[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] check_ssl_cert: Update to 1.137.0
Jan Wagner
gitlab at salsa.debian.org
Tue Feb 23 18:53:16 GMT 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
1d2c8026 by Jan Wagner at 2021-02-23T19:50:09+01:00
check_ssl_cert: Update to 1.137.0
- - - - -
22 changed files:
- − check_ssl_cert/check_ssl_cert_1.135.0/VERSION
- check_ssl_cert/check_ssl_cert_1.135.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.137.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.135.0/COPYING → check_ssl_cert/check_ssl_cert_1.137.0/COPYING
- check_ssl_cert/check_ssl_cert_1.135.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.137.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.135.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.137.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.135.0/INSTALL → check_ssl_cert/check_ssl_cert_1.137.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.135.0/Makefile → check_ssl_cert/check_ssl_cert_1.137.0/Makefile
- check_ssl_cert/check_ssl_cert_1.135.0/NEWS → check_ssl_cert/check_ssl_cert_1.137.0/NEWS
- check_ssl_cert/check_ssl_cert_1.135.0/README.md → check_ssl_cert/check_ssl_cert_1.137.0/README.md
- check_ssl_cert/check_ssl_cert_1.135.0/TODO → check_ssl_cert/check_ssl_cert_1.137.0/TODO
- + check_ssl_cert/check_ssl_cert_1.137.0/VERSION
- check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.135.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/._cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.135.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.135.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.135.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_1.135.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.135.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.137.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.135.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.137.0/AUTHORS
=====================================
@@ -106,4 +106,5 @@ Thanks:
* Many thanks to Peter Newmann (https://github.com/peternewman) for the timeout
documentation patch and the issuers patch
* Many thanks to cbiedl (https://github.com/cbiedl) for the proxy patch
-* Many thanks to Robin Schneider (https://github.com/ypid-geberit) for the --long-output all patch
\ No newline at end of file
+* Many thanks to Robin Schneider (https://github.com/ypid-geberit) for the --long-output all patch
+* Many thanks to Robin Pronk (https://github.com/rfpronk) for the -u patch
\ No newline at end of file
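Review bot: the file still ends without a trailing newline on both sides of this hunk ("\ No newline at end of file"), which is why the unchanged Robin Schneider line shows up as removed and re-added; add a final newline so the next append to AUTHORS produces a one-line diff.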
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/COPYING → check_ssl_cert/check_ssl_cert_1.137.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.137.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.137.0/ChangeLog
=====================================
@@ -1,6 +1,14 @@
+2021-02-17 Robin Pronk <robin.pronk at nedap.com>
+
+ * check_ssl_cert: Make HTTP request url configurable (default stays /)
+
+2021-02-05 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Adds a check for grep (to check if basic utilities are in the PATH)
+
2021-01-28 Matteo Corti <matteo at corti.li>
- * check_ssl_cert (check_attr): Checks for signed certificate timestamps (STCs)
+ * check_ssl_cert (check_attr): Checks for signed certificate timestamps (SCTs)
* check_ssl_cert (fetch_certificate): Better error catching for s_client errors
2021-01-26 Matteo Corti <matteo at corti.li>
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/INSTALL → check_ssl_cert/check_ssl_cert_1.137.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/Makefile → check_ssl_cert/check_ssl_cert_1.137.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/NEWS → check_ssl_cert/check_ssl_cert_1.137.0/NEWS
=====================================
@@ -1,6 +1,8 @@
-2021-01-28 Version 1.135.0: checks for signed certificate timestamps (STCs)
-2021-01-27 Version 1.134.0: complete support for Alpine Linux and BusyBox
-2021-01-26 Version 1.133.0: added the --date option to specify the date binary
+2021-02-18 Version 1.137.0: Added the --url option to specify the URL for the HTTP request
+2021-02-16 Version 1.136.0: Fixed the signed certificate timestamps spelling (command line option)
+2021-01-28 Version 1.135.0: Checks for signed certificate timestamps (SCTs)
+2021-01-27 Version 1.134.0: Complete support for Alpine Linux and BusyBox
+2021-01-26 Version 1.133.0: Added the --date option to specify the date binary
support for BusyBox date
2021-01-18 Version 1.132.0: Timeouted subprocesses can now be interrupted
Revokation via CRL can be checked with the --crl option
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/README.md → check_ssl_cert/check_ssl_cert_1.137.0/README.md
=====================================
@@ -28,7 +28,7 @@ Options:
--clientpass phrase set passphrase for client certificate..
-c,--critical days minimum number of days a certificate has to
be valid to issue a critical status. Default: 15
- --crl checks revokation via CRL (requires --rootcert-file)
+ --crl checks revokation via CRL (requires --rootcert-file)
--curl-bin path path of the curl binary to be used
--curl-user-agent string user agent that curl shall use to obtain the
issuer cert
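Review bot: the touched --crl line keeps the misspelling "revokation"; since the line is being rewritten anyway, change it to "--crl checks revocation via CRL (requires --rootcert-file)".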
@@ -65,7 +65,7 @@ Options:
--ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking
--ignore-sig-alg do not check if the certificate was signed with SHA1
or MD5
- --ignore-stc do not check for signed certificate timestamps
+ --ignore-sct do not check for signed certificate timestamps (SCT)
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
--inetproto protocol Force IP version 4 or 6
-i,--issuer issuer pattern to match the issuer of the certificate
@@ -135,6 +135,7 @@ Options:
--tls1_1 force TLS version 1.1
--tls1_2 force TLS version 1.2
--tls1_3 force TLS version 1.3
+ -u,--url URL HTTP request URL
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/TODO → check_ssl_cert/check_ssl_cert_1.137.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.137.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.135.0
+VERSION=1.137.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -107,7 +107,7 @@ usage() {
echo " --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking"
echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
echo " or MD5"
- echo " --ignore-stc do not check for signed certificate timestamps"
+ echo " --ignore-sct do not check for signed certificate timestamps (SCT)"
echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
echo " --inetproto protocol Force IP version 4 or 6"
echo " -i,--issuer issuer pattern to match the issuer of the certificate"
@@ -179,6 +179,7 @@ usage() {
echo " --tls1_1 force TLS version 1.1"
echo " --tls1_2 force TLS version 1.2"
echo " --tls1_3 force TLS version 1.3"
+ echo " -u,--url URL HTTP request URL"
echo " -v,--verbose verbose output"
echo " -V,--version version"
echo " -w,--warning days minimum number of days a certificate has to be valid"
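Review bot: the new help line "-u,--url URL HTTP request URL" does not say what is expected: the value replaces the "/" request-target of the HTTP request (the script initialises HTTP_REQUEST_URL="/"), so it should be a path such as /status rather than a full URL. State that and the default in the help text, and mirror the wording in README.md.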
@@ -207,7 +208,7 @@ usage() {
# $1: string
debuglog() {
if [ -n "${DEBUG}" ] ; then
- echo "${1}" | sed 's/^/[DBG] /' >&2
+ echo "${1}" | sed 's/^/[DBG] /' >&2
fi
}
@@ -256,7 +257,7 @@ cleanup() {
create_temporary_file() {
- # create a temporary file
+ # create a temporary file
TEMPFILE="$( mktemp "${TMPDIR}/XXXXXX" 2> /dev/null )"
if [ -z "${TEMPFILE}" ] || [ ! -w "${TEMPFILE}" ] ; then
unknown 'temporary file creation failure.'
@@ -280,18 +281,17 @@ hours_until() {
debuglog "Date computations: ${DATETYPE}"
debuglog "Computing number of hours until '${DATE}'"
-
+
case "${DATETYPE}" in
"BSD")
HOURS_UNTIL=$(( ( $(${DATEBIN} -jf "%b %d %T %Y %Z" "${DATE}" +%s) - $(${DATEBIN} +%s) ) / 3600 ))
;;
- 'BUSYBOX')
-
- BUSYBOX_DATE=$( echo "${DATE}" | sed 's/[ ][^ ]*$//' )
- debuglog "Computing number of hours until '${BUSYBOX_DATE}' (BusyBox compatible format)"
- verboselog "Warning: BusyBox date does not support time zones. Using ${BUSYBOX_DATE} in the current zone instead of ${DATE}"
+ "BUSYBOX")
+ BUSYBOX_DATE=$( echo "${DATE}" | sed 's/[ ][^ ]*$//' )
+ debuglog "Computing number of hours until '${BUSYBOX_DATE}' (BusyBox compatible format)"
+ verboselog "Warning: BusyBox date does not support time zones. Using ${BUSYBOX_DATE} in the current zone instead of ${DATE}"
HOURS_UNTIL=$(( ( $(${DATEBIN} -d "${BUSYBOX_DATE}" +%s) - $(${DATEBIN} +%s) ) / 3600 ))
- ;;
+ ;;
"GNU")
HOURS_UNTIL=$(( ( $(${DATEBIN} -d "${DATE}" +%s) - $(${DATEBIN} +%s) ) / 3600 ))
;;
@@ -484,7 +484,7 @@ unknown() {
require_s_client_option() {
debuglog "Checking if s_client supports the $1 option"
if ! "${OPENSSL}" s_client -help 2>&1 | grep -q -- "$1" ; then
- unknown "s_client does not support the $1 option"
+ unknown "s_client does not support the $1 option"
fi
}
@@ -520,17 +520,17 @@ exec_with_timeout() {
debuglog "$(printf "%s %s %s\n" "${TIMEOUT_BIN}" "${time}" "${command}")"
- # We execute timeout in the backgroud so that it can be relay a signal to 'timeout'
- # https://unix.stackexchange.com/questions/57667/why-cant-i-kill-a-timeout-called-from-a-bash-script-with-a-keystroke/57692#57692
+ # We execute timeout in the backgroud so that it can be relay a signal to 'timeout'
+ # https://unix.stackexchange.com/questions/57667/why-cant-i-kill-a-timeout-called-from-a-bash-script-with-a-keystroke/57692#57692
eval "${TIMEOUT_BIN} ${time} ${command} &" > /dev/null 2>&1
- TIMEOUT_PID=$!
- wait "${TIMEOUT_PID}" > /dev/null 2>&1
+ TIMEOUT_PID=$!
+ wait "${TIMEOUT_PID}" > /dev/null 2>&1
RET=$?
# return codes
# https://www.gnu.org/software/coreutils/manual/coreutils.html#timeout-invocation
- # because of the execution in the backgroud we get a 137 for a timeout
+ # because of the execution in the backgroud we get a 137 for a timeout
if [ "${RET}" -eq 137 ] || [ "${RET}" -eq 124 ] ; then
prepend_critical_message "Timeout after ${time} seconds"
elif [ "${RET}" -eq 125 ] ; then
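Review bot: the re-indented comments still carry the typos "backgroud" (twice) and "so that it can be relay a signal"; since these lines are already in the hunk, correct them to "background" and "so that it can relay a signal".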
@@ -633,26 +633,25 @@ check_crl() {
create_temporary_file; CERT_ELEMENT=${TEMPFILE}
debuglog "Storing the chain element in ${CERT_ELEMENT}"
echo "${1}" > "${CERT_ELEMENT}"
-
+
# We check all the elements of the chain (but the root) for revocation
# If any element is revoked, the certificate should not be trusted
# https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked
-
+
debuglog "Checking CRL status of element ${el_number}"
# See https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
CRL_URI=$( "${OPENSSL}" x509 -noout -text -in "${CERT_ELEMENT}" |
- grep -A 4 'X509v3 CRL Distribution Points' |
- grep URI |
- sed 's/^.*URI://'
- )
-
+ grep -A 4 'X509v3 CRL Distribution Points' |
+ grep URI |
+ sed 's/^.*URI://'
+ )
if [ -n "${CRL_URI}" ] ; then
- debuglog "Certificate revokation list available (${CRL_URI})"
+ debuglog "Certificate revokation list available (${CRL_URI})"
- debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP_DER}"
+ debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP_DER}"
if [ -n "${CURL_USER_AGENT}" ] ; then
exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
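Review bot: CRL_URI, extracted from the certificate's CRL Distribution Points extension, is interpolated unfiltered into the command string that exec_with_timeout hands to eval ('eval "${TIMEOUT_BIN} ${time} ${command} &"' in the hunk above), whereas the OCSP path strips shell metacharacters from ELEMENT_ISSUER_URI with tr -d '"!|;$(){}<>`&' before use. Apply the same filtering to CRL_URI so a certificate supplied by the monitored host cannot influence the shell command line, and fix the "revokation" spelling in the touched debuglog line while here.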
@@ -660,34 +659,34 @@ check_crl() {
exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
fi
- # convert DER to
- debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
- "${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
+ # convert DER to
+ debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
+ "${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
+
+ # combine the certificate and the CRL
+ debuglog "Combining the certificate, the CRL and the root cert"
+ debuglog "cat ${CRL_TMP_PEM} ${CERT} ${ROOT_CA_FILE} > ${CRL_TMP_CHAIN}"
+ cat "${CRL_TMP_PEM}" "${CERT}" "${ROOT_CA_FILE}" > "${CRL_TMP_CHAIN}"
- # combine the certificate and the CRL
- debuglog "Combining the certificate, the CRL and the root cert"
- debuglog "cat ${CRL_TMP_PEM} ${CERT} ${ROOT_CA_FILE} > ${CRL_TMP_CHAIN}"
- cat "${CRL_TMP_PEM}" "${CERT}" "${ROOT_CA_FILE}" > "${CRL_TMP_CHAIN}"
+ debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"
+ CRL_RESULT=$( "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
+ grep ':' |
+ head -n 1 |
+ sed 's/^.*:\ //'
+ )
- debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"
- CRL_RESULT=$( "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
- grep ':' |
- head -n 1 |
- sed 's/^.*:\ //'
- )
+ debuglog " result: ${CRL_RESULT}"
- debuglog " result: ${CRL_RESULT}"
+ if ! [ "${CRL_RESULT}" = 'OK' ] ; then
+ prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
+ fi
- if ! [ "${CRL_RESULT}" = 'OK' ] ; then
- prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
- fi
-
else
- debuglog "Certificate revokation list not available"
+ debuglog "Certificate revokation list not available"
fi
-
+
}
################################################################################
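Review bot: two of the re-indented lines carry defects worth fixing in the same change. The comment "# convert DER to" is cut off and should read "# convert DER to PEM", and the debug line 'debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"' omits the "-CAfile ${CRL_TMP_CHAIN}" argument that the command on the next line actually runs with, so debug output misrepresents the verification. Separately, any non-"OK" first line of the verify output is reported as "certificate element N is revoked (CRL)", so a verify failure for another reason (unreadable or unparsable CRL) is indistinguishable from a revocation; include the actual verify output in the critical message.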
@@ -704,7 +703,7 @@ check_ocsp() {
# We check all the elements of the chain (but the root) for revocation
# If any element is revoked, the certificate should not be trusted
# https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked
-
+
debuglog "Checking OCSP status of element ${el_number}"
create_temporary_file; CERT_ELEMENT=${TEMPFILE}
@@ -718,13 +717,13 @@ check_ocsp() {
debuglog "Checking revokation via OCSP"
ISSUER_HASH="$(${OPENSSL} x509 -in "${CERT_ELEMENT}" -noout -issuer_hash)"
- debuglog "Issuer hash: ${ISSUER_HASH}"
+ debuglog "Issuer hash: ${ISSUER_HASH}"
if [ -z "${ISSUER_HASH}" ] ; then
unknown 'unable to find issuer certificate hash.'
fi
- ISSUER_CERT=
+ ISSUER_CERT=
if [ -n "${ISSUER_CERT_CACHE}" ] ; then
if [ -r "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt" ]; then
@@ -741,27 +740,27 @@ check_ocsp() {
fi
fi
-
- # we just consider the first HTTP(S) URI
- # TODO check SC2016
- # shellcheck disable=SC2086,SC2016
- ELEMENT_ISSUER_URI="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+ # we just consider the first HTTP(S) URI
+ # TODO check SC2016
+ # shellcheck disable=SC2086,SC2016
+
+ ELEMENT_ISSUER_URI="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
- debuglog "Chain element issuer URI: ${ELEMENT_ISSUER_URI}"
+ debuglog "Chain element issuer URI: ${ELEMENT_ISSUER_URI}"
- # TODO: should be checked
- # shellcheck disable=SC2021
- if [ -z "${ELEMENT_ISSUER_URI}" ] ; then
+ # TODO: should be checked
+ # shellcheck disable=SC2021
+ if [ -z "${ELEMENT_ISSUER_URI}" ] ; then
verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks on element ${el_number}"
return
- elif [ "${ELEMENT_ISSUER_URI}" != "$(echo "${ELEMENT_ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
+ elif [ "${ELEMENT_ISSUER_URI}" != "$(echo "${ELEMENT_ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
verboselog "unable to fetch the CA issuer certificate (spaces in URI): disabling OCSP checks on element ${el_number}"
- return
- elif ! echo "${ELEMENT_ISSUER_URI}" | grep -qi '^http' ; then
+ return
+ elif ! echo "${ELEMENT_ISSUER_URI}" | grep -qi '^http' ; then
verboselog "unable to fetch the CA issuer certificate (unsupported protocol): disabling OCSP checks on element ${el_number}"
return
- fi
+ fi
if [ -z "${ISSUER_CERT}" ] ; then
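Review bot: the blank line inserted between "# shellcheck disable=SC2086,SC2016" and the ELEMENT_ISSUER_URI assignment separates the directive from the command it is meant to cover; keep the directive directly above the command, as the original had it, so the suppression stays attached to that line.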
@@ -776,20 +775,20 @@ check_ocsp() {
debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
- if echo "${ELEMENT_ISSUER_URI}" | grep -q 'p7c' ; then
- debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM"
+ if echo "${ELEMENT_ISSUER_URI}" | grep -q 'p7c' ; then
+ debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM"
cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
${OPENSSL} pkcs7 -print_certs -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
- fi
+ fi
- debuglog "OCSP: issuer certificate type (2): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+ debuglog "OCSP: issuer certificate type (2): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
# check the result
if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q ': (ASCII|PEM)' ; then
-
+
if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)' ; then
debuglog "OCSP: converting issuer certificate from DER to PEM"
@@ -800,7 +799,7 @@ check_ocsp() {
else
- debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )"
+ debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )"
unknown "Unable to fetch a valid certificate issuer certificate."
@@ -808,7 +807,7 @@ check_ocsp() {
fi
- debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+ debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
if [ -n "${DEBUG}" ] ; then
@@ -841,11 +840,11 @@ check_ocsp() {
fi
- # TO DO: we just take the first result: a loop over all the hosts should
+ # TO DO: we just take the first result: a loop over all the hosts should
# shellcheck disable=SC2086
OCSP_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT_ELEMENT}" -ocsp_uri -noout | head -n 1)"
- debuglog "OSCP: URI = ${OCSP_URI}"
-
+ debuglog "OSCP: URI = ${OCSP_URI}"
+
OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\\([^/]\\+\\)\\(/.*\\)\\?\$@\\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
debuglog "OCSP: host = ${OCSP_HOST}"
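Review bot: the touched debug line still reads "OSCP: URI = ..."; fix it to "OCSP" so debug output can be grepped consistently with the surrounding "OCSP:" messages, and finish the dangling "TO DO: we just take the first result: a loop over all the hosts should" comment, which ends mid-sentence.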
@@ -974,7 +973,7 @@ check_cert_end_date() {
debuglog "Checking expiration date of element ${el_number}"
- # shellcheck disable=SC2086
+ # shellcheck disable=SC2086
ELEM_END_DATE=$(echo "${1}" | "${OPENSSL}" "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -noout "${OPENSSL_ENDDATE_OPTION}" | sed -e "s/.*=//")
debuglog "Validity date on cert element ${el_number} is ${ELEM_END_DATE}"
@@ -1008,7 +1007,7 @@ check_cert_end_date() {
if [ -n "${WARNING_DAYS}" ] ; then
- debuglog "executing: ${OPENSSL} x509 -noout -checkend $(( WARNING_DAYS * 86400 )) on cert element ${el_number}"
+ debuglog "executing: ${OPENSSL} x509 -noout -checkend $(( WARNING_DAYS * 86400 )) on cert element ${el_number}"
if ! echo "$1" | ${OPENSSL} x509 -noout -checkend $(( WARNING_DAYS * 86400 )) > /dev/null ; then
append_warning_message "${OPENSSL_COMMAND} certificate element ${el_number} will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
@@ -1195,7 +1194,7 @@ fetch_certificate() {
exec_with_timeout "${TIMEOUT}" "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- mysql)
+ mysql)
exec_with_timeout "${TIMEOUT}" "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
@@ -1248,7 +1247,7 @@ fetch_certificate() {
verboselog "The server requires a client certificate"
elif ascii_grep 'nodename\ nor\ servname\ provided,\ or\ not\ known' "${ERROR}" ||
- ascii_grep 'connect\ argument\ or\ target\ parameter\ malformed\ or\ ambiguous' "${ERROR}" ; then
+ ascii_grep 'connect\ argument\ or\ target\ parameter\ malformed\ or\ ambiguous' "${ERROR}" ; then
ERROR="${HOST} is not a valid hostname"
prepend_critical_message "${ERROR}"
@@ -1261,13 +1260,13 @@ fetch_certificate() {
prepend_critical_message "${ERROR}"
critical "${SHORTNAME} CRITICAL: ${ERROR}"
- elif ascii_grep 'dh\ key\ too\ small' "${ERROR}" ; then
+ elif ascii_grep 'dh\ key\ too\ small' "${ERROR}" ; then
- prepend_critical_message 'DH with a key too small'
+ prepend_critical_message 'DH with a key too small'
- elif ascii_grep 'alert\ handshake\ failure' "${ERROR}" ; then
+ elif ascii_grep 'alert\ handshake\ failure' "${ERROR}" ; then
- prepend_critical_message 'Handshake failure'
+ prepend_critical_message 'Handshake failure'
else
@@ -1383,7 +1382,8 @@ main() {
NO_PROXY=""
PROXY=""
CRL=""
- STC="1" # enabled by default
+ SCT="1" # enabled by default
+ HTTP_REQUEST_URL="/"
# after 2020-09-01 we could set the default to 398 days because of Apple
# https://support.apple.com/en-us/HT211025
@@ -1416,10 +1416,10 @@ main() {
ALTNAMES=1
shift
;;
- --crl)
- CRL=1
- shift
- ;;
+ --crl)
+ CRL=1
+ shift
+ ;;
-d|--debug)
DEBUG=1
VERBOSE=1
@@ -1448,18 +1448,18 @@ main() {
NOSIGALG=1
shift
;;
- --ignore-stc)
- STC=
- shift
- ;;
+ --ignore-sct)
+ SCT=
+ shift
+ ;;
--ignore-ssl-labs-cache)
IGNORE_SSL_LABS_CACHE="&startNew=on"
shift
;;
- --no-proxy)
- NO_PROXY=1
- shift
- ;;
+ --no-proxy)
+ NO_PROXY=1
+ shift
+ ;;
--no-ssl2|--no_ssl2) # we keep the old variant for compatibility
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_ssl2"
shift
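Review bot: replacing the "--ignore-stc)" case with "--ignore-sct)" drops the old spelling entirely, so any Nagios or Icinga command definition written against 1.135.0 will now fail with an unknown-option error. The script already keeps old variants elsewhere ("--no-ssl2|--no_ssl2) # we keep the old variant for compatibility"); do the same here with "--ignore-sct|--ignore-stc)", optionally emitting a verboselog deprecation message for the old form.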
@@ -1628,7 +1628,7 @@ main() {
-e|--email)
check_option_argument 'e|--email' "$2"
ADDR="$2"
- shift 2
+ shift 2
;;
-f|--file)
check_option_argument ' -f|--file' "$2"
@@ -1747,7 +1747,7 @@ main() {
;;
--proxy)
check_option_argument '--proxy' "$2"
- PROXY="$2"
+ PROXY="$2"
export http_proxy="$2"
shift 2
;;
@@ -1808,6 +1808,11 @@ main() {
TMPDIR="$2"
shift 2
;;
+ -u|--url)
+ check_option_argument '-u|--url' "$2"
+ HTTP_REQUEST_URL="$2"
+ shift 2
+ ;;
-w|--warning)
check_option_argument '-w|--warning' "$2"
WARNING_DAYS="$2"
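Review bot: the "-u|--url" value is stored in HTTP_REQUEST_URL with only check_option_argument applied, and it later becomes the request-target in HTTP_REQUEST; add a sanity check that the value starts with "/" and contains no whitespace, in the same style as the grep checks applied to CRITICAL_DAYS and WARNING_DAYS, so a mistyped value yields an UNKNOWN rather than a malformed request line.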
@@ -1919,9 +1924,9 @@ main() {
https|h2)
PORT=443
;;
- mysql)
- PORT=3306
- ;;
+ mysql)
+ PORT=3306
+ ;;
*)
unknown "Error: unsupported protocol ${PROTOCOL}"
;;
@@ -1992,11 +1997,11 @@ main() {
fi
if [ -n "${ROOT_CA_DIR}" ] || [ -n "${ROOT_CA_FILE}" ]; then
- if [ -n "${ROOT_CA_FILE}" ] ; then
+ if [ -n "${ROOT_CA_FILE}" ] ; then
ROOT_CA="${ROOT_CA_DIR} -CAfile ${ROOT_CA_FILE}"
- else
+ else
ROOT_CA="${ROOT_CA_DIR}"
- fi
+ fi
fi
if [ -n "${CLIENT_CERT}" ] ; then
@@ -2016,17 +2021,22 @@ main() {
fi
if [ -n "${FILE}" ] ; then
- if [ ! -r "${FILE}" ] ; then
- unknown "Cannot read file ${FILE}"
- fi
+ if [ ! -r "${FILE}" ] ; then
+ unknown "Cannot read file ${FILE}"
+ fi
fi
-
+
+ # check if grep is in the path (see #244)
+ if ! echo 0 | grep 0 > /dev/null 2>&1 ; then
+ unknown "cannot execute grep: please check the PATH variable (${PATH})"
+ fi
+
if [ -n "${CRITICAL_DAYS}" ] ; then
debuglog "-c specified: ${CRITICAL_DAYS}"
if ! echo "${CRITICAL_DAYS}" | grep -q '^[0-9][0-9]*$' ; then
- unknown "invalid number of days ${CRITICAL_DAYS}"
+ unknown "invalid number of days '${CRITICAL_DAYS}'"
fi
fi
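Review bot: the new grep check ("echo 0 | grep 0") hand-rolls what check_required_prog already provides for other tools (for example "check_required_prog 'date'" further down); consider using it for grep as well so missing-utility handling stays in one place. The quoting of the day counts in the unknown messages is a good change: it makes an empty or whitespace-only argument visible in the output.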
@@ -2034,7 +2044,7 @@ main() {
if [ -n "${WARNING_DAYS}" ] ; then
if ! echo "${WARNING_DAYS}" | grep -q '^[0-9][0-9]*$' ; then
- unknown "invalid number of days ${WARNING_DAYS}"
+ unknown "invalid number of days '${WARNING_DAYS}'"
fi
fi
@@ -2052,14 +2062,14 @@ main() {
debuglog "--not-valid-longer-than specified: ${NOT_VALID_LONGER_THAN}"
if ! echo "${NOT_VALID_LONGER_THAN}" | grep -q '^[0-9][0-9]*$' ; then
- unknown "invalid number of days ${NOT_VALID_LONGER_THAN}"
+ unknown "invalid number of days '${NOT_VALID_LONGER_THAN}'"
fi
fi
if [ -n "${CRL}" ] && [ -z "${ROOT_CA_FILE}" ] ; then
-
- unknown "To be able to check CRL we need the Root Cert. Please specify it with the --rootcert-file option"
+
+ unknown "To be able to check CRL we need the Root Cert. Please specify it with the --rootcert-file option"
fi
@@ -2139,10 +2149,10 @@ main() {
# date
if [ -z "${DATEBIN}" ] ; then
- check_required_prog 'date'
- DATEBIN=${PROG}
+ check_required_prog 'date'
+ DATEBIN=${PROG}
fi
-
+
debuglog "file version: $( "${FILE_BIN}" --version 2>&1 )"
# cURL
@@ -2157,7 +2167,7 @@ main() {
CURL_BIN=${PROG}
debuglog "cURL available: ${CURL_BIN}"
- debuglog "$( ${CURL_BIN} --version )"
+ debuglog "$( ${CURL_BIN} --version )"
else
debuglog "cURL binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
@@ -2221,7 +2231,7 @@ main() {
if ! "${DATEBIN}" +%s >/dev/null 2>&1 ; then
- debuglog "no date binary available"
+ debuglog "no date binary available"
# Perl with Date::Parse (optional)
test -x "${PERL}" || PERL=""
@@ -2245,17 +2255,17 @@ main() {
else
- debuglog 'checking date version'
+ debuglog 'checking date version'
if "${DATEBIN}" --version 2>&1 | grep -q GNU ; then
DATETYPE='GNU'
- elif "${DATEBIN}" --version 2>&1 | grep -q BusyBox ; then
- DATETYPE='BUSYBOX'
+ elif "${DATEBIN}" --version 2>&1 | grep -q BusyBox ; then
+ DATETYPE='BUSYBOX'
else
DATETYPE='BSD'
fi
- verboselog "found ${DATETYPE} date with timestamp support: enabling date computations"
+ verboselog "found ${DATETYPE} date with timestamp support: enabling date computations"
fi
@@ -2310,19 +2320,19 @@ main() {
fi
if [ -n "${PROXY}" ] && [ -n "${NO_PROXY}" ] ; then
- unknown "Only one of --proxy or --no_proxy can be specfied"
+ unknown "Only one of --proxy or --no_proxy can be specfied"
fi
################################################################################
# If --no-proxy was specified unset the http_proxy variables
if [ -n "${NO_PROXY}" ] ; then
- debuglog "Disabling the proxy"
- unset http_proxy
- unset https_proxy
- unset HTTP_PROXY
- unset HTTPS_PROXY
+ debuglog "Disabling the proxy"
+ unset http_proxy
+ unset https_proxy
+ unset HTTP_PROXY
+ unset HTTPS_PROXY
fi
-
+
################################################################################
# Check if openssl s_client supports the -proxy option
#
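Review bot: the touched message "Only one of --proxy or --no_proxy can be specfied" has two defects: "specfied" is misspelled, and the option is named "--no-proxy" (see the case label and the "# If --no-proxy was specified" comment), not "--no_proxy".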
@@ -2332,54 +2342,54 @@ main() {
CURL_PROXY_ARGUMENT=
if [ -n "${http_proxy}" ] || [ -n "${HTTP_PROXY}" ] ; then
- debuglog "Proxy settings (before):"
- debuglog " http_proxy = ${http_proxy}"
- debuglog " https_proxy = ${https_proxy}"
- debuglog " HTTP_PROXY = ${HTTP_PROXY}"
- debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
+ debuglog "Proxy settings (before):"
+ debuglog " http_proxy = ${http_proxy}"
+ debuglog " https_proxy = ${https_proxy}"
+ debuglog " HTTP_PROXY = ${HTTP_PROXY}"
+ debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
- if [ -n "${http_proxy}" ] ; then
+ if [ -n "${http_proxy}" ] ; then
HTTP_PROXY="${http_proxy}"
fi
- if [ -z "${https_proxy}" ] ; then
- # try to set https_proxy
- https_proxy="${http_proxy}"
- fi
-
- if [ -z "${HTTPS_PROXY}" ] ; then
- # try to set HTTPS_proxy
- HTTPS_PROXY="${HTTP_PROXY}"
- fi
-
- if ${CURL_BIN} --manual | grep -q -- --proxy ; then
- debuglog "Adding --proxy ${HTTP_PROXY} to the cURL options"
- CURL_PROXY="--proxy"
- CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
- fi
-
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -proxy; then
- SCLIENT_PROXY="-proxy"
- SCLIENT_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
-
- debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"
-
- else
-
- verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"
-
- fi
-
- debuglog "Proxy settings (after):"
- debuglog " http_proxy = ${http_proxy}"
- debuglog " https_proxy = ${https_proxy}"
- debuglog " HTTP_PROXY = ${HTTP_PROXY}"
- debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
- debuglog " s_client = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
- debuglog " cURL = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"
-
- fi
-
+ if [ -z "${https_proxy}" ] ; then
+ # try to set https_proxy
+ https_proxy="${http_proxy}"
+ fi
+
+ if [ -z "${HTTPS_PROXY}" ] ; then
+ # try to set HTTPS_proxy
+ HTTPS_PROXY="${HTTP_PROXY}"
+ fi
+
+ if ${CURL_BIN} --manual | grep -q -- --proxy ; then
+ debuglog "Adding --proxy ${HTTP_PROXY} to the cURL options"
+ CURL_PROXY="--proxy"
+ CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
+ fi
+
+ if ${OPENSSL} s_client -help 2>&1 | grep -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -proxy; then
+ SCLIENT_PROXY="-proxy"
+ SCLIENT_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
+
+ debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"
+
+ else
+
+ verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"
+
+ fi
+
+ debuglog "Proxy settings (after):"
+ debuglog " http_proxy = ${http_proxy}"
+ debuglog " https_proxy = ${https_proxy}"
+ debuglog " HTTP_PROXY = ${HTTP_PROXY}"
+ debuglog " HTTPS_PROXY = ${HTTPS_PROXY}"
+ debuglog " s_client = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
+ debuglog " cURL = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"
+
+ fi
+
################################################################################
# Check if openssl s_client supports the -name option
#
@@ -2460,7 +2470,7 @@ main() {
################################################################################
# Check if s_client supports the no_ssl options
for S_CLIENT_OPTION in ${SSL_VERSION_DISABLED} ; do
- require_s_client_option "${S_CLIENT_OPTION}"
+ require_s_client_option "${S_CLIENT_OPTION}"
done
################################################################################
@@ -2476,7 +2486,7 @@ main() {
CUSTOM_HTTP_HEADER="${CUSTOM_HTTP_HEADER}\\n"
fi
- HTTP_REQUEST="${HTTP_METHOD} / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\n${CUSTOM_HTTP_HEADER}Connection: close\\n\\n"
+ HTTP_REQUEST="${HTTP_METHOD} ${HTTP_REQUEST_URL} HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\n${CUSTOM_HTTP_HEADER}Connection: close\\n\\n"
##############################################################################
# Check for disallowed protocols
@@ -2565,7 +2575,7 @@ main() {
create_temporary_file; CRL_TMP_DER=${TEMPFILE}
create_temporary_file; CRL_TMP_PEM=${TEMPFILE}
create_temporary_file; CRL_TMP_CHAIN=${TEMPFILE}
-
+
if [ -n "${OCSP}" ] ; then
create_temporary_file; ISSUER_CERT_TMP=${TEMPFILE}
@@ -2691,16 +2701,16 @@ main() {
else
# we need to remove everything before 'CN = ', to remove an eventual email supplied with / and additional elements (after ', ')
# shellcheck disable=SC2086
- if ${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} | grep -q 'CN' ; then
+ if ${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} | grep -q 'CN' ; then
CN="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
sed -e "s/^.*[[:space:]]*CN[[:space:]]=[[:space:]]//" -e "s/\\/[[:alpha:]][[:alpha:]]*=.*\$//" -e "s/,.*//" )"
- else
- CN='CN unavailable'
- if [ -z "${ALTNAMES}" ] ; then
- verboselog "Certificate without common name (CN), enabling altername names"
- ALTNAMES=1
- fi
- fi
+ else
+ CN='CN unavailable'
+ if [ -z "${ALTNAMES}" ] ; then
+ verboselog "Certificate without common name (CN), enabling altername names"
+ ALTNAMES=1
+ fi
+ fi
# shellcheck disable=SC2086
SUBJECT="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS})"
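Review bot: `grep -q 'CN'` at the top of this hunk matches the two letters anywhere in the subject line (an O= or OU= value containing "CN" is enough), so a certificate without a common name but with such a field would skip the 'CN unavailable' branch and the sed chain would return garbage. Match the attribute instead, e.g. `grep -q 'CN[[:space:]]*='`. Also "altername names" in the verboselog message should read "alternative names".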
@@ -2719,7 +2729,7 @@ main() {
# start with first certificate
debuglog "Skipping ${SKIP_ELEMENT} element of the chain"
CERT_IN_CHAIN=$(( SKIP_ELEMENT + 1 ))
-
+
# shellcheck disable=SC2086
while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do
if [ -n "${ISSUERS}" ]; then
@@ -2738,8 +2748,8 @@ main() {
fi
debuglog 'ISSUERS = '
- debuglog "${ISSUERS}"
-
+ debuglog "${ISSUERS}"
+
# Handle properly openssl x509 -issuer -noout output format differences:
# OpenSSL 1.1.0: issuer=C = XY, ST = Alpha, L = Bravo, O = Charlie, CN = Charlie SSL CA
# OpenSSL 1.0.2: issuer= /C=XY/ST=Alpha/L=Bravo/O=Charlie/CN=Charlie SSL CA 3
@@ -3014,8 +3024,8 @@ main() {
debuglog "check NOT_ISSUED_BY: ${NOT_ISSUED_BY}"
- debuglog " executing echo \"${ISSUERS}\" | sed -E -e \"s/^(O|CN) ?= ?//\" | grep -E \"^${NOT_ISSUED_BY}\$\" | head -n1"
-
+ debuglog " executing echo \"${ISSUERS}\" | sed -E -e \"s/^(O|CN) ?= ?//\" | grep -E \"^${NOT_ISSUED_BY}\$\" | head -n1"
+
ok=""
CA_ISSUER_MATCHED=$(echo "${ISSUERS}" | sed -E -e "s/^(O|CN) ?= ?//" | grep -E "^${NOT_ISSUED_BY}\$" | head -n1)
@@ -3026,7 +3036,7 @@ main() {
prepend_critical_message "invalid CA ('$(echo "${NOT_ISSUED_BY}" | sed "s/|/ PIPE /g")' matches '$(echo "${ISSUERS}" | sed -E -e "s/^(O|CN) ?= ?//" | tr '\n' '|' | sed "s/|\$//g" | sed "s/|/\\' or \\'/g")')"
else
ok="true"
- CA_ISSUER_MATCHED="$(echo "${ISSUERS}" | grep -E "^CN ?= ?" | sed -E -e "s/^CN ?= ?//" | head -n1)"
+ CA_ISSUER_MATCHED="$(echo "${ISSUERS}" | grep -E "^CN ?= ?" | sed -E -e "s/^CN ?= ?//" | head -n1)"
fi
else
@@ -3085,16 +3095,16 @@ main() {
chain_element=$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" | \
awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}')
- debuglog '------------------------------------------------------------------------------'
+ debuglog '------------------------------------------------------------------------------'
check_cert_end_date "${chain_element}" "${elem_number}"
- debuglog '------------------------------------------------------------------------------'
- check_ocsp "${chain_element}" "${elem_number}"
-
- if [ -n "${CRL}" ] ; then
- debuglog '------------------------------------------------------------------------------'
- check_crl "${chain_element}" "${elem_number}"
- fi
+ debuglog '------------------------------------------------------------------------------'
+ check_ocsp "${chain_element}" "${elem_number}"
+
+ if [ -n "${CRL}" ] ; then
+ debuglog '------------------------------------------------------------------------------'
+ check_crl "${chain_element}" "${elem_number}"
+ fi
CERT_IN_CHAIN=$(( CERT_IN_CHAIN + 1 ))
if ! [ "${ELEMENT}" -eq 0 ] && [ $(( CERT_IN_CHAIN - ELEMENT )) -lt 0 ]; then
@@ -3115,8 +3125,8 @@ main() {
while true; do
- debuglog "http_proxy = ${http_proxy}"
- debuglog "HTTPS_PROXY = ${HTTPS_PROXY}"
+ debuglog "http_proxy = ${http_proxy}"
+ debuglog "HTTPS_PROXY = ${HTTPS_PROXY}"
debuglog "executing ${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}\""
if [ -n "${SNI}" ] ; then
@@ -3143,33 +3153,33 @@ main() {
# We clear the cache only on the first run
IGNORE_SSL_LABS_CACHE=""
- if echo "${JSON}" | grep -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later' ; then
- verboselog 'SSL Labs running at full capacity'
- else
+ if echo "${JSON}" | grep -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later' ; then
+ verboselog 'SSL Labs running at full capacity'
+ else
- SSL_LABS_HOST_STATUS=$(echo "${JSON}" \
- | sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/')
+ SSL_LABS_HOST_STATUS=$(echo "${JSON}" \
+ | sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/')
- debuglog "SSL Labs status: ${SSL_LABS_HOST_STATUS}"
+ debuglog "SSL Labs status: ${SSL_LABS_HOST_STATUS}"
- case "${SSL_LABS_HOST_STATUS}" in
+ case "${SSL_LABS_HOST_STATUS}" in
'ERROR')
- SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
- prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
- ;;
+ SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
+ | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
+ prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
+ ;;
'READY')
- if ! echo "${JSON}" | grep -q "grade" ; then
+ if ! echo "${JSON}" | grep -q "grade" ; then
# Something went wrong
SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
+ | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
- else
+ else
SSL_LABS_HOST_GRADE=$(echo "${JSON}" \
- | sed 's/.*"grade":[ ]*"\([^"]*\)".*/\1/')
+ | sed 's/.*"grade":[ ]*"\([^"]*\)".*/\1/')
debuglog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
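Review bot: the `sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/'` extraction leaves the entire JSON document in SSL_LABS_HOST_STATUS when the key is absent, because sed prints its input unchanged on no match, so the `case` below compares a whole response body against 'READY' and friends; and because the leading `.*` is greedy, the value comes from the last `"status"` key in the document if the response contains more than one. A `grep -o '"status":[ ]*"[^"]*"' | head -n1` in front of the sed fails closed with an empty string and picks the first key; the same applies to the `"grade"` and `"statusMessage"` extractions in this hunk.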
@@ -3182,11 +3192,11 @@ main() {
# Check the grade
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
- prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
+ prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
- if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
+ if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
append_warning_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
- fi
+ fi
fi
debuglog "SSL Labs grade (converted): ${SSL_LABS_HOST_GRADE_NUMERIC}"
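Review bot: `SSL_LAB_WARN_ASSESTMENT_NUMERIC` and `SSL_LAB_WARN_ASSESTMENT` are spelled differently from `SSL_LAB_CRIT_ASSESSMENT_NUMERIC` on the line above; this only works as long as the definitions carry the same misspelling. Since the hunk already re-indents these lines, renaming to ASSESSMENT consistently (together with the definitions) would be cheap now.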
@@ -3194,28 +3204,28 @@ main() {
# We have a result: exit
break
- fi
- ;;
+ fi
+ ;;
'IN_PROGRESS')
- # Data not yet available: warn and continue
- verboselog "Warning: no cached data by SSL Labs, check initiated"
- ;;
+ # Data not yet available: warn and continue
+ verboselog "Warning: no cached data by SSL Labs, check initiated"
+ ;;
'DNS')
- verboselog "SSL Labs cannot resolve the domain name"
- ;;
+ verboselog "SSL Labs cannot resolve the domain name"
+ ;;
*)
- # Try to extract a message
- SSL_LABS_ERROR_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/')
+ # Try to extract a message
+ SSL_LABS_ERROR_MESSAGE=$(echo "${JSON}" \
+ | sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/')
- if [ -z "${SSL_LABS_ERROR_MESSAGE}" ] ; then
+ if [ -z "${SSL_LABS_ERROR_MESSAGE}" ] ; then
SSL_LABS_ERROR_MESSAGE="${JSON}"
- fi
+ fi
- prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
- esac
+ prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
+ esac
- fi
+ fi
WAIT_TIME=60
verboselog "Waiting ${WAIT_TIME} seconds"
@@ -3291,11 +3301,11 @@ main() {
fi
##############################################################################
- # Check for Signed Certificate Timestamps (STC)
- if [ -n "${STC}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text | grep -q 'SCTs' ; then
- prepend_critical_message "Cannot find Signed Certificate Timestamps"
+ # Check for Signed Certificate Timestamps (SCT)
+ if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text | grep -q 'SCTs' ; then
+ prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
fi
-
+
# if errors exist at this point return
if [ "${CRITICAL_MSG}" != "" ] ; then
critical "${CRITICAL_MSG}"
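Review bot: the SCT check greps for the literal 'SCTs' in `openssl x509 -text` output, which is the label OpenSSL prints for the CT extension only when built with CT support (1.1.0 and later); on older builds the extension appears as a raw OID with a hex dump, so every certificate would be reported as missing SCTs unless `--ignore-sct` is given. Either gate the check on CT support or accept the OID as an alternative match. This invocation also omits `${OPENSSL_PARAMS}`, unlike the other `x509` calls in this diff (see the `-subject` calls around the CN check), so a non-default engine or config is not applied here.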
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "January, 2021" "1.135.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "February, 2021" "1.137.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -111,8 +111,8 @@ ignore OCSP result when timeout occurs while checking
.BR " --ignore-sig-alg"
do not check if the certificate was signed with SHA1 or MD5
.TP
-.BR " --ignore-stc"
-do not check for signed certificate timestamps
+.BR " --ignore-sct"
+do not check for signed certificate timestamps (SCT)
.TP
.BR " --ignore-ssl-labs-cache"
Forces a new check by SSL Labs (see -L)
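Review bot: renaming `--ignore-stc` to `--ignore-sct` removes the old spelling from the documented interface; Nagios or Icinga command definitions that already pass `--ignore-stc` will fail with an unknown option after the upgrade. Keep `--ignore-stc` as a deprecated alias in the option parser for a release or two and mention the rename in NEWS.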
@@ -263,6 +263,9 @@ force TLS version 1.2
.BR " --tls1_3"
force TLS version 1.3
.TP
+.BR "-u,--url" " URL"
+HTTP request URL
+.TP
.BR "-v,--verbose"
verbose output (also see --terse)
.TP
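Review bot: the description "HTTP request URL" for the new `-u,--url` option is too thin: say whether the value is a path (used verbatim as the request-target in the `GET ... HTTP/1.1` line built in check_ssl_cert) or a full URL, and what is requested when the option is omitted.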
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.135.0
+%define version 1.137.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,9 +45,15 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
-* Thu Jan 28 2021 Matteo Corti <matteo at corti.li> - 1.135.0-0
+* Thu Feb 18 2021 Matteo Corti <matteo at corti.li> - 1.137.0-0
+- Updated to 1.137.0
+
+* Tue Feb 16 2021 Matteo Corti <matteo at corti.li> - 1.136.0-0
- Updated to 1.136.0
+* Thu Jan 28 2021 Matteo Corti <matteo at corti.li> - 1.135.0-0
+- Updated to 1.135.0
+
* Wed Jan 27 2021 Matteo Corti <matteo at corti.li> - 1.134.0-0
- Updated to 1.134.0
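Review bot: the reordered %changelog is missing the blank separator line between `- Updated to 1.136.0` and the new `* Thu Jan 28 2021 ... 1.135.0-0` header, while every other entry is followed by one; rpmbuild accepts it, but it breaks the pattern and trips changelog linters.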
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/._cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_empty_subject.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.135.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.137.0/test/unit_tests.sh
=====================================
@@ -226,7 +226,7 @@ testTimeOut() {
testIMAP() {
if [ -z "${TRAVIS+x}" ] ; then
- # minimal critical and warning as they renew pretty late
+ # minimal critical and warning as they renew pretty late
${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -362,9 +362,9 @@ testBadSSLDH512(){
testBadSSLRC4MD5(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rc4-md5.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ ${SCRIPT} -H rc4-md5.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
echo "Skipping RC4 MD5 with badssl.com on Travis CI (OpenSSL too old)"
fi
@@ -372,9 +372,9 @@ testBadSSLRC4MD5(){
testBadSSLRC4(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rc4.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ ${SCRIPT} -H rc4.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
echo "Skipping RC4 with badssl.com on Travis CI (OpenSSL too old)"
fi
@@ -382,9 +382,9 @@ testBadSSLRC4(){
testBadSSL3DES(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H 3des.badssl.com --host-cn
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ ${SCRIPT} -H 3des.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
echo "Skipping 3DES with badssl.com on Travis CI (OpenSSL too old)"
fi
@@ -626,19 +626,19 @@ testNotLongerValidThan() {
}
testCertificsteWithoutCN() {
- ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-stc
+ ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-sct
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testCertificsteWithEmptySubject() {
- ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-stc
+ ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-sct
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
-testSTC() {
- ${SCRIPT} -H no-stc.badssl.com
+testSCT() {
+ ${SCRIPT} -H no-sct.badssl.com
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
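Review bot: the unchanged function names `testCertificsteWithoutCN` and `testCertificsteWithEmptySubject` misspell "Certificate"; since the bodies are being touched for the `--ignore-sct` rename anyway, fixing the names now is cheap. The renamed testSCT also needs live access to no-sct.badssl.com and, unlike the other badssl tests in this file, has no guard or skip message, so it will fail hard in an offline build.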
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.135.0
+Version: 1.137.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.135.0/
\ No newline at end of file
+check_ssl_cert_1.137.0/
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/commit/1d2c8026320dbccf5374c7bd4560c9217d42889e