,8 +2289,8 @@ EOF
echo "[DBG] executing ${CURL_BIN} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}\""
fi
- if [ -n "${SNI}" ] ; then
- JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${SNI}${IGNORE_SSL_LABS_CACHE}")"
+ if [ -n "${SNI}" ] ; then
+ JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${SNI}${IGNORE_SSL_LABS_CACHE}")"
CURL_RETURN_CODE=$?
else
JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}")"
@@ -2456,7 +2517,7 @@ EOF
echo "[DBG] OCSP: host = ${OCSP_HOST}"
fi
- if [ -n "${OCSP_HOST}" ] ; then
+ if [ -n "${OCSP_HOST}" ] ; then
# check if -header is supported
OCSP_HEADER=""
@@ -2465,126 +2526,126 @@ EOF
# so we check if the major version is greater than 0
if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
echo "[DBG] openssl ocsp supports the -header option"
- fi
+ fi
- # the -header option was first accepting key and value separated by space. The newer versions are using key=value
- KEYVALUE=""
- if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
+ # the -header option was first accepting key and value separated by space. The newer versions are using key=value
+ KEYVALUE=""
+ if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] openssl ocsp -header requires 'key=value'"
+ echo "[DBG] openssl ocsp -header requires 'key=value'"
fi
KEYVALUE=1
- else
+ else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] openssl ocsp -header requires 'key value'"
+ echo "[DBG] openssl ocsp -header requires 'key value'"
fi
- fi
+ fi
- # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
- # shellcheck disable=SC2154
- if [ -n "${http_proxy}" ] ; then
+ # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
+ # shellcheck disable=SC2154
+ if [ -n "${http_proxy}" ] ; then
HTTP_PROXY="${http_proxy}"
- fi
+ fi
- if [ -n "${HTTP_PROXY:-}" ] ; then
+ if [ -n "${HTTP_PROXY:-}" ] ; then
if [ -n "${KEYVALUE}" ] ; then
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
- fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ fi
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
else
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
- fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
- else
+ else
if [ -n "${KEYVALUE}" ] ; then
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
- fi
+ fi
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
else
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
- fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ fi
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
- fi
+ fi
- if [ -n "${DEBUG}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
- fi
+ fi
- if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+ if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
- if [ -n "${DEBUG}" ] ; then
- echo '[DBG] OCSP: revoked'
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] OCSP: revoked'
+ fi
- prepend_critical_message "certificate is revoked"
+ prepend_critical_message "certificate is revoked"
- elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
+ elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
+ fi
if [ -n "${HTTP_PROXY:-}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
- if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
- else
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
- fi
+ if [ -n "${OCSP_HEADER}" ] ; then
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ fi
else
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
- fi
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
- if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
- else
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
- fi
+ if [ -n "${OCSP_HEADER}" ] ; then
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+ OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
+ fi
+
+ fi
+ if [ -n "${VERBOSE}" ] ; then
+ echo "OCSP Error: ${OCSP_RESP}"
fi
- if [ -n "${VERBOSE}" ] ; then
- echo "OCSP Error: ${OCSP_RESP}"
- fi
-
prepend_critical_message "OCSP error (-v for details)"
- fi
+ fi
else
- if [ -n "${VERBOSE}" ] ; then
+ if [ -n "${VERBOSE}" ] ; then
echo "openssl ocsp does not support the -header option: disabling OCSP checks"
- fi
+ fi
fi
- else
+ else
- if [ -n "${VERBOSE}" ] ; then
+ if [ -n "${VERBOSE}" ] ; then
echo "no OCSP host found: disabling OCSP checks"
- fi
+ fi
- fi
+ fi
fi
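Review bot: `if openssl ocsp -help 2>&1 | grep header | grep -q 'key=value'` calls the bare `openssl` from `PATH` rather than `"${OPENSSL}"` used everywhere else in this block, so with `--openssl` pointing at another binary the `-header` syntax may be detected for the wrong version. The debug echo in the proxy branch also has a stray `]` in `-cert \"${CERT}]\"`. Both lines are only reindented here, but worth fixing while the block is being touched.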
@@ -2609,22 +2670,22 @@ EOF
if [ -n "${VERBOSE}" ] ; then
echo "checking email (${ADDR}): ${EMAIL}"
fi
-
+
if [ -z "${EMAIL}" ] ; then
- if [ -n "${DEBUG}" ] ; then
- echo "[DBG] no email in certificate"
- fi
-
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] no email in certificate"
+ fi
+
prepend_critical_message "the certificate does not contain an email address"
-
- else
-
+
+ else
+
if ! echo "${EMAIL}" | grep -q -E "^${ADDR}" ; then
- prepend_critical_message "invalid email ('$(echo "${ADDR}" | sed "s/|/ PIPE /g")' does not match ${EMAIL})"
+ prepend_critical_message "invalid email ('$(echo "${ADDR}" | sed "s/|/ PIPE /g")' does not match ${EMAIL})"
fi
- fi
+ fi
fi
@@ -2640,12 +2701,12 @@ EOF
SELFSIGNEDCERT="self signed "
fi
- elif ascii_grep '^verify\ error:num=[0-9][0-9]*:certificate\ has\ expired' "${ERROR}" ; then
+ elif ascii_grep '^verify\ error:num=[0-9][0-9]*:certificate\ has\ expired' "${ERROR}" ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] Cannot verify since the certificate has expired.'
+ fi
- if [ -n "${DEBUG}" ] ; then
- echo '[DBG] Cannot verify since the certificate has expired.'
- fi
-
else
if [ -n "${DEBUG}" ] ; then
@@ -2696,6 +2757,21 @@ EOF
fi
fi
+ if [ -n "${OCSP_EXPIRES_IN_HOURS}" ] ; then
+ # nicer formatting
+ if [ "${OCSP_EXPIRES_IN_HOURS}" -gt 1 ] ; then
+ OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires in ${OCSP_EXPIRES_IN_HOURS} hours)"
+ elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq 1 ] ; then
+ OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires in one hour)"
+ elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq 0 ] ; then
+ OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expires now)"
+ elif [ "${OCSP_EXPIRES_IN_HOURS}" -eq -1 ] ; then
+ OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expired one hour ago)"
+ else
+ OCSP_EXPIRES_IN_HOURS=" (OCSP stapling expired ${OCSP_EXPIRES_IN_HOURS} hours ago)"
+ fi
+ fi
+
if [ -n "${SSL_LABS_HOST_GRADE}" ] ; then
SSL_LABS_HOST_GRADE=", SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
fi
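Review bot: the final `else` branch formats a negative `OCSP_EXPIRES_IN_HOURS` as `expired ${OCSP_EXPIRES_IN_HOURS} hours ago`, which prints e.g. "expired -5 hours ago"; negate the value for display, e.g. `$(( - OCSP_EXPIRES_IN_HOURS ))`. The variable is also overwritten with the formatted string, so the numeric value is lost for anything after this point; a separate variable for the display text would be clearer.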
@@ -2710,7 +2786,7 @@ EOF
if [ -n "${TERSE}" ]; then
FORMAT="%SHORTNAME% OK %CN% %DAYS_VALID%"
else
- FORMAT="%SHORTNAME% OK - %OPENSSL_COMMAND% %SELFSIGNEDCERT%certificate %DISPLAY_CN%%CHECKEDNAMES%from '%CA_ISSUER_MATCHED%' valid until %DATE%%DAYS_VALID%%SSL_LABS_HOST_GRADE%"
+ FORMAT="%SHORTNAME% OK - %OPENSSL_COMMAND% %SELFSIGNEDCERT%certificate %DISPLAY_CN%%CHECKEDNAMES%from '%CA_ISSUER_MATCHED%' valid until %DATE%%DAYS_VALID%%OCSP_EXPIRES_IN_HOURS%%SSL_LABS_HOST_GRADE%"
fi
fi
@@ -2721,16 +2797,17 @@ EOF
fi
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] output parameters: CA_ISSUER_MATCHED = ${CA_ISSUER_MATCHED}"
- echo "[DBG] output parameters: CHECKEDNAMES = ${CHECKEDNAMES}"
- echo "[DBG] output parameters: CN = ${CN}"
- echo "[DBG] output parameters: DATE = ${DATE}"
- echo "[DBG] output parameters: DAYS_VALID = ${DAYS_VALID}"
- echo "[DBG] output parameters: DYSPLAY_CN = ${DISPLAY_CN}"
- echo "[DBG] output parameters: OPENSSL_COMMAND = ${OPENSSL_COMMAND}"
- echo "[DBG] output parameters: SELFSIGNEDCERT = ${SELFSIGNEDCERT}"
- echo "[DBG] output parameters: SHORTNAME = ${SHORTNAME}"
- echo "[DBG] output parameters: SSL_LABS_HOST_GRADE = ${SSL_LABS_HOST_GRADE}"
+ echo "[DBG] output parameters: CA_ISSUER_MATCHED = ${CA_ISSUER_MATCHED}"
+ echo "[DBG] output parameters: CHECKEDNAMES = ${CHECKEDNAMES}"
+ echo "[DBG] output parameters: CN = ${CN}"
+ echo "[DBG] output parameters: DATE = ${DATE}"
+ echo "[DBG] output parameters: DAYS_VALID = ${DAYS_VALID}"
+ echo "[DBG] output parameters: DYSPLAY_CN = ${DISPLAY_CN}"
+ echo "[DBG] output parameters: OPENSSL_COMMAND = ${OPENSSL_COMMAND}"
+ echo "[DBG] output parameters: SELFSIGNEDCERT = ${SELFSIGNEDCERT}"
+ echo "[DBG] output parameters: SHORTNAME = ${SHORTNAME}"
+ echo "[DBG] output parameters: OCSP_EXPIRES_IN_HOURS = ${OCSP_EXPIRES_IN_HOURS}"
+ echo "[DBG] output parameters: SSL_LABS_HOST_GRADE = ${SSL_LABS_HOST_GRADE}"
fi
echo "${FORMAT}${EXTRA_OUTPUT}" | sed \
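Review bot: the debug label `DYSPLAY_CN` (for `${DISPLAY_CN}`) is misspelled; since the line is re-emitted in this hunk, fix it to `DISPLAY_CN`.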
@@ -2743,6 +2820,7 @@ EOF
-e "$( var_for_sed OPENSSL_COMMAND "${OPENSSL_COMMAND}" )" \
-e "$( var_for_sed SELFSIGNEDCERT "${SELFSIGNEDCERT}" )" \
-e "$( var_for_sed SHORTNAME "${SHORTNAME}" )" \
+ -e "$( var_for_sed OCSP_EXPIRES_IN_HOURS "${OCSP_EXPIRES_IN_HOURS}" )" \
-e "$( var_for_sed SSL_LABS_HOST_GRADE "${SSL_LABS_HOST_GRADE}" )"
remove_temporary_files
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "September, 2019" "1.96.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2019" "1.97.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -115,12 +115,21 @@ disable TLS version 1
.BR " --no_tls1_1"
disable TLS version 1.1
.TP
+.BR " --no_tls1_3"
+disable TLS version 1.3
+.TP
.BR " --no_tls1_2"
disable TLS version 1.2
.TP
.BR "-N,--host-cn"
match CN with the host name
.TP
+.BR " --ocsp-critical" " hours"
+minimum number of hours an OCSP response has to be valid to issue a critical status
+.TP
+.BR " --ocsp-warning" " hours"
+minimum number of hours an OCSP response has to be valid to issue a warning status
+.TP
.BR "-o,--org" " org"
pattern to match the organization of the certificate
.TP
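Review bot: the descriptions of `--ocsp-critical` and `--ocsp-warning` ("minimum number of hours an OCSP response has to be valid to issue a critical status") read as if the status is raised when the response is still valid; the code raises it when the stapled response expires in that many hours or fewer. Suggest "issue a critical status if the stapled OCSP response expires in `hours` hours or less". Also, `--no_tls1_3` is inserted between `--no_tls1_1` and `--no_tls1_2`; move it after `--no_tls1_2` to keep the list ordered.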
@@ -131,9 +140,9 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
-use the specific protocol: ftp, ftps, http (default), imap, imaps, irc, ldap, ldaps, pop3, pop3s, smtp, smtps, xmpp.
+use the specific protocol: ftp, ftps, http (default), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, smtp, smtps, xmpp.
.br
-These protocols switch to TLS using StartTLS: ftp, imap, ldap, pop3, smtp.
+These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.
.TP
.BR "-s,--selfsigned"
allows self-signed certificates
@@ -168,7 +177,7 @@ root certificate to be used for certificate validation (passed to openssl's -CAf
overrides option -r,--rootcert
.TP
.BR " --rsa"
-cipher selection: force RSA authentication
+cipher selection: force RSA authentication (disables TLS 1.3)
.TP
.BR " --temp" " dir"
directory where to store the temporary files
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.96.0
+%define version 1.97.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Wed Oct 9 2019 Matteo Corti <matteo at corti.li> - 1.97.0-0
+- Updated to 1.97.0
+
* Wed Sep 25 2019 Matteo Corti <matteo at corti.li> - 1.96.0-0
- Updated to 1.96.0
@@ -353,7 +356,7 @@ rm -rf $RPM_BUILD_ROOT
- ipdated to 1.10.1 (--altnames option)
* Thu Sep 1 2011 Matteo Corti <matteo.corti at id.ethz.ch> - 1.10.0-0
-- apllied patch from Sven Nierlein for client certificate authentication
+- applied patch from Sven Nierlein for client certificate authentication
* Thu Mar 10 2011 Matteo Corti <matteo.corti at id.ethz.ch> - 1.9.1-0
- updated to 1.9.1: allows http as protocol and fixes -N with wildcards
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/qvsslg2.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/qvsslg2.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.97.0/test/unit_tests.sh
=====================================
@@ -30,6 +30,27 @@ NAGIOS_WARNING=1
NAGIOS_CRITICAL=2
NAGIOS_UNKNOWN=3
+testHoursUntilNow() {
+ # testing with perl
+ export DATETYPE='PERL'
+ hours_until "$( date )"
+ assertEquals "error computing the missing hours until now" 0 "${HOURS_UNTIL}"
+}
+
+testHoursUntil5Hours() {
+ # testing with perl
+ export DATETYPE='PERL'
+ hours_until "$( perl -e '$x=localtime(time+(5*3600));print $x' )"
+ assertEquals "error computing the missing hours until now" 5 "${HOURS_UNTIL}"
+}
+
+testHoursUntil42Hours() {
+ # testing with perl
+ export DATETYPE='PERL'
+ hours_until "$( perl -e '$x=localtime(time+(42*3600));print $x' )"
+ assertEquals "error computing the missing hours until now" 42 "${HOURS_UNTIL}"
+}
+
testDependencies() {
check_required_prog openssl
# $PROG is defined in the script
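Review bot: all three `hours_until` tests reuse the message "error computing the missing hours until now", including the 5-hour and 42-hour cases; the messages should state the expected value. The tests also force `DATETYPE='PERL'`, so the GNU and BSD `date` code paths of `hours_until` are never exercised, and whether `hours_until "$( date )"` yields exactly 0 depends on how partial hours are rounded, which these tests do not pin down.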
@@ -234,13 +255,13 @@ testFTP() {
${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftp --port 21 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-}
+}
testFTPS() {
${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftps --port 990 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-}
+}
################################################################################
# From https://badssl.com
@@ -303,24 +324,6 @@ testBadSSLSHA256() {
fi
}
-# exired on Feb 17 2019
-#testBadSSL1000SANs() {
-# if [ -z "${TRAVIS+x}" ] ; then
-# ${SCRIPT} -H 1000-sans.badssl.com --host-cn
-# EXIT_CODE=$?
-# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-# else
-# echo "Skipping 1000 subject alternative names with badssl.com on Travis CI"
-# fi
-#}
-
-# Disabled as OpenSSL does not seem to handle it
-#testBadSSL10000SANs() {
-# ${SCRIPT} -H 10000-sans.badssl.com --host-cn
-# EXIT_CODE=$?
-# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
-#}
-
testBadSSLEcc256() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H ecc256.badssl.com --host-cn
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.crt → check_ssl_cert/check_ssl_cert_1.97.0/test/www.ethz.ch.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.96.0/test/www.ethz.ch.error → check_ssl_cert/check_ssl_cert_1.97.0/test/www.ethz.ch.error
=====================================
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.96.0
+Version: 1.97.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.96.0
\ No newline at end of file
+check_ssl_cert_1.97.0
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/commit/54902b8d846c5752e41072f08b48d0e53389bb89