[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 3 commits: Update check_ssl_cert to 1.118.0
Jan Wagner
gitlab at salsa.debian.org
Fri Sep 25 13:53:31 BST 2020
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
1b75778e by Jan Wagner at 2020-06-22T18:01:34+02:00
Update check_ssl_cert to 1.118.0
- - - - -
7474d54a by Jan Wagner at 2020-07-06T09:58:58+02:00
Update check_ssl_cert to 1.120.0
- - - - -
2569d5b7 by Jan Wagner at 2020-09-25T14:46:15+02:00
check_ssl_cert: Update to 1.122.0
- - - - -
20 changed files:
- − check_ssl_cert/check_ssl_cert_1.113.0/VERSION
- − check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh
- check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.122.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.113.0/COPYING → check_ssl_cert/check_ssl_cert_1.122.0/COPYING
- check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.122.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.122.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.113.0/INSTALL → check_ssl_cert/check_ssl_cert_1.122.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.113.0/Makefile → check_ssl_cert/check_ssl_cert_1.122.0/Makefile
- check_ssl_cert/check_ssl_cert_1.113.0/NEWS → check_ssl_cert/check_ssl_cert_1.122.0/NEWS
- check_ssl_cert/check_ssl_cert_1.113.0/README.md → check_ssl_cert/check_ssl_cert_1.122.0/README.md
- check_ssl_cert/check_ssl_cert_1.113.0/TODO → check_ssl_cert/check_ssl_cert_1.122.0/TODO
- + check_ssl_cert/check_ssl_cert_1.122.0/VERSION
- check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.122.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.122.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.122.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.113.0
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh deleted
=====================================
Binary files a/check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh and /dev/null differ
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.122.0/AUTHORS
=====================================
@@ -93,4 +93,13 @@ Thanks:
* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix
* Many thanks to Jörg Thalheim (https://github.com/Mic92) for the xmpp-server patch
* Many thanks to Arkadiusz Miśkiewicz (https://github.com/arekm) for the OCSP timeout patch
-* Many thanks to Thomas Weißschuh (https://github.com/t-8ch) for the PostgreSQL patch
\ No newline at end of file
+* Many thanks to Thomas Weißschuh (https://github.com/t-8ch) for the PostgreSQL patch
+* Many thanks to Jonathan Besanceney (https://github.com/jonathan-besanceney) for the proxy patch
+* Many thanks to grizzlydev-sarl (https://github.com/grizzlydev-sarl) for the
+ processing of all the certificate in the chain
+* Many thanks to Claudio Kuenzler (https://github.com/Napsty) for the chain expiration output fix
+* Many thanks to jf-vf (https://github.com/jf-vf) for the MySQL support patch
+* Many thanks to skanx (https://github.com/skanx) for the --not-issued-by output patch
+* Many thanks to Zadkiel (https://github.com/aslafy-z) for the --version, the
+ --skip-element patches
+* Many thanks to Marcel Burkhalter (https://github.com/explorer69) the custom HTTP header patch.
\ No newline at end of file
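Review bot: The last added entry (Marcel Burkhalter) is missing "for" before "the custom HTTP header patch" and ends with a period, unlike every other entry in the list. The file also still ends without a trailing newline, as the "\ No newline at end of file" marker on both sides shows. Suggest "... (https://github.com/explorer69) for the custom HTTP header patch" followed by a final newline.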
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/COPYING → check_ssl_cert/check_ssl_cert_1.122.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.122.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.122.0/ChangeLog
=====================================
@@ -1,3 +1,37 @@
+2020-08-07 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Fixed a bug with the output of --version
+
+2020-07-24 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): Fixed a bug in the output with --not-issued-by
+
+2020-07-02 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (fetch_certificate): MySQL support
+
+2020-07-01 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Adding support for better file(1) certificate parsing
+
+2020-06-12 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Fixed a problem on BSD in the processing of the issuers
+ * check_ssl_cert (debuglog): [DBG] prefix for all the lines
+
+2020-06-09 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: fixed a bug in the output (expiration date of chain elements)
+
+2020-06-05 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (fetch_certificate): support for s_client -proxy option
+
+2020-06-04 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Processes all the certificates in the chain
+ * check_ssl_cert: New option to check that the issuer does not match a given pattern
+
2020-05-18 Matteo Corti <matteo at corti.li>
* check_ssl_cert: Propagates the -6 switch to nmap
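Review bot: The added ChangeLog entries do not cover everything that NEWS announces for the same releases. There is no entry for 2020-05-27 (1.114.0, the proxy option), and the 2020-08-07 entry records only the --version fix, although NEWS lists --skip-element and --custom-header for 1.122.0. Because the diff of the check_ssl_cert script itself is not included in this mail, the ChangeLog is the only per-function record available for review, so the missing entries are worth requesting upstream.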
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/INSTALL → check_ssl_cert/check_ssl_cert_1.122.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/Makefile → check_ssl_cert/check_ssl_cert_1.122.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/NEWS → check_ssl_cert/check_ssl_cert_1.122.0/NEWS
=====================================
@@ -1,3 +1,13 @@
+2020-08-07 Version 1.122.0: Bug fix, --skip-element and --custom-header
+2020-07-24 Version 1.121.0: Bug fix release
+2020-07-02 Version 1.120.0: MySQL support
+2020-07-01 Version 1.119.0: Bug fix release
+2020-06-12 Version 1.118.0: Bug fix release
+2020-06-09 Version 1.117.0: Fixed a bug in the output (expiration date of chain elements)
+2020-06-05 Version 1.116.0: Supports s_client -proxy option
+2020-06-04 Version 1.115.0: Checks all the certificates in the chain
+ New option to check that the issuer does not match a given pattern
+2020-05-27 Version 1.114.0: Added an option to specify a proxy
2020-05-19 Version 1.113.0: Fixed a bug with nmap and hosts with IPv6 addresses only
2020-04-07 Version 1.112.0: Timeout for OCSP queries and option to ignore timeout errors and PostgreSQL support
2020-03-09 Version 1.111.0: New option (--not-valid-longer-than) to check if a certificate is valid longer than the
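Review bot: The 1.122.0 line names the new option --custom-header, but the README and the man page in this same update document it as --custom-http-header. Align NEWS with the spelling the other two files use, so that anyone copying the option name from NEWS gets the documented one.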
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/README.md → check_ssl_cert/check_ssl_cert_1.122.0/README.md
=====================================
@@ -14,6 +14,7 @@ A shell script (that can be used as a Nagios plugin) to check an X.509 certifica
## Usage
```
+
Usage: check_ssl_cert -H host [OPTIONS]
Arguments:
@@ -26,10 +27,12 @@ Options:
-C,--clientcert path use client certificate to authenticate
--clientpass phrase set passphrase for client certificate..
-c,--critical days minimum number of days a certificate has to
- be valid to issue a critical status
+ be valid to issue a critical status. Default: 15
--curl-bin path path of the curl binary to be used
--curl-user-agent string user agent that curl shall use to obtain the
issuer cert
+ --custom-http-header string custom HTTP header sent when getting the cert
+ example: 'X-Check-Ssl-Cert: Foobar=1'
--dane verify that valid DANE records exist (since OpenSSL 1.1.0)
--dane 211 verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists
--dane 301 verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists
@@ -47,6 +50,7 @@ Options:
period
--file-bin path path of the file binary to be used
--fingerprint SHA1 pattern to match the SHA1-Fingerprint
+ --first-element-only verify just the first cert element, not the whole chain
--force-perl-date force the usage of Perl for date computations
--format FORMAT format output template on success, for example
"%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
@@ -55,6 +59,7 @@ Options:
related checks
--ignore-exp ignore expiration date
--ignore-ocsp do not check revocation with OCSP
+ --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking
--ignore-sig-alg do not check if the certificate was signed with SHA1
or MD5
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
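Review bot: The help text for --ignore-ocsp-timeout does not say which status the plugin reports once a timeout has been ignored. If the result is then OK, the revocation check fails open whenever the OCSP responder cannot be reached in time, and an operator should be able to read that from the option description. Suggest stating the resulting status explicitly and how it differs from --ignore-ocsp on the line above.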
@@ -64,7 +69,7 @@ Options:
-K,--clientkey path use client certificate key to authenticate
-L,--check-ssl-labs grade SSL Labs assessment
(please check https://www.ssllabs.com/about/terms.html)
- --check-ssl-labs-warn-grade SSL-Labs grade on which to warn
+ --check-ssl-labs-warn grade SSL-Labs grade on which to warn
--long-output list append the specified comma separated (no spaces) list
of attributes to the plugin output on additional lines
Valid attributes are:
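Review bot: The help line changes the option spelling from --check-ssl-labs-warn-grade to --check-ssl-labs-warn with a grade argument, yet neither the NEWS nor the ChangeLog entries in this update mention it. If this is a rename rather than a documentation correction, existing Nagios command definitions that use the old spelling are affected; NEWS should say which of the two it is.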
@@ -80,6 +85,10 @@ Options:
--no_tls1_1 disable TLS version 1.1
--no_tls1_2 disable TLS version 1.2
--no_tls1_3 disable TLS version 1.3
+ --not-issued-by issuer check that the issuer of the certificate does not match
+ the given pattern
+ --not-valid-longer-than days critical if the certificate validity is longer than
+ the specified period
-N,--host-cn match CN with the host name
--ocsp-critical hours minimum number of hours an OCSP response has to be valid to
issue a critical status
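Review bot: --not-issued-by takes a "pattern", but the description does not say whether that is a substring, a shell glob or a regular expression, nor which issuer field it is compared against. For an option whose purpose is to reject unwanted issuers, the match semantics decide what is actually rejected, so they should be documented here and in the matching man page entry. Since 1.115.0 also processes every certificate in the chain, it would help to state whether the pattern is applied to the leaf only or to each chain element.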
@@ -90,10 +99,12 @@ Options:
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|
- postgres|sieve|smtp|smtps|xmpp|xmpp-server}
+ postgres|sieve|smtp|smtps|xmpp|xmpp-server}
https: default
- h2: forces HTTP/2
- ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS
+ h2: forces HTTP/2
+ ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to
+ TLS using StartTLS
+ --proxy proxy sets http_proxy and the s_client -proxy option
--require-no-ssl2 critical if SSL version 2 is offered
--require-no-ssl3 critical if SSL version 3 is offered
--require-no-tls1 critical if TLS 1 is offered
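Review bot: The protocol list in this README hunk is re-indented but still lacks mysql, while the man page in the same update adds mysql both to the protocol list and to the StartTLS list, and NEWS announces MySQL support for 1.120.0. The --proxy text also differs between the two files: here it is "sets http_proxy and the s_client -proxy option", in the man page only "sets http_proxy". Bring the README and the man page into agreement on both points.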
@@ -123,7 +134,7 @@ Options:
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
- to issue a warning status
+ to issue a warning status. Default: 20
--xmpphost name specifies the host for the 'to' attribute of the stream element
-4 force IPv4
-6 force IPv6
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/TODO → check_ssl_cert/check_ssl_cert_1.122.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.122.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.122.0
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert
=====================================
The diff for this file was not included because it is too large.
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "May, 2020" "1.113.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "July, 2020" "1.122.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
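Review bot: The .TH line gives "July, 2020" as the date for 1.122.0, but NEWS, the ChangeLog and the spec changelog all date 1.122.0 to 2020-08-07. Suggest "August, 2020" so the man page header matches the release it describes.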
@@ -36,9 +36,12 @@ minimum number of days a certificate has to be valid to issue a critical status
.BR " --curl-bin" " path"
path of the curl binary to be used
.TP
-.BR " --curl-user-agent" "string"
+.BR " --curl-user-agent" " string"
user agent that curl shall use to obtain the issuer cert
.TP
+.BR " --custom-http-header" " string"
+custom HTTP header sent when getting the cert
+.TP
.BR " --dane"
verifies there are valid TLSA records for the returned certificate, requires OpenSSL 1.1.0 or later
.TP
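Review bot: The man page entry for --custom-http-header omits the example that the README gives ('X-Check-Ssl-Cert: Foobar=1'), so the expected "Name: value" form of the string is not visible to someone reading only the man page. Add the example line here as well.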
@@ -142,6 +145,9 @@ disable TLS version 1.3
.BR " --no_tls1_2"
disable TLS version 1.2
.TP
+.BR " --not-issued-by" " issuer"
+check that the issuer of the certificate does not match the given pattern
+.TP
.BR " --not-valid-longer-than" " days"
critical if the certificate validity is longer than the specified period
.TP
@@ -164,9 +170,12 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
-use the specific protocol: ftp, ftps, http, https (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, postgres, sieve, smtp, smtps, xmpp, xmpp-server.
+use the specific protocol: ftp, ftps, http, https (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3, pop3s, postgres, sieve, smtp, smtps, xmpp, xmpp-server.
.br
-These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.
+These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, mysql, pop3, smtp.
+.TP
+.BR " --proxy" " proxy"
+sets http_proxy
.TP
.BR " --require-no-ssl2"
critical if SSL version 2 is offered
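Review bot: The StartTLS sentence gains mysql but still omits postgres and sieve, which the README lists among the protocols that switch to TLS using StartTLS. The new --proxy entry says only "sets http_proxy", whereas the README and the 1.116.0 NEWS line also mention the s_client -proxy option. Both descriptions should match the README.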
@@ -186,6 +195,9 @@ allows self-signed certificates
.BR " --serial serialnum"
pattern to match the serial number
.TP
+.BR "--skip-element" " number"
+skip checks on N cert element from the begining of the chain
+.TP
.BR " --sni name"
sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
.TP
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.122.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.113.0
+%define version 1.122.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,30 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Fri Aug 7 2020 Matteo Corti <matteo at corti.li> - 1.122.0-0
+- Updated to 1.122.0
+
+* Fri Jul 24 2020 Matteo Corti <matteo at corti.li> - 1.121.0-0
+- Updated to 1.121.0
+
+* Thu Jul 2 2020 Matteo Corti <matteo at corti.li> - 1.120.0-0
+- Updated to 1.120.0
+
+* Wed Jul 1 2020 Matteo Corti <matteo at corti.li> - 1.119.0-0
+- Updated to 1.119.0
+
+* Fri Jun 12 2020 Matteo Corti <matteo at corti.li> - 1.118.0-0
+- Updated to 1.118.0
+
+* Sat Jun 6 2020 Matteo Corti <matteo at corti.li> - 1.117.0-0
+- Updated to 1.117.0
+
+* Thu Jun 4 2020 Matteo Corti <matteo at corti.li> - 1.115.0-0
+- Updated to 1.115.0
+
+* Wed May 27 2020 Matteo Corti <matteo at corti.li> - 1.114.0-0
+- Updated to 1.114.0
+
* Tue May 19 2020 Matteo Corti <matteo at corti.li> - 1.113.0-0
- Updated to 1.113.0
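Review bot: The added %changelog block has no entry for 1.116.0, although NEWS lists that release on 2020-06-05. The 1.117.0 entry is dated "Sat Jun 6 2020" while NEWS and the ChangeLog date the corresponding fix to 2020-06-09. Either add the missing entry and correct the date, or note why the spec changelog diverges from NEWS.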
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.122.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.122.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.122.0/test/unit_tests.sh
=====================================
@@ -226,7 +226,8 @@ testTimeOut() {
testIMAP() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap
+ # minimal critical and warning as they renew pretty late
+ ${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
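Review bot: Lowering the thresholds to --critical 1 --warning 2 keeps testIMAP dependent on how late a third-party host (imap.gmx.com) renews its certificate; the test will still fail in the last two days before a renewal. Since the test is about the IMAP StartTLS path rather than expiry, consider --ignore-exp, which the README documents as "ignore expiration date", instead of tuning the day counts.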
@@ -420,7 +421,7 @@ testMultipleOCSPHosts() {
}
testRequireOCSP() {
- ${SCRIPT} -H videolan.org --rootcert cabundle.crt --require-ocsp-stapling
+ ${SCRIPT} -H videolan.org --rootcert cabundle.crt --require-ocsp-stapling --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
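Review bot: The same --critical 1 --warning 2 thresholds are added to testRequireOCSP without the explanatory comment that the testIMAP hunk carries. Add a one-line comment giving the reason, so a later reader does not take the low thresholds for a requirement of the OCSP stapling check.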
@@ -462,8 +463,7 @@ testFormatShort() {
}
testMoreErrors() {
- VALUE=1000
- OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --critical "${VALUE}" --rootcert cabundle.crt | wc -l | sed 's/\ //g' )
+ OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --critical 1000 --warning 1001 --rootcert cabundle.crt --verbose | wc -l | sed 's/\ //g' )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# we should get three lines: the plugin output and two errors
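Review bot: In testMoreErrors, EXIT_CODE=$? follows a command substitution whose pipeline ends in sed, so it records the exit status of sed and not of the plugin; the "wrong exit code" assertion therefore cannot detect a plugin failure. The rewritten line keeps that pipeline and additionally passes --verbose, while the comment below still expects exactly three lines of output. Capture the plugin output and status first, count the lines in a second step, and confirm that the expected line count still holds with --verbose.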
@@ -471,8 +471,7 @@ testMoreErrors() {
}
testMoreErrors2() {
- VALUE=1000
- OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --warning "${VALUE}" --rootcert cabundle.crt | wc -l | sed 's/\ //g' )
+ OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --warning 1000 --warning 1001 --rootcert cabundle.crt --verbose | wc -l | sed 's/\ //g' )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# we should get three lines: the plugin output and two errors
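Review bot: The new command line in testMoreErrors2 passes --warning twice ("--warning 1000 --warning 1001") and no --critical, so the first value is either overridden or ignored and the test no longer exercises what the removed line did with a single --warning "${VALUE}". This looks like a copy of the testMoreErrors change with the wrong option replaced; decide which pair of thresholds is intended and pass each option once. As in testMoreErrors, EXIT_CODE=$? here reflects the trailing sed in the pipeline rather than the plugin.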
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.113.0
+Version: 1.122.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.113.0
\ No newline at end of file
+check_ssl_cert_1.122.0
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/f268738fe3b447fd735a3df9df328a1bc1e803f4...2569d5b77b4a47bd42436ddc5b3aeb7578710f06