[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 2 commits: check_ssl_cert: Update to 1.129.0
Jan Wagner
gitlab at salsa.debian.org
Sun Dec 27 18:55:15 GMT 2020
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
12dbba02 by Jan Wagner at 2020-12-27T19:48:06+01:00
check_ssl_cert: Update to 1.129.0
- - - - -
f12ba2e1 by Jan Wagner at 2020-12-27T19:54:13+01:00
Merge branch 'development'
- - - - -
19 changed files:
- − check_ssl_cert/check_ssl_cert_1.124.0/VERSION
- check_ssl_cert/check_ssl_cert_1.124.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.129.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.124.0/COPYING → check_ssl_cert/check_ssl_cert_1.129.0/COPYING
- check_ssl_cert/check_ssl_cert_1.124.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.129.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.124.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.129.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.124.0/INSTALL → check_ssl_cert/check_ssl_cert_1.129.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.124.0/Makefile → check_ssl_cert/check_ssl_cert_1.129.0/Makefile
- check_ssl_cert/check_ssl_cert_1.124.0/NEWS → check_ssl_cert/check_ssl_cert_1.129.0/NEWS
- check_ssl_cert/check_ssl_cert_1.124.0/README.md → check_ssl_cert/check_ssl_cert_1.129.0/README.md
- check_ssl_cert/check_ssl_cert_1.124.0/TODO → check_ssl_cert/check_ssl_cert_1.129.0/TODO
- + check_ssl_cert/check_ssl_cert_1.129.0/VERSION
- check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.124.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.129.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.124.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.129.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.124.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.129.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.122.0
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.129.0/AUTHORS
=====================================
@@ -102,4 +102,7 @@ Thanks:
* Many thanks to skanx (https://github.com/skanx) for the --not-issued-by output patch
* Many thanks to Zadkiel (https://github.com/aslafy-z) for the --version, the
--skip-element patches
-* Many thanks to Marcel Burkhalter (https://github.com/explorer69) the custom HTTP header patch.
\ No newline at end of file
+* Many thanks to Marcel Burkhalter (https://github.com/explorer69) the custom HTTP header patch.
+* Many thanks to Peter Newmann (https://github.com/peternewman) for the timeout
+ documentation patch and the issuers patch
+* Many thanks to cbiedl (https://github.com/cbiedl) for the proxy patch
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/COPYING → check_ssl_cert/check_ssl_cert_1.129.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.129.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.129.0/ChangeLog
=====================================
@@ -1,3 +1,29 @@
+2020-12-23 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): - instead of _ to separate words in the command line options
+
+2020-12-22 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): added the --no-proxy option
+
+2020-12-21 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): added a sanity check for the -f option
+ * check_ssl_cert (main): better handling of certificates without CN
+
+2020-12-16 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): fixed the regex for the proxy cleanup for s_client
+
+2020-12-15 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (require_s_client_option): Checks if s_client supports the -no_ssl[23] options
+ * check_ssl_cert (main): Better filtering of the nmap output
+
+2020-12-11 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Corrected the handling of the issuer URI
+
2020-12-01 Matteo Corti <matteo at corti.li>
* check_ssl_cert: Correct handling of -proxy by s_client and --proxy by cURL
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/INSTALL → check_ssl_cert/check_ssl_cert_1.129.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/Makefile → check_ssl_cert/check_ssl_cert_1.129.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/NEWS → check_ssl_cert/check_ssl_cert_1.129.0/NEWS
=====================================
@@ -1,4 +1,9 @@
-2020-12-31 Version 1.124.0: Bug fix when using a proxy
+2020-12-24 Version 1.129.0: Bug fix in the proxy parameters handling
+2020-12-22 Version 1.128.0: Added --no-proxy to ignore proxy settings
+2020-12-21 Version 1.127.0: Better handling of certificates without CN in the subject
+2020-12-16 Version 1.126.0: Corrected the handling of old nmap versions
+2020-12-11 Version 1.125.0: Corrected the handling of the issuer URI
+2020-11-31 Version 1.124.0: Bug fix when using a proxy
2020-11-30 Version 1.123.0: Enhancement: option to check the nth element
2020-08-07 Version 1.122.0: Bug fix, --skip-element and --custom-header
2020-07-24 Version 1.121.0: Bug fix release
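Review bot: the re-dated 1.124.0 entry reads 2020-11-31, which is not a calendar date (November has 30 days), and the ChangeLog in this same update dates the matching proxy fix 2020-12-01. This file is imported from upstream as part of the version bump, so the correction belongs in an upstream report rather than a local patch.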
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/README.md → check_ssl_cert/check_ssl_cert_1.129.0/README.md
=====================================
@@ -127,7 +127,7 @@ Options:
--temp dir directory where to store the temporary files
--terse terse output
-t,--timeout seconds timeout after the specified time
- (defaults to 15 seconds)
+ (defaults to 120 seconds)
--tls1 force TLS version 1
--tls1_1 force TLS version 1.1
--tls1_2 force TLS version 1.2
@@ -151,12 +151,13 @@ Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
```
-## Expect
+## Expect & timeout
-check_ssl_cert requires 'expect' to enable timeouts. If expect is not
+check_ssl_cert requires 'expect' or 'timeout' to enable timeouts. If 'expect' or 'timeout' is not
present on your system timeouts will be disabled.
-See: http://en.wikipedia.org/wiki/Expect
+See: http://en.wikipedia.org/wiki/Expect and https://man7.org/linux/man-pages/man1/timeout.1.html
+
## Virtual servers
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/TODO → check_ssl_cert/check_ssl_cert_1.129.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.129.0
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.124.0
+VERSION=1.129.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -122,12 +122,13 @@ usage() {
echo " -n,--cn name pattern to match the CN of the certificate (can be"
echo " specified multiple times)"
echo " --nmap-bin path path of the nmap binary to be used"
- echo " --no_ssl2 disable SSL version 2"
- echo " --no_ssl3 disable SSL version 3"
- echo " --no_tls1 disable TLS version 1"
- echo " --no_tls1_1 disable TLS version 1.1"
- echo " --no_tls1_2 disable TLS version 1.2"
- echo " --no_tls1_3 disable TLS version 1.3"
+ echo " --no-proxy ignores the http_proxy and https_proxy environment variables"
+ echo " --no-ssl2 disable SSL version 2"
+ echo " --no-ssl3 disable SSL version 3"
+ echo " --no-tls1 disable TLS version 1"
+ echo " --no-tls1_1 disable TLS version 1.1"
+ echo " --no-tls1_2 disable TLS version 1.2"
+ echo " --no-tls1_3 disable TLS version 1.3"
echo " --not-issued-by issuer check that the issuer of the certificate does not match"
echo " the given pattern"
echo " --not-valid-longer-than days critical if the certificate validity is longer than"
@@ -170,7 +171,7 @@ usage() {
echo " --temp dir directory where to store the temporary files"
echo " --terse terse output"
echo " -t,--timeout seconds timeout after the specified time"
- echo " (defaults to 15 seconds)"
+ echo " (defaults to ${TIMEOUT} seconds)"
echo " --tls1 force TLS version 1"
echo " --tls1_1 force TLS version 1.1"
echo " --tls1_2 force TLS version 1.2"
@@ -465,6 +466,20 @@ unknown() {
exit "${STATUS_UNKNOWN}"
}
+
+################################################################################
+# Exits with unknown if s_client does not support the given option
+#
+# Usage:
+# require_s_client_option '-no_ssl2'
+#
+require_s_client_option() {
+ debuglog "Checking if s_client supports the $1 option"
+ if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "$1" ; then
+ unknown "s_client does not support the $1 option"
+ fi
+}
+
################################################################################
# To set a variable with an HEREDOC in a POSIX compliant way
# see: https://unix.stackexchange.com/questions/340718/how-do-i-bring-heredoc-text-into-a-shell-script-variable
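Review bot: the support test in require_s_client_option matches the option as an unanchored substring of the help text, so grep -q -- "$1" for -no_tls1 also succeeds when only -no_tls1_1 or -no_tls1_2 is listed, and the check passes for an option s_client may not have. Match the whole word instead, for example grep -qw -- "$1". The -proxy probe further down in this diff also tries s_client not_a_real_option as a second source of usage text; this function relies on -help alone, so if that fallback is needed for -proxy it is needed here too.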
@@ -1000,6 +1015,8 @@ main() {
CRITICAL_DAYS=15
ELEMENT=0
SKIP_ELEMENT=0
+ NO_PROXY=""
+ PROXY=""
# after 2020-09-01 we could set the default to 398 days because of Apple
# https://support.apple.com/en-us/HT211025
@@ -1064,27 +1081,31 @@ main() {
IGNORE_SSL_LABS_CACHE="&startNew=on"
shift
;;
- --no_ssl2)
+ --no-proxy)
+ NO_PROXY=1
+ shift
+ ;;
+ --no-ssl2|--no_ssl2) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl2"
shift
;;
- --no_ssl3)
+ --no-ssl3|--no_ssl3) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl3"
shift
;;
- --no_tls1)
+ --no-tls1|--no_tls1) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1"
shift
;;
- --no_tls1_1)
+ --no-tls1_1|--no_tls1_1) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_1"
shift
;;
- --no_tls1_2)
+ --no-tls1_2|--no_tls1_2) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_2"
shift
;;
- --no_tls1_3)
+ --no-tls1_3|--no_tls1_3) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
shift
;;
@@ -1346,6 +1367,7 @@ main() {
;;
--proxy)
check_option_argument '--proxy' "$2"
+ PROXY="$2"
export http_proxy="$2"
shift 2
;;
@@ -1610,6 +1632,12 @@ main() {
fi
+ if [ -n "${FILE}" ] ; then
+ if [ ! -r "${FILE}" ] ; then
+ unknown "Cannot read file ${FILE}"
+ fi
+ fi
+
if [ -n "${CRITICAL_DAYS}" ] ; then
debuglog "-c specified: ${CRITICAL_DAYS}"
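Review bot: the new -f sanity check tests only [ ! -r "${FILE}" ], which rejects unreadable paths but lets a readable directory through, so a directory passed to -f is not caught here. Adding a [ -f "${FILE}" ] test alongside it would make the check cover what its error message promises.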
@@ -1882,11 +1910,35 @@ main() {
fi
+ if [ -n "${PROXY}" ] && [ -n "${NO_PROXY}" ] ; then
+ unknown "Only one of --proxy or --no_proxy can be specfied"
+ fi
+
+ ################################################################################
+ # If --no-proxy was specified unset the http_proxy variables
+ if [ -n "${NO_PROXY}" ] ; then
+ debuglog "Disabling the proxy"
+ unset http_proxy
+ unset https_proxy
+ unset HTTP_PROXY
+ unset HTTPS_PROXY
+ fi
+
################################################################################
# Check if openssl s_client supports the -proxy option
#
SCLIENT_PROXY=
+ SCLIENT_PROXY_ARGUMENT=
+ CURL_PROXY=
+ CURL_PROXY_ARGUMENT=
if [ -n "${http_proxy}" ] || [ -n "${HTTP_PROXY}" ] ; then
+
+ debuglog "Proxy settings (before):"
+ debuglog " http_proxy = ${http_proxy}"
+ debuglog " https_proxy = ${https_proxy}"
+ debuglog " HTTP_PROXY = ${HTTP_PROXY}"
+ debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
+
if [ -n "${http_proxy}" ] ; then
HTTP_PROXY="${http_proxy}"
fi
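Review bot: the conflict message at the top of this hunk names the option as --no_proxy and misspells "specified", while the option added in this release is --no-proxy and the case statement accepts no underscore variant for it. Suggested text: "Only one of --proxy or --no-proxy can be specified". Separately, the new "Proxy settings" debug lines print the proxy variables verbatim; a proxy URL that carries credentials (user:password@host) would end up in debug output, so consider masking the userinfo part before logging.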
@@ -1908,14 +1960,25 @@ main() {
fi
if ${OPENSSL} s_client -help 2>&1 | grep -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -proxy; then
- debuglog "Adding -proxy ${HTTP_PROXY} to the s_client options"
SCLIENT_PROXY="-proxy"
- SCLIENT_PROXY_ARGUMENT="${HTTP_PROXY}"
+ SCLIENT_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
+
+ debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"
+
else
verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"
fi
+
+ debuglog "Proxy settings (after):"
+ debuglog " http_proxy = ${http_proxy}"
+ debuglog " https_proxy = ${https_proxy}"
+ debuglog " HTTP_PROXY = ${HTTP_PROXY}"
+ debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
+ debuglog " s_client = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
+ debuglog " cURL = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"
+
fi
################################################################################
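Review bot: SCLIENT_PROXY_ARGUMENT is derived by stripping only the scheme and one trailing slash, so a proxy value with userinfo or a path component is handed to s_client -proxy with those parts still attached. If only host:port is valid there, strip them as well or exit UNKNOWN on anything else. Also, CURL_PROXY and CURL_PROXY_ARGUMENT are reset to empty and then logged in the "after" block, but nothing in the lines shown assigns them in between; worth confirming the cURL debug line reports what curl will actually receive.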
@@ -1938,8 +2001,6 @@ main() {
################################################################################
# Check if openssl s_client supports the -xmpphost option
#
- # Check if openssl s_client supports the -xmpphost option
- #
if ${OPENSSL} s_client -help 2>&1 | grep -q -- -xmpphost ; then
XMPPHOST="-xmpphost ${XMPPHOST:-${HOST}}"
debuglog "'${OPENSSL} s_client' supports '-xmpphost': using ${XMPPHOST}"
@@ -1997,6 +2058,12 @@ main() {
fi
+ ################################################################################
+ # Check if s_client supports the no_ssl options
+ for S_CLIENT_OPTION in ${SSL_VERSION_DISABLED} ; do
+ require_s_client_option "${S_CLIENT_OPTION}"
+ done
+
################################################################################
# define the HTTP request string
if [ -n "${SNI}" ]; then
@@ -2023,16 +2090,16 @@ main() {
NMAP_INETPROTO='-6'
fi
- debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST}\" | grep '^|'"
+ debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST}\" 2>&1 | grep '^|'"
- OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST}" | grep '^|' )
+ OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST}" 2>&1 | grep '^|' )
debuglog "offered cyphers and protocols:"
debuglog "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'
for protocol in ${DISALLOWED_PROTOCOLS} ; do
debuglog "Checking if '${protocol}' is offered"
- if echo "${OFFERED_PROTOCOLS}" | grep -q "${protocol}" ; then
+ if echo "${OFFERED_PROTOCOLS}" | grep -v 'No supported ciphers found' | grep -q "${protocol}" ; then
debuglog "'${protocol}' is offered"
prepend_critical_message "${protocol} is offered"
fi
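Review bot: the added grep -v 'No supported ciphers found' in the protocol loop has no comment saying which nmap output it is meant to discard, and it only helps when that text sits on the same line as the protocol name. A short comment with a sample of the old nmap output would make the filter reviewable. The following grep -q "${protocol}" also treats the protocol as a regular expression, so any dot in a protocol name matches an arbitrary character; grep -qF would compare it literally.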
@@ -2221,8 +2288,16 @@ main() {
else
# we need to remove everything before 'CN = ', to remove an eventual email supplied with / and additional elements (after ', ')
# shellcheck disable=SC2086
- CN="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
+ if ${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} | grep -q 'CN' ; then
+ CN="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
sed -e "s/^.*[[:space:]]*CN[[:space:]]=[[:space:]]//" -e "s/\\/[[:alpha:]][[:alpha:]]*=.*\$//" -e "s/,.*//" )"
+ else
+ CN='CN unavailable'
+ if [ -z "${ALTNAMES}" ] ; then
+ verboselog "Certificate without common name (CN), enabling altername names"
+ ALTNAMES=1
+ fi
+ fi
# shellcheck disable=SC2086
SUBJECT="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS})"
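Review bot: the presence test grep -q 'CN' matches those two letters anywhere in the subject line, so a subject with no common name but with C = CN, or an organisation name containing "CN", takes the first branch and the sed expression then leaves CN set to a truncated subject string instead of 'CN unavailable'. Test for the attribute itself, for example grep -q 'CN[[:space:]]*='. Smaller points: openssl x509 now runs twice on the same certificate, the verbose message says "altername names", and ALTNAMES is switched on implicitly, which deserves a line in the option documentation.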
@@ -2270,10 +2345,11 @@ main() {
debuglog 'ISSUERS = '
debuglog "${ISSUERS}"
- # we just consider the first URI
+ # we just consider the first HTTP(S) URI
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
- ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+
+ ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
# TODO: should be checked
# shellcheck disable=SC2021
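Review bot: the new grep -i "http" filter matches "http" anywhere on the CA Issuers line, not only as the URI scheme, so an entry with another scheme whose path happens to contain that string would still be selected as the first HTTP(S) URI. Anchoring the match to the field, for example grep -i 'URI:http', would do what the updated comment describes.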
@@ -2772,9 +2848,9 @@ main() {
debuglog "OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT_TMP}"
if [ -n "${CURL_USER_AGENT}" ] ; then
- exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
else
- exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location ${ISSUER_URI} > ${ISSUER_CERT_TMP}"
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
fi
debuglog "OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
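Review bot: the quoting added around ${ISSUER_URI} uses double quotes inside a command string that is evaluated later (it carries its own > redirection), and inside double quotes a shell still expands $, backticks and backslashes. The URI is taken from the certificate being checked, so the safety of this line rests on the tr -d character list applied where ISSUER_URI is assigned; state that dependency in a comment here, or validate the URI against an allow-list of characters before use. ${ISSUER_CERT_TMP} after the redirection is still unquoted, and the two branches differ only in --user-agent and could share one command.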
@@ -2860,13 +2936,14 @@ main() {
fi
if [ -n "${HTTP_PROXY:-}" ] ; then
+ OCSP_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
if [ -n "${KEYVALUE}" ] ; then
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
else
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
else
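Review bot: OCSP_PROXY_ARGUMENT repeats the same two-stage sed pipeline used for SCLIENT_PROXY_ARGUMENT earlier in this diff; move it into one helper so the s_client and ocsp paths cannot drift apart. For ordinary proxy URLs the removed ${HTTP_PROXY#*://} expansion plus a %/ strip gives the same result without spawning a subshell and two sed processes.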
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "December, 2020" "1.124.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "December, 2020" "1.129.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -130,22 +130,25 @@ Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash
.BR "-n,--cn" " name"
pattern to match the CN of the certificate (can be specified multiple times)
.TP
-.BR " --no_ssl2"
+.BR " --no-proxy"
+ignores the http_proxy and https_proxy environment variables
+.TP
+.BR " --no-ssl2"
disable SSL version 2
.TP
-.BR " --no_ssl3"
+.BR " --no-ssl3"
disable SSL version 3
.TP
-.BR " --no_tls1"
+.BR " --no-tls1"
disable TLS version 1
.TP
-.BR " --no_tls1_1"
+.BR " --no-tls1_1"
disable TLS version 1.1
.TP
-.BR " --no_tls1_3"
+.BR " --no-tls1_3"
disable TLS version 1.3
.TP
-.BR " --no_tls1_2"
+.BR " --no-tls1_2"
disable TLS version 1.2
.TP
.BR " --not-issued-by" " issuer"
@@ -237,7 +240,7 @@ directory where to store the temporary files
terse output (also see --verbose)
.TP
.BR "-t,--timeout"
-seconds timeout after the specified time (defaults to 15 seconds)
+seconds timeout after the specified time (defaults to 120 seconds)
.TP
.BR " --tls1"
force TLS version 1
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.124.0
+%define version 1.129.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,21 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Thu Dec 24 2020 Matteo Corti <matteo at corti.li> - 1.129.0-0
+- Updated to 1.129.0
+
+* Tue Dec 22 2020 Matteo Corti <matteo at corti.li> - 1.128.0-0
+- Updated to 1.128.0
+
+* Mon Dec 21 2020 Matteo Corti <matteo at corti.li> - 1.127.0-0
+- Updated to 1.127.0
+
+* Wed Dec 16 2020 Matteo Corti <matteo at corti.li> - 1.126.0-0
+- Updated to 1.126.0
+
+* Fri Dec 11 2020 Matteo Corti <matteo at corti.li> - 1.125.0-0
+- Updated to 1.125.0
+
* Mon Dec 1 2020 Matteo Corti <matteo at corti.li> - 1.124.0-0
- Updated to 1.124.0
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.129.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.129.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.124.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.129.0/test/unit_tests.sh
=====================================
@@ -571,6 +571,18 @@ testNotLongerValidThan() {
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
+testCertificsteWithoutCN() {
+ ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testCertificsteWithEmptySubject() {
+ ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
# SSL Labs (last one as it usually takes a lot of time
testETHZWithSSLLabs() {
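Review bot: both new tests read fixture certificates (./cert_with_subject_without_cn.crt and ./cert_with_empty_subject.crt) that do not appear among the 19 changed files, where test/ lists only cabundle.crt, cacert.crt and unit_tests.sh; unless they are already in the tree, these tests cannot pass from the packaged source. The function names also carry a typo (testCertificste...), which is worth reporting upstream.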
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.124.0
+Version: 1.129.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.124.0
\ No newline at end of file
+check_ssl_cert_1.129.0/
\ No newline at end of file
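Review bot: the new value ends in a slash (check_ssl_cert_1.129.0/) where the old one did not (check_ssl_cert_1.124.0). Keep the form without the trailing slash for consistency, or confirm that whatever reads check_ssl_cert/src tolerates both.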
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/cdafe0749d1e9482ac5692036d8377f383223d54...f12ba2e198615bb6c077f6f78511d9338e93cde7