[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] Update check_ssl_cert to 1.113.0
Jan Wagner
gitlab at salsa.debian.org
Tue May 26 08:49:29 BST 2020
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
8c8a7701 by Jan Wagner at 2020-05-26T08:33:56+02:00
Update check_ssl_cert to 1.113.0
- - - - -
24 changed files:
- − check_ssl_cert/check_ssl_cert_1.109.0/._COPYRIGHT
- − check_ssl_cert/check_ssl_cert_1.109.0/._Makefile
- − check_ssl_cert/check_ssl_cert_1.109.0/._NEWS
- − check_ssl_cert/check_ssl_cert_1.109.0/._check_ssl_cert
- − check_ssl_cert/check_ssl_cert_1.109.0/VERSION
- check_ssl_cert/check_ssl_cert_1.109.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.109.0/COPYING → check_ssl_cert/check_ssl_cert_1.113.0/COPYING
- check_ssl_cert/check_ssl_cert_1.109.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.109.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.109.0/INSTALL → check_ssl_cert/check_ssl_cert_1.113.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.109.0/Makefile → check_ssl_cert/check_ssl_cert_1.113.0/Makefile
- check_ssl_cert/check_ssl_cert_1.109.0/NEWS → check_ssl_cert/check_ssl_cert_1.113.0/NEWS
- check_ssl_cert/check_ssl_cert_1.109.0/README.md → check_ssl_cert/check_ssl_cert_1.113.0/README.md
- check_ssl_cert/check_ssl_cert_1.109.0/TODO → check_ssl_cert/check_ssl_cert_1.113.0/TODO
- + check_ssl_cert/check_ssl_cert_1.113.0/VERSION
- check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.109.0/test/._unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh
- check_ssl_cert/check_ssl_cert_1.109.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.109.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.109.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/._COPYRIGHT deleted
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.109.0/._COPYRIGHT and /dev/null differ
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/._Makefile deleted
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.109.0/._Makefile and /dev/null differ
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/._NEWS deleted
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.109.0/._NEWS and /dev/null differ
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/._check_ssl_cert deleted
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.109.0/._check_ssl_cert and /dev/null differ
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.109.0
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS
=====================================
@@ -90,4 +90,7 @@ Thanks:
* Many thanks to iasdeoupxe (https://github.com/iasdeoupxe) for various fixes
* Many thanks to Andre Klärner (https://github.com/klaernie) for the typos corrections
* Many thanks to Дилян Палаузов (https://github.com/dilyanpalauzov) for the DANE checks
-* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix
\ No newline at end of file
+* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix
+* Many thanks to Jörg Thalheim (https://github.com/Mic92) for the xmpp-server patch
+* Many thanks to Arkadiusz Miśkiewicz (https://github.com/arekm) for the OCSP timeout patch
+* Many thanks to Thomas Weißschuh (https://github.com/t-8ch) for the PostgreSQL patch
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/COPYING → check_ssl_cert/check_ssl_cert_1.113.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog
=====================================
@@ -1,3 +1,19 @@
+2020-05-18 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Propagates the -6 switch to nmap
+
+2020-03-26 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): show command line arguments in debug mode
+
+2020-03-09 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): new option (--not-valid-longer-than) to check if a certificate is valid longer than the specified number of days
+
+2020-02-17 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (fetch_certificate): added support for xmpp-server in the STARTTLS negotiation
+
2020-01-07 Matteo Corti <matteo at corti.li>
* check_ssl_cert (fetch_certificate): option to force HTTP/2
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/INSTALL → check_ssl_cert/check_ssl_cert_1.113.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/Makefile → check_ssl_cert/check_ssl_cert_1.113.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/NEWS → check_ssl_cert/check_ssl_cert_1.113.0/NEWS
=====================================
@@ -1,3 +1,8 @@
+2020-05-19 Version 1.113.0: Fixed a bug with nmap and hosts with IPv6 addresses only
+2020-04-07 Version 1.112.0: Timeout for OCSP queries and option to ignore timeout errors and PostgreSQL support
+2020-03-09 Version 1.111.0: New option (--not-valid-longer-than) to check if a certificate is valid longer than the
+ specified number of days
+2020-02-17 Version 1.110.0: Added support for xmpp-server in the STARTTLS negotiation
2020-01-07 Version 1.109.0: Option to force HTTP/2
2019-12-23 Version 1.108.0: Better error message in case of connection refused
2019-12-20 Version 1.107.0: Better error message in case of an invalid host
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/README.md → check_ssl_cert/check_ssl_cert_1.113.0/README.md
=====================================
@@ -89,9 +89,11 @@ Options:
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
- {ftp|ftps|http|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|sieve|smtp|smtps|xmpp}
- http: default
- ftp,imap,irc,ldap,pop3,sieve,smtp: switch to TLS using StartTLS
+ {ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|
+ postgres|sieve|smtp|smtps|xmpp|xmpp-server}
+ https: default
+ h2: forces HTTP/2
+ ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS
--require-no-ssl2 critical if SSL version 2 is offered
--require-no-ssl3 critical if SSL version 3 is offered
--require-no-tls1 critical if TLS 1 is offered
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/TODO → check_ssl_cert/check_ssl_cert_1.113.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.113.0
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.109.0
+VERSION=1.113.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -93,6 +93,7 @@ usage() {
echo " related checks"
echo " --ignore-exp ignore expiration date"
echo " --ignore-ocsp do not check revocation with OCSP"
+ echo " --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking"
echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
echo " or MD5"
echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
@@ -102,7 +103,7 @@ usage() {
echo " -K,--clientkey path use client certificate key to authenticate"
echo " -L,--check-ssl-labs grade SSL Labs assessment"
echo " (please check https://www.ssllabs.com/about/terms.html)"
- echo " --check-ssl-labs-warn-grade SSL-Labs grade on which to warn"
+ echo " --check-ssl-labs-warn grade SSL-Labs grade on which to warn"
echo " --long-output list append the specified comma separated (no spaces) list"
echo " of attributes to the plugin output on additional lines"
echo " Valid attributes are:"
@@ -118,6 +119,7 @@ usage() {
echo " --no_tls1_1 disable TLS version 1.1"
echo " --no_tls1_2 disable TLS version 1.2"
echo " --no_tls1_3 disable TLS version 1.3"
+ echo " --not-valid-longer-than days critical if the certificate validity is longer than the specified period"
echo " -N,--host-cn match CN with the host name"
echo " --ocsp-critical hours minimum number of hours an OCSP response has to be valid to"
echo " issue a critical status"
@@ -127,9 +129,10 @@ usage() {
echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
- echo " {ftp|ftps|http|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|sieve|smtp|smtps|xmpp}"
- echo " http: default"
- echo " ftp,imap,irc,ldap,pop3,sieve,smtp: switch to TLS using StartTLS"
+ echo " {ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|postgres|sieve|smtp|smtps|xmpp|xmpp-server}"
+ echo " https: default"
+ echo " h2: forces HTTP/2"
+ echo " ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS"
echo " --require-no-ssl2 critical if SSL version 2 is offered"
echo " --require-no-ssl3 critical if SSL version 3 is offered"
echo " --require-no-tls1 critical if TLS 1 is offered"
@@ -397,11 +400,11 @@ append_warning_message() {
fi
MSG="${SHORTNAME} WARN${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
-
+
if [ "${WARNING_MSG}" = "" ]; then
WARNING_MSG="${MSG}"
fi
-
+
ALL_MSG="${ALL_MSG}\n ${MSG}"
@@ -412,7 +415,6 @@ append_warning_message() {
echo "[DBG] WARNING <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
fi
-
}
@@ -462,6 +464,7 @@ unknown() {
# ...
# HEREDOC
set_variable() {
+ # shellcheck disable=SC2016
eval "$1"'=$(cat)'
}
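Review bot: The bare `# shellcheck disable=SC2016` added to set_variable says nothing about why the warning is a false positive, and the function's real hazard stays undocumented: `$1` is spliced unquoted into `eval`, so it must always be a fixed variable name chosen by the script, never data. Suggest `# shellcheck disable=SC2016  # single quotes are intentional: $(cat) must run inside eval so it assigns to the named variable` and a header comment stating that the argument is a literal identifier that is eval'd. The visible caller in exec_with_timeout (`set_variable EXPECT_SCRIPT`) already respects this; the comment keeps it that way.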
@@ -514,7 +517,7 @@ exec_with_timeout() {
# (in fact the value is assigned with the function set_value)
EXPECT_SCRIPT=''
TIMEOUT_ERROR_CODE=42
-
+
set_variable EXPECT_SCRIPT << EOT
set echo \"-noecho\"
@@ -523,7 +526,7 @@ set timeout ${time}
# spawn the process
spawn -noecho sh -c { ${command} }
-expect {
+expect {
timeout { exit ${TIMEOUT_ERROR_CODE} }
eof
}
@@ -656,7 +659,7 @@ fetch_certificate() {
RET=0
ALPN=''
-
+
# IPv6 addresses need brackets in a URI
if [ "${HOST}" != "${HOST#*[0-9].[0-9]}" ]; then
if [ -n "${DEBUG}" ] ; then
@@ -726,11 +729,15 @@ fetch_certificate() {
exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
+ postgres)
+ exec_with_timeout "${TIMEOUT}" "printf 'X\0\0\0\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ RET=$?
+ ;;
sieve)
exec_with_timeout "${TIMEOUT}" "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- xmpp)
+ xmpp|xmpp-server)
exec_with_timeout "${TIMEOUT}" "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
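Review bot: The new `postgres` arm hands `-starttls postgres` to s_client with no check that the installed OpenSSL knows that protocol, and the same holds for the `xmpp-server` alternative; the script does probe `s_client -help` before using `-name` in a later hunk, and without a similar probe an older OpenSSL fails with an unrelated-looking message buried in `${ERROR}`. Consider detecting the unsupported case up front and reporting `unknown` with an explicit message, as is done for `-name`. The arm also inherits the sibling pattern of interpolating `${HOST}` and `${PORT}` unquoted into a string later executed by `sh -c`; this is pre-existing, but a comment such as `# HOST/PORT are interpolated into a shell command string: keep them validated upstream` would make the dependency visible. fetch_certificate continues outside the hunk.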
@@ -753,7 +760,7 @@ fetch_certificate() {
if [ "${PROTOCOL}" = 'h2' ] ; then
ALPN='-alpn h2'
fi
-
+
exec_with_timeout "${TIMEOUT}" "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} ${ALPN} -connect ${HOST}:${PORT} ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
@@ -762,7 +769,7 @@ fetch_certificate() {
if [ -n "${DEBUG}" ] ; then
echo "[DBG] Return value of the command = ${RET}"
-
+
echo "[DBG] storing a copy of the retrieved certificate in ${TMPDIR}/${HOST}-${PORT}.crt"
cp "${CERT}" "${TMPDIR}/${HOST}-${PORT}.crt"
@@ -796,7 +803,7 @@ fetch_certificate() {
ERROR='Connection refused'
prepend_critical_message "${ERROR}"
critical "${SHORTNAME} CRITICAL: ${ERROR}"
-
+
else
# Try to clean up the error message
@@ -895,6 +902,7 @@ main() {
REQUIRE_SAN=""
REQUIRE_OCSP_STAPLING=""
OCSP="1" # enabled by default
+ OCSP_IGNORE_TIMEOUT=""
FORMAT=""
HTTP_METHOD="HEAD"
RSA=""
@@ -902,6 +910,10 @@ main() {
DANE=""
DISALLOWED_PROTOCOLS=""
+ # after 2020-09-01 we could set the default to 398 days because of Apple
+ # https://support.apple.com/en-us/HT211025
+ NOT_VALID_LONGER_THAN=""
+
# Set the default temp dir if not set
if [ -z "${TMPDIR}" ] ; then
TMPDIR="/tmp"
@@ -913,6 +925,8 @@ main() {
# We do not use getopts since it is unable to process long options and it is
# Bash specific.
+ COMMAND_LINE_ARGUMENTS=$*
+
while true; do
case "$1" in
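Review bot: `COMMAND_LINE_ARGUMENTS=$*` captures every argument and the later debug hunk echoes it verbatim, so any argument that carries a secret (the s_client command strings expand a `${CLIENTPASS}` variable, which suggests a client-key passphrase option) ends up in the debug output and in whatever log collects it. Either redact such values before storing the string, or build the debug trace while parsing options so password-bearing options are replaced with `<redacted>`, and mark the assignment with `# debug trace only: must never contain secrets`. `$*` also collapses argument boundaries, so one argument containing a space is indistinguishable from two; `printf '%s ' "$@"` at the point of use gives a more faithful trace. main continues outside the hunk.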
@@ -1052,6 +1066,10 @@ main() {
OCSP=""
shift
;;
+ --ignore-ocsp-timeout)
+ OCSP_IGNORE_TIMEOUT=1
+ shift
+ ;;
--terse)
TERSE=1
shift
@@ -1147,8 +1165,8 @@ main() {
SSL_LAB_CRIT_ASSESSMENT="$2"
shift 2
;;
- --check-ssl-labs-warn-grade)
- check_option_argument '--check-ssl-labs-warn-grade' "$2"
+ --check-ssl-labs-warn)
+ check_option_argument '--check-ssl-labs-warn' "$2"
SSL_LAB_WARN_ASSESTMENT="$2"
shift 2
;;
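Review bot: Renaming `--check-ssl-labs-warn-grade` to `--check-ssl-labs-warn` without an alias breaks every existing command definition that used the old spelling, since the parser, the usage text and the error message all switch at once (and the man page previously advertised a third spelling). A two-line change keeps both working: `--check-ssl-labs-warn|--check-ssl-labs-warn-grade)` followed by `check_option_argument "$1" "$2"` so the message names the spelling actually given. main continues outside the hunk.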
@@ -1176,6 +1194,11 @@ main() {
fi
shift 2
;;
+ --not-valid-longer-than)
+ check_option_argument '--not-valid-longer-than' "$2"
+ NOT_VALID_LONGER_THAN=$2
+ shift 2
+ ;;
--ocsp-critical)
check_option_argument '--ocsp-critical' "$2"
OCSP_CRITICAL="$2"
@@ -1324,12 +1347,12 @@ main() {
if [ -z "${PORT}" ] ; then
if [ -z "${PROTOCOL}" ] ; then
-
+
# default is HTTPS
PORT='443'
else
-
+
case "${PROTOCOL}" in
smtp)
PORT=25
@@ -1361,6 +1384,9 @@ main() {
imaps)
PORT=993
;;
+ postgres)
+ PORT=5432
+ ;;
sieve)
PORT=4190
;;
@@ -1376,9 +1402,13 @@ main() {
esac
fi
-
+
fi
-
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] Command line arguments: ${COMMAND_LINE_ARGUMENTS}"
+ fi
+
################################################################################
# Set COMMON_NAME to hostname if -N was given as argument.
# COMMON_NAME may be a space separated list of hostnames.
@@ -1486,6 +1516,18 @@ main() {
fi
+ if [ -n "${NOT_VALID_LONGER_THAN}" ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] --not-valid-longer-than specified: ${NOT_VALID_LONGER_THAN}"
+ fi
+
+ if ! echo "${NOT_VALID_LONGER_THAN}" | grep -q '^[0-9][0-9]*$' ; then
+ unknown "invalid number of days ${NOT_VALID_LONGER_THAN}"
+ fi
+
+ fi
+
if [ -n "${TMPDIR}" ] ; then
if [ ! -d "${TMPDIR}" ] ; then
@@ -1515,7 +1557,7 @@ main() {
convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
- unknown '--check-ssl-labs-warn-grade must be greater than -L|--check-ssl-labs'
+ unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
fi
fi
@@ -1608,8 +1650,8 @@ main() {
else
# we check if the provided binary actually works
check_required_prog "${NMAP_BIN}"
- fi
-
+ fi
+
# Expect (optional)
EXPECT="$(command -v expect 2> /dev/null)"
test -x "${EXPECT}" || EXPECT=""
@@ -1752,11 +1794,11 @@ main() {
S_CLIENT_NAME=
if ${OPENSSL} s_client -help 2>&1 | grep -q -- -name || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -name; then
- HOSTNAME=$( hostname )
- S_CLIENT_NAME="-name ${HOSTNAME}"
+ CURRENT_HOSTNAME=$( hostname )
+ S_CLIENT_NAME="-name ${CURRENT_HOSTNAME}"
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] '${OPENSSL} s_client' supports '-name': using ${HOSTNAME}"
+ echo "[DBG] '${OPENSSL} s_client' supports '-name': using ${CURRENT_HOSTNAME}"
fi
else
@@ -1829,6 +1871,13 @@ main() {
unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
fi
+ # nmap does not have a -4 switch
+ NMAP_INETPROTO=''
+ if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" = '-6' ] ; then
+ NMAP_INETPROTO='-6'
+ fi
+
+
fi
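Review bot: `NMAP_INETPROTO=''` is initialised inside the block that this hunk's closing `fi` ends (its condition lies outside the hunk), so whenever that block is skipped the variable is never set and the nmap invocation in the disallowed-protocols hunk expands an unset name. Initialise it with the other defaults at the top of main, next to `OCSP_IGNORE_TIMEOUT=""`, and keep only the `-6` assignment here; the comment `# nmap does not have a -4 switch` would then sit with the assignment it explains. The doubled blank line before the `fi` is worth dropping as well.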
################################################################################
@@ -1840,18 +1889,30 @@ main() {
fi
HTTP_REQUEST="${HTTP_METHOD} / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
-
+
##############################################################################
# Check for disallowed protocols
if [ -n "${DISALLOWED_PROTOCOLS}" ] ; then
- OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" --script ssl-enum-ciphers "${HOST}" | grep '^|' )
+ # check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch
+ if ${NMAP_BIN} "${HOST}" 2>&1 | grep -q 'Failed to resolve' ; then
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] nmap is not able to resolve the host name. Trying with -6 to force IPv6 for an IPv6-only host'
+ fi
+ NMAP_INETPROTO='-6'
+ fi
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST}\" | grep '^|'"
+ fi
+
+ OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST}" | grep '^|' )
if [ -n "${DEBUG}" ] ; then
echo "[DBG] offered cyphers and protocols:"
echo "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'
fi
-
+
for protocol in ${DISALLOWED_PROTOCOLS} ; do
if [ -n "${DEBUG}" ] ; then
echo "[DBG] Checking if '${protocol}' is offered"
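Review bot: `"${NMAP_INETPROTO}"` is quoted, so in the default case, where the variable is empty, nmap receives a literal empty argument that it will try to interpret as a target; the value is either empty or `-6`, so it has to be expanded unquoted here, `OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" ${NMAP_INETPROTO} --script ssl-enum-ciphers "${HOST}" | grep '^|' )` with `# shellcheck disable=SC2086` above it. The resolution probe `${NMAP_BIN} "${HOST}"` runs a full default port scan of the monitored host just to learn whether the name resolves, which is slow and is exactly the traffic an IDS flags; `${NMAP_BIN} -sL "${HOST}" 2>&1 | grep -q 'Failed to resolve'` resolves the name without sending any probes. The debug echo two lines above the command should be kept in step with whichever form is chosen. main continues outside the hunk.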
@@ -1866,7 +1927,7 @@ main() {
done
fi
-
+
##############################################################################
# DANE
@@ -1876,7 +1937,6 @@ main() {
echo '[DBG] checking DANE'
fi
- # dig can be replaced with delv, on the next eight lines, if it is working on the system, in order to verify DNSSEC
if [ -z "${DIG_BIN}" ] ; then
DIG_BIN='dig'
fi
@@ -2516,7 +2576,7 @@ main() {
fi
if [ "${OPENSSL_COMMAND}" = "x509" ]; then
-
+
# x509 certificates (default)
# We always check expired certificates
@@ -2549,9 +2609,27 @@ main() {
fi
fi
-
+
+ if [ -n "${NOT_VALID_LONGER_THAN}" ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] checking if the certificate is valid longer than ${NOT_VALID_LONGER_THAN} days"
+ echo "[DBG] valid for ${DAYS_VALID} days"
+ fi
+
+ if [ "${DAYS_VALID}" -gt "${NOT_VALID_LONGER_THAN}" ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo "[DBG] Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days"
+ fi
+
+ prepend_critical_message "Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days"
+ fi
+
+ fi
+
elif [ "${OPENSSL_COMMAND}" = "crl" ]; then
-
+
# CRL certificates
# We always check expired certificates
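Review bot: The new check compares `DAYS_VALID`, which the surrounding messages describe as the number of days until the certificate expires, against `--not-valid-longer-than`, so it measures remaining validity rather than the certificate's validity period; the 398-day Apple limit cited where the option's default is discussed is a bound on the total period (notAfter minus notBefore). Under this logic a certificate issued with a three-year lifetime that has one year left passes a 398-day check. If the lifetime limit is the intent, derive the period from the start date as well (the script lists `startdate` among its attributes) and compare that; if remaining days is really the intent, the usage text `critical if the certificate validity is longer than the specified period` should say so. main continues outside the hunk.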
@@ -2855,28 +2933,28 @@ main() {
if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
else
if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
fi
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi
fi
@@ -2885,7 +2963,13 @@ main() {
echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
fi
- if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+ if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] OCSP: Timeout on connect'
+ fi
+
+ elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
if [ -n "${DEBUG}" ] ; then
echo '[DBG] OCSP: revoked'
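Review bot: With `--ignore-ocsp-timeout` a timed-out OCSP query now leaves the plugin status untouched, i.e. the certificate is reported without its revocation status having been checked, and outside debug mode nothing in the output records that this happened. A fail-open of this kind should be visible to the operator: consider `append_warning_message "OCSP query timed out (ignored)"` or a line in the long output in place of the debug-only echo, and mark the branch with `# fail-open by operator choice: revocation status is unknown here`. The match `grep -qi "timeout on connect"` also depends on the exact wording of the OpenSSL error, which is not guaranteed stable across versions; if it changes the branch becomes silently inert. main continues outside the hunk.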
@@ -2902,25 +2986,25 @@ main() {
if [ -n "${HTTP_PROXY:-}" ] ; then
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi
if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
fi
else
if [ -n "${DEBUG}" ] ; then
- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi
if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
fi
fi
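Review bot: The rewritten debug line in the HTTP_PROXY branch still carries a stray `]` after `${CERT}` (`-cert \"${CERT}]\"`), so the command printed under debug is not the command executed two lines below; drop the bracket: `-cert \"${CERT}\" -host \"${HTTP_PROXY#*://}\"`. The eight near-identical `openssl ocsp` invocations across this and the previous hunk differ only in the proxy and header arguments; building the common prefix (`-timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}"`) once, or wrapping the call in a small helper, would have made this `-timeout` addition a single edit and keeps the debug echo and the real command from drifting apart again. main continues outside the hunk.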
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "January, 2020" "1.109.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "May, 2020" "1.113.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -93,6 +93,9 @@ ignore expiration date
.BR " --ignore-ocsp"
do not check revocation with OCSP
.TP
+.BR " --ignore-ocsp-timeout"
+ignore OCSP result when timeout occurs while checking
+.TP
.BR " --ignore-sig-alg"
do not check if the certificate was signed with SHA1 or MD5
.TP
@@ -109,9 +112,9 @@ pattern to match the issuer of the certificate
use client certificate key to authenticate
.TP
.BR "-L,--check-ssl-labs grade"
-SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
+SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html). Critical if the grade is lower than specified.
.TP
-.BR " --check-ssl-warn-labs grade"
+.BR " --check-ssl-labs-warn grade"
SSL Labs grade on which to warn
.TP
.BR " --long-output" " list"
@@ -139,6 +142,9 @@ disable TLS version 1.3
.BR " --no_tls1_2"
disable TLS version 1.2
.TP
+.BR " --not-valid-longer-than" " days"
+critical if the certificate validity is longer than the specified period
+.TP
.BR "-N,--host-cn"
match CN with the host name
.TP
@@ -158,7 +164,7 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
-use the specific protocol: ftp, ftps, http (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, sieve, smtp, smtps, xmpp.
+use the specific protocol: ftp, ftps, http, https (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, postgres, sieve, smtp, smtps, xmpp, xmpp-server.
.br
These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.
.TP
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.109.0
+%define version 1.113.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,18 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Tue May 19 2020 Matteo Corti <matteo at corti.li> - 1.113.0-0
+- Updated to 1.113.0
+
+* Tue Apr 7 2020 Matteo Corti <matteo at corti.li> - 1.112.0-0
+- Updated to 1.112.0
+
+* Mon Mar 9 2020 Matteo Corti <matteo at corti.li> - 1.111.0-0
+- Updated to 1.111.0
+
+* Mon Feb 17 2020 Matteo Corti <matteo at corti.li> - 1.110.0-0
+- Updated to 1.110.0
+
* Tue Jan 7 2020 Matteo Corti <matteo at corti.li> - 1.109.0-0
- Updated to 1.109.0
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/test/._unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.109.0/test/._unit_tests.sh and b/check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh differ
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.109.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh
=====================================
@@ -38,8 +38,8 @@ oneTimeSetUp() {
# check in OpenSSL supports dane checks
if openssl s_client -help 2>&1 | grep -q -- -dane_tlsa_rrdata || openssl s_client not_a_real_option 2>&1 | grep -q -- -dane_tlsa_rrdata; then
- echo "dane checks supported"
- DANE=1
+ echo "dane checks supported"
+ DANE=1
fi
}
@@ -79,13 +79,13 @@ testUsage() {
}
testMissingArgument() {
- ${SCRIPT} -H www.google.com -c > /dev/null 2>&1
+ ${SCRIPT} -H www.google.com --critical > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testMissingArgument2() {
- ${SCRIPT} -H www.google.com -c -w 10 > /dev/null 2>&1
+ ${SCRIPT} -H www.google.com --critical --warning 10 > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
@@ -206,15 +206,15 @@ testXMPPHost() {
# $TRAVIS is set an environment variable
# shellcheck disable=SC2154
if [ -z "${TRAVIS+x}" ] ; then
- out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
- EXIT_CODE=$?
- if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
- else
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- fi
+ out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
+ EXIT_CODE=$?
+ if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+ else
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ fi
else
- echo "Skipping XMPP tests on Travis CI"
+ echo "Skipping XMPP tests on Travis CI"
fi
}
@@ -226,42 +226,42 @@ testTimeOut() {
testIMAP() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping IMAP tests on Travis CI"
+ echo "Skipping IMAP tests on Travis CI"
fi
}
testIMAPS() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} --rootcert cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping IMAP tests on Travis CI"
+ echo "Skipping IMAP tests on Travis CI"
fi
}
testPOP3S() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping POP3S tests on Travis CI"
+ echo "Skipping POP3S tests on Travis CI"
fi
}
testSMTP() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping SMTP tests on Travis CI"
+ echo "Skipping SMTP tests on Travis CI"
fi
}
@@ -343,61 +343,61 @@ testBadSSLIncompleteChain() {
testBadSSLSHA256() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H sha256.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H sha256.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping SHA 256 with badssl.com on Travis CI"
+ echo "Skipping SHA 256 with badssl.com on Travis CI"
fi
}
testBadSSLEcc256() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H ecc256.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H ecc256.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping ECC 256 with badssl.com on Travis CI"
+ echo "Skipping ECC 256 with badssl.com on Travis CI"
fi
}
testBadSSLEcc384() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H ecc384.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H ecc384.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping ECC 384 with badssl.com on Travis CI"
+ echo "Skipping ECC 384 with badssl.com on Travis CI"
fi
}
testBadSSLRSA8192() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rsa8192.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H rsa8192.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping RSA8192 with badssl.com on Travis CI"
+ echo "Skipping RSA8192 with badssl.com on Travis CI"
fi
}
testBadSSLLongSubdomainWithDashes() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping long subdomain with dashes with badssl.com on Travis CI"
+ echo "Skipping long subdomain with dashes with badssl.com on Travis CI"
fi
}
testBadSSLLongSubdomain() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping long subdomain with badssl.com on Travis CI"
+ echo "Skipping long subdomain with badssl.com on Travis CI"
fi
}
@@ -428,29 +428,29 @@ testRequireOCSP() {
# tests for -4 and -6
testIPv4() {
if openssl s_client -help 2>&1 | grep -q -- -4 ; then
- ${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping forcing IPv4: no OpenSSL support"
+ echo "Skipping forcing IPv4: no OpenSSL support"
fi
}
testIPv6() {
if openssl s_client -help 2>&1 | grep -q -- -6 ; then
- if ifconfig -a | grep -q inet6 ; then
+ if ifconfig -a | grep -q inet6 ; then
- ${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- else
- echo "Skipping forcing IPv6: not IPv6 configured locally"
- fi
+ else
+ echo "Skipping forcing IPv6: not IPv6 configured locally"
+ fi
else
- echo "Skipping forcing IPv6: no OpenSSL support"
+ echo "Skipping forcing IPv6: no OpenSSL support"
fi
}
@@ -481,63 +481,44 @@ testMoreErrors2() {
# dane
-testDANE() {
- ${SCRIPT} --dane -H mail.aegee.org
- EXIT_CODE=$?
- if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
- fi
-}
-
testDANE211() {
${SCRIPT} --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
- fi
-}
-
-testDANE311SMTP() {
- ${SCRIPT} --dane 311 --port 25 -P smtp -H mail.ietf.org
- EXIT_CODE=$?
- if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}
-testDANE311() {
- ${SCRIPT} --dane 311 -H www.ietf.org
- EXIT_CODE=$?
- if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
- fi
-}
+# does not work anymore
+#testDANE311SMTP() {
+# ${SCRIPT} --dane 311 --port 25 -P smtp -H mail.ietf.org
+# EXIT_CODE=$?
+# if [ -n "${DANE}" ] ; then
+# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+# else
+# assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+# fi
+#}
+#
+#testDANE311() {
+# ${SCRIPT} --dane 311 -H www.ietf.org
+# EXIT_CODE=$?
+# if [ -n "${DANE}" ] ; then
+# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+# else
+# assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+# fi
+#}
testDANE301ECDSA() {
${SCRIPT} --dane 301 --ecdsa -H mail.aegee.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
- else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
- fi
-}
-
-testDANE302ECDSA() {
- ${SCRIPT} --dane 302 --ecdsa -H mail.aegee.org
- EXIT_CODE=$?
- if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}
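Review bot: The two commented-out DANE tests (testDANE311SMTP, testDANE311) carry only `# does not work anymore`, and testDANE and testDANE302ECDSA are dropped with no comment at all, so a later maintainer cannot tell whether the breakage was in the plugin's `--dane 311`/`--dane 302` handling or in the target hosts' TLSA records. Replace the bare comment with one that records the cause and a date, e.g. `# disabled YYYY-MM-DD: <host> no longer serves the TLSA record this test expects (TODO confirm)`, or delete the dead code and keep the rationale in ChangeLog. Judging by the old side, DANE coverage shrinks from six test functions to two (211 and 301 --ecdsa) without anything in the hunk saying so.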
@@ -555,21 +536,21 @@ testRequiredProgramPermissions() {
testSieveRSA() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --rsa
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --rsa
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping sieve tests on Travis CI"
+ echo "Skipping sieve tests on Travis CI"
fi
}
testSieveECDSA() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --ecdsa
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --ecdsa
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping sieve tests on Travis CI"
+ echo "Skipping sieve tests on Travis CI"
fi
}
@@ -579,11 +560,23 @@ testHTTP2() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
+testForceHTTP2() {
+ ${SCRIPT} -H www.ethz.ch --protocol h2
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testNotLongerValidThan() {
+ ${SCRIPT} -H www.ethz.ch --not-valid-longer-than 2
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
# SSL Labs (last one as it usually takes a lot of time
testETHZWithSSLLabs() {
- # we assume www.ethz.ch gets at least a C
- ${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs A --rootcert cabundle.crt
+ # we assume www.ethz.ch gets at least a B
+ ${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs B --rootcert cabundle.crt
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
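Review bot: The comment in testETHZWithSSLLabs now reads `we assume www.ethz.ch gets at least a B` while the command under it tests `-H ethz.ch --cn ethz.ch`, so the comment names a different host than the one graded; change it to `# we assume ethz.ch gets at least a B`. Lowering the accepted grade from A to B also means a TLS-configuration regression at that host no longer fails the suite, which deserves a sentence in the same comment. testForceHTTP2 and testNotLongerValidThan omit `--rootcert cabundle.crt` unlike the neighbouring tests, so they appear to rely on the system trust store; if that is intended, a one-line comment would make it explicit. testHTTP2's body starts outside the hunk.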
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.109.0
+Version: 1.113.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.109.0/
\ No newline at end of file
+check_ssl_cert_1.113.0
\ No newline at end of file