[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 5 commits: Prepare release
Jan Wagner
gitlab at salsa.debian.org
Thu Feb 25 20:03:35 GMT 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
8265bdc0 by Jan Wagner at 2021-02-23T19:55:43+01:00
Prepare release
- - - - -
d90c9ca3 by Jan Wagner at 2021-02-25T19:44:33+01:00
check_ssl_cert: Update to 1.140.0
- - - - -
2e3f6520 by Jan Wagner at 2021-02-25T19:45:48+01:00
Auto update of debian/control
- - - - -
49124193 by Jan Wagner at 2021-02-25T19:46:57+01:00
Prepare release
- - - - -
09f9e69a by Jan Wagner at 2021-02-25T21:02:24+01:00
New changelog
- - - - -
24 changed files:
- − check_ssl_cert/check_ssl_cert_1.137.0/VERSION
- check_ssl_cert/check_ssl_cert_1.137.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.140.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.137.0/COPYING → check_ssl_cert/check_ssl_cert_1.140.0/COPYING
- check_ssl_cert/check_ssl_cert_1.137.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.140.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.137.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.140.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.137.0/INSTALL → check_ssl_cert/check_ssl_cert_1.140.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.137.0/Makefile → check_ssl_cert/check_ssl_cert_1.140.0/Makefile
- check_ssl_cert/check_ssl_cert_1.137.0/NEWS → check_ssl_cert/check_ssl_cert_1.140.0/NEWS
- check_ssl_cert/check_ssl_cert_1.137.0/README.md → check_ssl_cert/check_ssl_cert_1.140.0/README.md
- check_ssl_cert/check_ssl_cert_1.137.0/TODO → check_ssl_cert/check_ssl_cert_1.140.0/TODO
- + check_ssl_cert/check_ssl_cert_1.140.0/VERSION
- check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.137.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/._cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.137.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.137.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.137.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.140.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
- debian/changelog
- debian/control
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.137.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.140.0/AUTHORS
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/COPYING → check_ssl_cert/check_ssl_cert_1.140.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.140.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.140.0/ChangeLog
=====================================
@@ -1,3 +1,16 @@
+2021-02-25 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): fixed the SCT check
+
+2021-02-24 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Check for TLS renegotiation
+
+2021-02-19 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Do not reset $OPENSSL so that a different
+ OpenSSL version can be specified with the environment variable
+
2021-02-17 Robin Pronk <robin.pronk at nedap.com>
* check_ssl_cert: Make HTTP request url configurable (default stays /)
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/INSTALL → check_ssl_cert/check_ssl_cert_1.140.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/Makefile → check_ssl_cert/check_ssl_cert_1.140.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/NEWS → check_ssl_cert/check_ssl_cert_1.140.0/NEWS
=====================================
@@ -1,3 +1,6 @@
+2021-02-25 Version 1.140.0: Fixed a bug in the SCT check
+2021-02-24 Version 1.139.0: Fixed a bug in the TLS renegotiation check
+2021-02-24 Version 1.138.0: Checks for TLS renegotiation
2021-02-18 Version 1.137.0: Added the --url option to specify the URL for the HTTP request
2021-02-16 Version 1.136.0: Fixed the signed certificate timestamps spelling (command line option)
2021-01-28 Version 1.135.0: Checks for signed certificate timestamps (SCTs)
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/README.md → check_ssl_cert/check_ssl_cert_1.140.0/README.md
=====================================
@@ -67,7 +67,8 @@ Options:
or MD5
--ignore-sct do not check for signed certificate timestamps (SCT)
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
- --inetproto protocol Force IP version 4 or 6
+ --ignore-tls-renegotiation Ignores the TLS renegotiation check
+ --Inetproto protocol Force IP version 4 or 6
-i,--issuer issuer pattern to match the issuer of the certificate
--issuer-cert-cache dir directory where to store issuer certificates cache
-K,--clientkey path use client certificate key to authenticate
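Review bot: the option on the changed line is now spelled --Inetproto with a capital I, while the usage() text in check_ssl_cert still lists --inetproto. This looks like an accidental edit made while adding --ignore-tls-renegotiation; restore the lowercase spelling so the README matches the script.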
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/TODO → check_ssl_cert/check_ssl_cert_1.140.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.140.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.137.0
+VERSION=1.140.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -109,6 +109,7 @@ usage() {
echo " or MD5"
echo " --ignore-sct do not check for signed certificate timestamps (SCT)"
echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
+ echo " --ignore-tls-renegotiation Ignores the TLS renegotiation check"
echo " --inetproto protocol Force IP version 4 or 6"
echo " -i,--issuer issuer pattern to match the issuer of the certificate"
echo " --issuer-cert-cache dir directory where to store issuer certificates cache"
@@ -1349,7 +1350,6 @@ main() {
# Default values
DEBUG=""
- OPENSSL=""
FILE_BIN=""
CURL_BIN=""
CURL_PROXY=""
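Review bot: with the OPENSSL="" line dropped from the default values, the binary that the script later runs as ${OPENSSL} x509 comes from the caller's environment, and nothing at this spot says so. Leave a comment where the line was removed stating that OPENSSL is deliberately inherited, and, unless main() already does this further down, verify that a non-empty value points to an executable file before it is used.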
@@ -1456,6 +1456,10 @@ main() {
IGNORE_SSL_LABS_CACHE="&startNew=on"
shift
;;
+ --ignore-tls-renegotiation)
+ IGNORE_TLS_RENEGOTIATION='1'
+ shift
+ ;;
--no-proxy)
NO_PROXY=1
shift
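Review bot: IGNORE_TLS_RENEGOTIATION is set in the new case branch, but no hunk in this diff initialises it in the "Default values" block of main(). Because the check is guarded by [ -z "${IGNORE_TLS_RENEGOTIATION}" ], a value inherited from the environment would switch the check off without the option being given. Add IGNORE_TLS_RENEGOTIATION="" next to the other defaults.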
@@ -2608,13 +2612,11 @@ main() {
trap_with_arg cleanup ${SIGNALS}
fetch_certificate
-
+
if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
if [ -n "${SERVERNAME}" ] ; then
- # Some OpenSSL versions have problems with the -servername option
- # We try without
verboselog "'${OPENSSL} s_client' returned an error: trying without '-servername'"
SERVERNAME=""
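Review bot: the two removed comment lines ("Some OpenSSL versions have problems with the -servername option" and "We try without") were the only explanation of why the fetch is retried with an empty SERVERNAME; keep them. The -/+ pair on the blank line after fetch_certificate is a whitespace-only change and should be dropped if it introduces trailing whitespace.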
@@ -2624,12 +2626,26 @@ main() {
if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
- prepend_critical_message "cannot fetch certificate: OpenSSL got an unexpected message"
+ prepend_critical_message 'cannot fetch certificate: OpenSSL got an unexpected message'
fi
fi
+ # check for TLS renegotiation
+ if [ -z "${IGNORE_TLS_RENEGOTIATION}" ] ; then
+
+ verboselog "Checking TLS renegotiation"
+
+ # we just check the insecure renegotiation if the connection was not using TLS 1.3
+ # we could connect again with -no_tls1_3 and check
+
+ if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}" ; then
+ prepend_critical_message 'TLS secure renegotiation is supported'
+ fi
+
+ fi
+
if ascii_grep "BEGIN X509 CRL" "${CERT}" ; then
# we are dealing with a CRL file
OPENSSL_COMMAND="crl"
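Review bot: the message on the new prepend_critical_message line says the opposite of what the condition tests. The branch is taken when the output contains "Secure Renegotiation IS NOT" and the session is not TLS 1.3, yet the operator is told 'TLS secure renegotiation is supported'; change the text to say that secure renegotiation is not supported. The dot in the 'TLSv1.3' pattern is also unescaped and the pattern is unanchored, so that string appearing anywhere in the file suppresses the check; tighten it to TLSv1\.3.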
@@ -3240,6 +3256,8 @@ main() {
# Check the organization
if [ -n "${ORGANIZATION}" ] ; then
+ debuglog "Checking organization ${ORGANIZATION}"
+
ORG=$(${OPENSSL} x509 -in "${CERT}" -subject -noout | sed -e "s/.*\\/O=//" -e "s/\\/.*//")
if ! echo "${ORG}" | grep -q -E "^${ORGANIZATION}" ; then
@@ -3276,6 +3294,8 @@ main() {
# Check if the certificate was verified
if [ -z "${NOAUTH}" ] && ascii_grep '^verify\ error:' "${ERROR}" ; then
+ debuglog 'Checking if the certificate was self signed'
+
if ascii_grep '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' "${ERROR}" ; then
if [ -z "${SELFSIGNED}" ] ; then
@@ -3302,7 +3322,8 @@ main() {
##############################################################################
# Check for Signed Certificate Timestamps (SCT)
- if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text | grep -q 'SCTs' ; then
+ debuglog 'Checking Signed Certificate Timestamps (SCTs)'
+ if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text -noout | grep -q 'SCTs' ; then
prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
fi
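Review bot: the new debuglog line sits before the if, so "Checking Signed Certificate Timestamps (SCTs)" is logged even when ${SCT} is empty and the check is skipped; move it inside the condition or guard it with the same [ -n "${SCT}" ] test. The -noout addition is right, since it keeps the PEM body out of the text that grep -q 'SCTs' searches.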
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "February, 2021" "1.137.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "February, 2021" "1.140.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -117,6 +117,9 @@ do not check for signed certificate timestamps (SCT)
.BR " --ignore-ssl-labs-cache"
Forces a new check by SSL Labs (see -L)
.TP
+.BR " --ignore-tls-renegotiation"
+Ignores the TLS renegotiation check
+.TP
.BR " --issuer-cert-cache" " dir"
directory where to store issuer certificates cache
.TP
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.137.0
+%define version 1.140.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,15 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Thu Feb 25 2021 Matteo Corti <matteo at corti.li> - 1.140.0-0
+- Updated to 1.140.0
+
+* Wed Feb 24 2021 Matteo Corti <matteo at corti.li> - 1.139.0-0
+- Updated to 1.139.0
+
+* Wed Feb 24 2021 Matteo Corti <matteo at corti.li> - 1.138.0-0
+- Updated to 1.138.0
+
* Thu Feb 18 2021 Matteo Corti <matteo at corti.li> - 1.137.0-0
- Updated to 1.137.0
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/._cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_empty_subject.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.137.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.140.0/test/unit_tests.sh
=====================================
@@ -177,7 +177,8 @@ testWildcardAltNames2() {
--cn somehost.spapps.ethz.ch \
--cn otherhost.sPaPPs.ethz.ch \
--cn spapps.ethz.ch \
- --rootcert cabundle.crt --altnames
+ --rootcert cabundle.crt --altnames \
+
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
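Review bot: the changed --rootcert line now ends in a line-continuation backslash followed by an added empty line, so the command only terminates because the next line happens to be blank. This looks like the leftover of an option that was removed; drop the trailing \ and the blank line so that a later edit cannot join EXIT_CODE=$? onto the command as an argument.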
@@ -206,7 +207,7 @@ testXMPPHost() {
# $TRAVIS is set an environment variable
# shellcheck disable=SC2154
if [ -z "${TRAVIS+x}" ] ; then
- out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
+ out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is )
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
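Review bot: the only change on the out=$(...) line is a space before the closing parenthesis, which has no effect; revert it. Neither hunk in unit_tests.sh adds a test for the TLS renegotiation check or for --ignore-tls-renegotiation, so the new code path in main() has no test coverage in this update.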
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.137.0
+Version: 1.140.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.137.0/
\ No newline at end of file
+check_ssl_cert_1.140.0/
\ No newline at end of file
=====================================
debian/changelog
=====================================
@@ -1,6 +1,23 @@
-nagios-plugins-contrib (29.20210205~1) UNRELEASED; urgency=medium
+nagios-plugins-contrib (31.20210225~1.gbp491241) UNRELEASED; urgency=medium
- * UNRELEASED
+ ** SNAPSHOT build @491241933e1079e581d980b7dca3a034326e54f6 **
+
+ * NOT RELEASED YET
+
+ -- Jan Wagner <waja at cyconet.org> Thu, 25 Feb 2021 21:02:03 +0100
+
+nagios-plugins-contrib (31.20210225) unstable; urgency=medium
+
+ * [d90c9ca] check_ssl_cert: Update to 1.140.0
+ * [2e3f652] Auto update of debian/control
+
+ -- Jan Wagner <waja at cyconet.org> Thu, 25 Feb 2021 19:45:55 +0100
+
+nagios-plugins-contrib (30.20210223) unstable; urgency=medium
+
+ * [e8ad4d9] Move transitional package nagios-plugins-contrib to
+ oldlibs/optional per policy 4.0.1.
+ * [1d2c802] check_ssl_cert: Update to 1.137.0
-- Jan Wagner <waja at cyconet.org> Thu, 04 Feb 2021 10:14:40 +0100
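Review bot: the 31.20210225 entry records only "check_ssl_cert: Update to 1.140.0", but that update enables a TLS renegotiation check by default, which can produce new CRITICAL results for hosts that passed before. Mention the new check and the --ignore-tls-renegotiation option in the entry so administrators see the behaviour change on upgrade.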
=====================================
debian/control
=====================================
@@ -173,7 +173,7 @@ Description: Plugins for nagios compatible monitoring systems
HOST-RESOURCES-MIB::hrSystemDate.0 used here returns 8 or 11 byte octets.
SNMP translation needs to be switched off and to be converted the
received SNMP data into readable strings.
- * check_ssl_cert (1.135.0): plugin to check the CA and validity of an
+ * check_ssl_cert (1.140.0): plugin to check the CA and validity of an
X.509 certificate
* check_uptime (0.521): check_uptime returns uptime of a system
in text (readable) format as well as in minutes for performance graphing.
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/1d2c8026320dbccf5374c7bd4560c9217d42889e...09f9e69a1e6a1f7b7645067e3997cc664fefbe42