[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 2 commits: check_ssl_cert: Update to 1.132.0
Jan Wagner
gitlab at salsa.debian.org
Wed Jan 20 07:32:24 GMT 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
0504d3eb by Jan Wagner at 2021-01-19T16:46:54+01:00
check_ssl_cert: Update to 1.132.0
- - - - -
ad6c6e60 by Jan Wagner at 2021-01-19T16:49:51+01:00
Merge branch 'master' into development
- - - - -
22 changed files:
- − check_ssl_cert/check_ssl_cert_1.129.0/VERSION
- check_ssl_cert/check_ssl_cert_1.129.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.132.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.129.0/COPYING → check_ssl_cert/check_ssl_cert_1.132.0/COPYING
- check_ssl_cert/check_ssl_cert_1.129.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.132.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.129.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.132.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.129.0/INSTALL → check_ssl_cert/check_ssl_cert_1.132.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.129.0/Makefile → check_ssl_cert/check_ssl_cert_1.132.0/Makefile
- check_ssl_cert/check_ssl_cert_1.129.0/NEWS → check_ssl_cert/check_ssl_cert_1.132.0/NEWS
- check_ssl_cert/check_ssl_cert_1.129.0/README.md → check_ssl_cert/check_ssl_cert_1.132.0/README.md
- check_ssl_cert/check_ssl_cert_1.129.0/TODO → check_ssl_cert/check_ssl_cert_1.132.0/TODO
- + check_ssl_cert/check_ssl_cert_1.132.0/VERSION
- check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert.spec
- + check_ssl_cert/check_ssl_cert_1.132.0/test/._cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.129.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.132.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.129.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.132.0/test/cacert.crt
- + check_ssl_cert/check_ssl_cert_1.132.0/test/cert_with_empty_subject.crt
- + check_ssl_cert/check_ssl_cert_1.132.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.129.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.132.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.129.0
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.132.0/AUTHORS
=====================================
@@ -105,4 +105,5 @@ Thanks:
* Many thanks to Marcel Burkhalter (https://github.com/explorer69) the custom HTTP header patch.
* Many thanks to Peter Newmann (https://github.com/peternewman) for the timeout
documentation patch and the issuers patch
-* Many thanks to cbiedl (https://github.com/cbiedl) for the proxy patch
\ No newline at end of file
+* Many thanks to cbiedl (https://github.com/cbiedl) for the proxy patch
+* Many thanks to Robin Schneider (https://github.com/ypid-geberit) for the --long-output all patch
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/COPYING → check_ssl_cert/check_ssl_cert_1.132.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.132.0/COPYRIGHT
=====================================
@@ -1,6 +1,6 @@
Copyright (c) 2007-2013 ETH Zurich
- Copyright (c) 2007-2020 Matteo Corti
+ Copyright (c) 2007-2021 Matteo Corti
with the following individuals added to the list of Contributing Authors
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.132.0/ChangeLog
=====================================
@@ -1,3 +1,17 @@
+2021-01-18 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (exec_with_timeout): Execute timeout in the background so that it can handle signals
+ * check_ssl_cert (fetch_certificate): Better error message for DH with a too small key and handshake failure
+ * check_ssl_cert (check_crl): Checks revokation via CRL
+
+2021-01-15 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_ocsp): OCSP check on all the chain elements
+
+2021-01-14 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): retries when SSL Labs is running at full capacity
+
2020-12-23 Matteo Corti <matteo at corti.li>
* check_ssl_cert (main): - instead of _ to separate words in the command line options
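Review bot: "revokation" in the new check_crl entry should read "revocation"; the same misspelling is carried into the NEWS file and the user-visible --crl help text in this update, so correcting it here first keeps the ChangeLog and the help output consistent.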
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/INSTALL → check_ssl_cert/check_ssl_cert_1.132.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/Makefile → check_ssl_cert/check_ssl_cert_1.132.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/NEWS → check_ssl_cert/check_ssl_cert_1.132.0/NEWS
=====================================
@@ -1,3 +1,8 @@
+2021-01-18 Version 1.132.0: Timeouted subprocesses can now be interrupted
+ Revokation via CRL can be checked with the --crl option
+ Better error messages for DH with small keys and handshake failures
+2021-01-15 Version 1.131.0: OCSP check on all the chain elements
+2021-01-14 Version 1.130.0: Retries when SSL Labs has no available slot
2020-12-24 Version 1.129.0: Bug fix in the proxy parameters handling
2020-12-22 Version 1.128.0: Added --no-proxy to ignore proxy settings
2020-12-21 Version 1.127.0: Better handling of certificates without CN in the subject
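Review bot: the 1.132.0 entry has two spelling slips: "Timeouted subprocesses" should read "Timed-out subprocesses" and "Revokation via CRL" should read "Revocation via CRL".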
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/README.md → check_ssl_cert/check_ssl_cert_1.132.0/README.md
=====================================
@@ -1,7 +1,7 @@
(c) Matteo Corti, ETH Zurich, 2007-2012
- (c) Matteo Corti, 2007-2020
+ (c) Matteo Corti, 2007-2021
see AUTHORS for the complete list of contributors
# check_ssl_cert
@@ -28,6 +28,7 @@ Options:
--clientpass phrase set passphrase for client certificate..
-c,--critical days minimum number of days a certificate has to
be valid to issue a critical status. Default: 15
+ --crl checks revokation via CRL (requires --rootcert-file)
--curl-bin path path of the curl binary to be used
--curl-user-agent string user agent that curl shall use to obtain the
issuer cert
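Review bot: the new --crl help line should say "revocation", and it is worth documenting what the check does for chain elements without a CRL Distribution Points extension: in the new check_crl such elements are only logged at debug level and treated as not revoked, which operators enabling --crl will want to know before relying on the result.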
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/TODO → check_ssl_cert/check_ssl_cert_1.132.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.132.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.132.0
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert
=====================================
@@ -10,7 +10,7 @@
# See the INSTALL file for installation instructions
#
# Copyright (c) 2007-2012 ETH Zurich.
-# Copyright (c) 2007-2020 Matteo Corti <matteo at corti.li>
+# Copyright (c) 2007-2021 Matteo Corti <matteo at corti.li>
#
# This module is free software; you can redistribute it and/or modify it
# under the terms of GNU general public license (gpl) version 3.
@@ -19,10 +19,10 @@
################################################################################
# Constants
-VERSION=1.129.0
+VERSION=1.132.0
SHORTNAME="SSL_CERT"
-VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
+VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
SIGNALS="HUP INT QUIT TERM ABRT"
@@ -70,6 +70,7 @@ usage() {
echo " --clientpass phrase set passphrase for client certificate."
echo " -c,--critical days minimum number of days a certificate has to"
echo " be valid to issue a critical status. Default: ${CRITICAL_DAYS}"
+ echo " --crl checks revokation via CRL (requires --rootcert-file)"
echo " --curl-bin path path of the curl binary to be used"
echo " --curl-user-agent string user agent that curl shall use to obtain the"
echo " issuer cert"
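Review bot: "checks revokation via CRL" should be "checks revocation via CRL", as in README.md; the usage() text and the README options block are kept identical, so both need the same change.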
@@ -512,7 +513,11 @@ exec_with_timeout() {
debuglog "$(printf "%s %s %s\n" "${TIMEOUT_BIN}" "${time}" "${command}")"
- eval "${TIMEOUT_BIN} ${time} ${command}" > /dev/null 2>&1
+ # We execute timeout in the backgroud so that it can be relay a signal to 'timeout'
+ # https://unix.stackexchange.com/questions/57667/why-cant-i-kill-a-timeout-called-from-a-bash-script-with-a-keystroke/57692#57692
+ eval "${TIMEOUT_BIN} ${time} ${command} &" > /dev/null 2>&1
+ TIMEOUT_PID=$!
+ wait "${TIMEOUT_PID}"
RET=$?
# return codes
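Review bot: the comment on the first added line has typos ("backgroud", "so that it can be relay a signal"); suggest "We run timeout in the background so that a signal received by this script can be relayed to it". More substantively, backgrounding only achieves the stated goal if the handler installed for SIGNALS kills ${TIMEOUT_PID}: wait returns early when the script is signalled, but the timeout process and its child keep running unless the trap does that. The trap is outside this hunk, so please confirm it kills TIMEOUT_PID (when set) before exiting.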
@@ -578,6 +583,8 @@ EOT
else
+ debuglog "$(printf "%s\n" eval "${command}")"
+
eval "${command}"
return $?
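Review bot: `debuglog "$(printf "%s\n" eval "${command}")"` passes two arguments to a one-placeholder format, so printf reuses the format and prints "eval" and the command on separate lines. If the intent is to log the command about to be evaluated, use `debuglog "$(printf "eval %s\n" "${command}")"` or simply `debuglog "eval ${command}"`.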
@@ -604,6 +611,348 @@ check_required_prog() {
}
+
+################################################################################
+# Checks cert revokation via CRL
+# Params
+# $1 cert
+# $2 element number
+check_crl() {
+ el_number=1
+ if [ -n "$2" ]; then
+ el_number=$2
+ fi
+
+ create_temporary_file; CERT_ELEMENT=${TEMPFILE}
+ debuglog "Storing the chain element in ${CERT_ELEMENT}"
+ echo "${1}" > "${CERT_ELEMENT}"
+
+ # We check all the elements of the chain (but the root) for revocation
+ # If any element is revoked, the certificate should not be trusted
+ # https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked
+
+ debuglog "Checking CRL status of element ${el_number}"
+
+ # See https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
+
+ CRL_URI=$( "${OPENSSL}" x509 -noout -text -in "${CERT_ELEMENT}" |
+ grep -A 4 'X509v3 CRL Distribution Points' |
+ grep URI |
+ sed 's/^.*URI://'
+ )
+
+ if [ -n "${CRL_URI}" ] ; then
+
+ debuglog "Certificate revokation list available (${CRL_URI})"
+
+ debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP_DER}"
+
+ if [ -n "${CURL_USER_AGENT}" ] ; then
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
+ else
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
+ fi
+
+ # convert DER to
+ debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
+ "${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
+
+ # combine the certificate and the CRL
+ debuglog "Combining the certificate, the CRL and the root cert"
+ debuglog "cat ${CRL_TMP_PEM} ${CERT} ${ROOT_CA_FILE} > ${CRL_TMP_CHAIN}"
+ cat "${CRL_TMP_PEM}" "${CERT}" "${ROOT_CA_FILE}" > "${CRL_TMP_CHAIN}"
+
+ debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"
+ CRL_RESULT=$( "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
+ grep ':' |
+ head -n 1 |
+ sed 's/^.*:\ //'
+ )
+
+ debuglog " result: ${CRL_RESULT}"
+
+ if ! [ "${CRL_RESULT}" = 'OK' ] ; then
+ prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
+ fi
+
+ else
+
+ debuglog "Certificate revokation list not available"
+
+ fi
+
+}
+
+################################################################################
+# Checks cert revokation via OCSP
+# Params
+# $1 cert
+# $2 element number
+check_ocsp() {
+ el_number=1
+ if [ -n "$2" ]; then
+ el_number=$2
+ fi
+
+ # We check all the elements of the chain (but the root) for revocation
+ # If any element is revoked, the certificate should not be trusted
+ # https://security.stackexchange.com/questions/5253/what-happens-when-an-intermediate-ca-is-revoked
+
+ debuglog "Checking OCSP status of element ${el_number}"
+
+ create_temporary_file; CERT_ELEMENT=${TEMPFILE}
+ debuglog "Storing the chain element in ${CERT_ELEMENT}"
+ echo "${1}" > "${CERT_ELEMENT}"
+
+ ################################################################################
+ # Check revocation via OCSP
+ if [ -n "${OCSP}" ]; then
+
+ debuglog "Checking revokation via OCSP"
+
+ ISSUER_HASH="$(${OPENSSL} x509 -in "${CERT_ELEMENT}" -noout -issuer_hash)"
+ debuglog "Issuer hash: ${ISSUER_HASH}"
+
+ if [ -z "${ISSUER_HASH}" ] ; then
+ unknown 'unable to find issuer certificate hash.'
+ fi
+
+ ISSUER_CERT=
+ if [ -n "${ISSUER_CERT_CACHE}" ] ; then
+
+ if [ -r "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt" ]; then
+
+ debuglog "Found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
+
+ ISSUER_CERT="${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
+
+ else
+
+ debuglog "Not found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
+
+
+ fi
+
+ fi
+
+ # we just consider the first HTTP(S) URI
+ # TODO check SC2016
+ # shellcheck disable=SC2086,SC2016
+
+ ELEMENT_ISSUER_URI="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+
+ debuglog "Chain element issuer URI: ${ELEMENT_ISSUER_URI}"
+
+ # TODO: should be checked
+ # shellcheck disable=SC2021
+ if [ -z "${ELEMENT_ISSUER_URI}" ] ; then
+ verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks on element ${el_number}"
+ return
+ elif [ "${ELEMENT_ISSUER_URI}" != "$(echo "${ELEMENT_ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
+ verboselog "unable to fetch the CA issuer certificate (spaces in URI): disabling OCSP checks on element ${el_number}"
+ return
+ elif ! echo "${ELEMENT_ISSUER_URI}" | grep -qi '^http' ; then
+ verboselog "unable to fetch the CA issuer certificate (unsupported protocol): disabling OCSP checks on element ${el_number}"
+ return
+ fi
+
+
+ if [ -z "${ISSUER_CERT}" ] ; then
+
+ debuglog "OCSP: fetching issuer certificate ${ELEMENT_ISSUER_URI} to ${ISSUER_CERT_TMP}"
+
+ if [ -n "${CURL_USER_AGENT}" ] ; then
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
+ else
+ exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
+ fi
+
+ debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+
+ if echo "${ELEMENT_ISSUER_URI}" | grep -q 'p7c' ; then
+ debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM"
+
+ cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
+
+ ${OPENSSL} pkcs7 -print_certs -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+
+ fi
+
+ debuglog "OCSP: issuer certificate type (2): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+
+ # check the result
+ if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q ': (ASCII|PEM)' ; then
+
+ if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)' ; then
+
+ debuglog "OCSP: converting issuer certificate from DER to PEM"
+
+ cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
+
+ ${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+
+ else
+
+ debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )"
+
+ unknown "Unable to fetch a valid certificate issuer certificate."
+
+ fi
+
+ fi
+
+ debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
+
+ if [ -n "${DEBUG}" ] ; then
+
+ # remove trailing /
+ FILE_NAME=${ELEMENT_ISSUER_URI%/}
+
+ # remove everything up to the last slash
+ FILE_NAME="${TMPDIR}/${FILE_NAME##*/}"
+
+ debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+
+ cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
+ fi
+
+ if [ -n "${ISSUER_CERT_CACHE}" ] ; then
+ if [ ! -w "${ISSUER_CERT_CACHE}" ]; then
+
+ unknown "Issuer certificates cache ${ISSUER_CERT_CACHE} is not writeable!"
+
+ fi
+
+ debuglog "Storing Issuer Certificate to cache: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
+
+ cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
+
+ fi
+
+ ISSUER_CERT=${ISSUER_CERT_TMP}
+
+ fi
+
+
+ # TO DO: we just take the first result: a loop over all the hosts should
+ # shellcheck disable=SC2086
+ OCSP_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT_ELEMENT}" -ocsp_uri -noout | head -n 1)"
+ debuglog "OSCP: URI = ${OCSP_URI}"
+
+ OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\\([^/]\\+\\)\\(/.*\\)\\?\$@\\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
+
+ debuglog "OCSP: host = ${OCSP_HOST}"
+
+ if [ -n "${OCSP_HOST}" ] ; then
+
+ # check if -header is supported
+ OCSP_HEADER=""
+
+ # ocsp -header is supported in OpenSSL versions from 1.0.0, but not documented until 1.1.0
+ # so we check if the major version is greater than 0
+ if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
+
+ debuglog "openssl ocsp supports the -header option"
+
+ # the -header option was first accepting key and value separated by space. The newer versions are using key=value
+ KEYVALUE=""
+ if ${OPENSSL} ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
+ debuglog "${OPENSSL} ocsp -header requires 'key=value'"
+ KEYVALUE=1
+ else
+ debuglog "${OPENSSL} ocsp -header requires 'key value'"
+ fi
+
+ # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
+ # shellcheck disable=SC2154
+ if [ -n "${http_proxy}" ] ; then
+ HTTP_PROXY="${http_proxy}"
+ fi
+
+ if [ -n "${HTTP_PROXY:-}" ] ; then
+ OCSP_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
+
+ if [ -n "${KEYVALUE}" ] ; then
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ else
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ else
+
+ if [ -n "${KEYVALUE}" ] ; then
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+ else
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT_ELEMENT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ fi
+
+ debuglog "$(echo "${OCSP_RESP}" | sed 's/^/OCSP: response = /')"
+
+ if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
+
+ debuglog 'OCSP: Timeout on connect'
+
+ elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+
+ debuglog 'OCSP: revoked'
+
+ prepend_critical_message "certificate element ${el_number} is revoked (OCSP)"
+
+ elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
+
+ debuglog "OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
+
+ if [ -n "${HTTP_PROXY:-}" ] ; then
+
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT_ELEMENT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ fi
+
+ else
+
+ debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT_ELEMENT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+ OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT_ELEMENT}" -url "${OCSP_URI}" 2>&1 )"
+ fi
+
+ fi
+
+ verboselog "OCSP Error: ${OCSP_RESP}"
+
+ prepend_critical_message "OCSP error (-v for details)"
+
+ fi
+
+ else
+
+ verboselog "openssl ocsp does not support the -header option: disabling OCSP checks"
+
+ fi
+
+ else
+
+ verboselog "no OCSP host found: disabling OCSP checks"
+
+ fi
+
+ fi
+
+}
+
+
################################################################################
# Checks cert end date validity
# Params
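Review bot: check_crl reports every non-"OK" result of `openssl verify` as a revocation, and it trusts the CRL URI more than check_ocsp trusts the issuer URI. Three points: (1) CRL_URI is extracted from the certificate's CRL Distribution Points extension and interpolated into a command string that exec_with_timeout evals, without the `tr -d '"!|;$(){}<>`&'` filtering that check_ocsp applies to ELEMENT_ISSUER_URI and without `head -n 1`, so a certificate with several distribution points yields a multi-line URI; apply the same filtering and first-URI selection here. (2) The curl download is never checked: if the fetch fails or returns a non-DER body, `openssl crl -inform DER` produces an empty PEM, `openssl verify` fails with an "unable to get certificate CRL"-type error, and `if ! [ "${CRL_RESULT}" = 'OK' ]` reports "certificate element N is revoked (CRL)". Match on "certificate revoked" for the critical path and report fetch or parse failures as a distinct condition (unknown or a warning) so a flaky CRL server does not page as a revocation. (3) Minor: the debuglog before the verify omits the -CAfile argument and so does not show the command actually run; "OSCP: URI" is a typo for "OCSP"; and the debuglog in the proxy retry branch has a stray "]" after ${CERT_ELEMENT}.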
@@ -618,7 +967,7 @@ check_cert_end_date() {
debuglog "Checking expiration date of element ${el_number}"
- # shellcheck disable=SC2086
+ # shellcheck disable=SC2086
ELEM_END_DATE=$(echo "${1}" | "${OPENSSL}" "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -noout "${OPENSSL_ENDDATE_OPTION}" | sed -e "s/.*=//")
debuglog "Validity date on cert element ${el_number} is ${ELEM_END_DATE}"
@@ -633,8 +982,8 @@ check_cert_end_date() {
if [ "${OPENSSL_COMMAND}" = "x509" ]; then
# x509 certificates (default)
# We always check expired certificates
+ debuglog "executing: ${OPENSSL} x509 -noout -checkend 0 on cert element ${el_number}"
if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend 0 > /dev/null ; then
- debuglog "executing: ${OPENSSL} x509 -noout -checkend 0 on cert element ${el_number}"
prepend_critical_message "${OPENSSL_COMMAND} certificate element ${el_number} is expired (was valid until ${ELEM_END_DATE})"
return 2
fi
@@ -904,6 +1253,14 @@ fetch_certificate() {
prepend_critical_message "${ERROR}"
critical "${SHORTNAME} CRITICAL: ${ERROR}"
+ elif ascii_grep 'dh\ key\ too\ small' "${ERROR}" ; then
+
+ prepend_critical_message 'DH with a key too small'
+
+ elif ascii_grep 'alert\ handshake\ failure' "${ERROR}" ; then
+
+ prepend_critical_message 'Handshake failure'
+
else
# Try to clean up the error message
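Review bot: the two new elif branches only call prepend_critical_message, whereas the branch just above them calls critical and terminates. Unless the code after this if/elif chain already handles an empty ${CERT}, the plugin will continue and try to parse a certificate it never received after a "dh key too small" or "alert handshake failure" error. Either call critical as the preceding branch does, or confirm the later path copes with the missing certificate.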
@@ -1017,6 +1374,7 @@ main() {
SKIP_ELEMENT=0
NO_PROXY=""
PROXY=""
+ CRL=""
# after 2020-09-01 we could set the default to 398 days because of Apple
# https://support.apple.com/en-us/HT211025
@@ -1049,6 +1407,10 @@ main() {
ALTNAMES=1
shift
;;
+ --crl)
+ CRL=1
+ shift
+ ;;
-d|--debug)
DEBUG=1
VERBOSE=1
@@ -1609,11 +1971,14 @@ main() {
unknown "Cannot read root certificate ${ROOT_CA_FILE}"
fi
- ROOT_CA_FILE="-CAfile ${ROOT_CA_FILE}"
fi
if [ -n "${ROOT_CA_DIR}" ] || [ -n "${ROOT_CA_FILE}" ]; then
- ROOT_CA="${ROOT_CA_DIR} ${ROOT_CA_FILE}"
+ if [ -n "${ROOT_CA_FILE}" ] ; then
+ ROOT_CA="${ROOT_CA_DIR} -CAfile ${ROOT_CA_FILE}"
+ else
+ ROOT_CA="${ROOT_CA_DIR}"
+ fi
fi
if [ -n "${CLIENT_CERT}" ] ; then
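Review bot: ROOT_CA_FILE now holds a bare path instead of "-CAfile <path>", which check_crl relies on when it cats the file into the CRL chain. Only the ROOT_CA assembly is adjusted in this hunk, so please check the rest of the script for other readers of ROOT_CA_FILE that still expect the option prefix.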
@@ -1674,6 +2039,12 @@ main() {
fi
+ if [ -n "${CRL}" ] && [ -z "${ROOT_CA_FILE}" ] ; then
+
+ unknown "To be able to check CRL we need the Root Cert. Please specify it with the --rootcert-file option"
+
+ fi
+
if [ -n "${TMPDIR}" ] ; then
if [ ! -d "${TMPDIR}" ] ; then
@@ -1752,9 +2123,9 @@ main() {
# cURL
if [ -z "${CURL_BIN}" ] ; then
- if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
+ if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] || [ -n "${CRL}" ] ; then
if [ -n "${DEBUG}" ] ; then
- debuglog "cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
+ debuglog "cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}, CURL = ${CRL}"
debuglog "cURL binary not specified"
fi
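Review bot: the debug message says "CURL = ${CRL}" where "CRL = ${CRL}" is meant.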
@@ -2163,6 +2534,10 @@ main() {
create_temporary_file; CERT=${TEMPFILE}
create_temporary_file; ERROR=${TEMPFILE}
+ create_temporary_file; CRL_TMP_DER=${TEMPFILE}
+ create_temporary_file; CRL_TMP_PEM=${TEMPFILE}
+ create_temporary_file; CRL_TMP_CHAIN=${TEMPFILE}
+
if [ -n "${OCSP}" ] ; then
create_temporary_file; ISSUER_CERT_TMP=${TEMPFILE}
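Review bot: the three CRL temporary files are created unconditionally, while the OCSP ones just below are created only when ${OCSP} is set; for consistency and to avoid three unused files per run, wrap them in `if [ -n "${CRL}" ] ; then ... fi`.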
@@ -2316,6 +2691,7 @@ main() {
# start with first certificate
debuglog "Skipping ${SKIP_ELEMENT} element of the chain"
CERT_IN_CHAIN=$(( SKIP_ELEMENT + 1 ))
+
# shellcheck disable=SC2086
while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do
if [ -n "${ISSUERS}" ]; then
@@ -2351,19 +2727,6 @@ main() {
ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
- # TODO: should be checked
- # shellcheck disable=SC2021
- if [ -z "${ISSUER_URI}" ] ; then
- verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks"
- OCSP=""
- elif [ "${ISSUER_URI}" != "$(echo "${ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
- verboselog "unable to fetch the CA issuer certificate (spaces in URI)"
- OCSP=""
- elif ! echo "${ISSUER_URI}" | grep -qi '^http' ; then
- verboselog "unable to fetch the CA issuer certificate (unsupported protocol)"
- OCSP=""
- fi
-
# Check OCSP stapling
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
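Review bot: the validation of ISSUER_URI is removed (it now lives in check_ocsp as ELEMENT_ISSUER_URI), but the line computing ISSUER_URI is kept. If nothing else in main reads ISSUER_URI after this change, drop the computation as well; if something does, it now operates on a value that is no longer validated.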
@@ -2683,15 +3046,26 @@ main() {
else
# count the certificates in the chain
NUM_CERTIFICATES=$(grep -c -- "-BEGIN CERTIFICATE-" "${CERT}")
- debuglog "Nb certificates in CA chain: $((NUM_CERTIFICATES))"
+ debuglog "Number of certificates in CA chain: $((NUM_CERTIFICATES))"
debuglog "Skipping ${SKIP_ELEMENT} element of the chain"
+
CERT_IN_CHAIN=$(( SKIP_ELEMENT + 1 ))
while [ "${CERT_IN_CHAIN}" -le "${NUM_CERTIFICATES}" ]; do
elem_number=$((CERT_IN_CHAIN))
chain_element=$(sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CERT}" | \
- awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}')
+ awk -v n="${CERT_IN_CHAIN}" '/-BEGIN CERTIFICATE-/{l++} (l==n) {print}')
+ debuglog '------------------------------------------------------------------------------'
check_cert_end_date "${chain_element}" "${elem_number}"
+
+ debuglog '------------------------------------------------------------------------------'
+ check_ocsp "${chain_element}" "${elem_number}"
+
+ if [ -n "${CRL}" ] ; then
+ debuglog '------------------------------------------------------------------------------'
+ check_crl "${chain_element}" "${elem_number}"
+ fi
+
CERT_IN_CHAIN=$(( CERT_IN_CHAIN + 1 ))
if ! [ "${ELEMENT}" -eq 0 ] && [ $(( CERT_IN_CHAIN - ELEMENT )) -lt 0 ]; then
break
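Review bot: check_ocsp is called for every chain element without testing ${OCSP} at the call site, relying on the guard inside the function, while check_crl is guarded here with `if [ -n "${CRL}" ]`; guard both the same way. With the current arrangement check_ocsp still runs create_temporary_file before its own ${OCSP} test, so each chain element allocates a temporary file even when OCSP checking is disabled.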
@@ -2701,6 +3075,8 @@ main() {
fi
+ debuglog '------------------------------------------------------------------------------'
+
################################################################################
# Check SSL Labs
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
@@ -2737,73 +3113,79 @@ main() {
# We clear the cache only on the first run
IGNORE_SSL_LABS_CACHE=""
- SSL_LABS_HOST_STATUS=$(echo "${JSON}" \
- | sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/')
+ if echo "${JSON}" | grep -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later' ; then
+ verboselog 'SSL Labs running at full capacity'
+ else
- debuglog "SSL Labs status: ${SSL_LABS_HOST_STATUS}"
+ SSL_LABS_HOST_STATUS=$(echo "${JSON}" \
+ | sed 's/.*"status":[ ]*"\([^"]*\)".*/\1/')
- case "${SSL_LABS_HOST_STATUS}" in
- 'ERROR')
- SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
- prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
- ;;
- 'READY')
- if ! echo "${JSON}" | grep -q "grade" ; then
+ debuglog "SSL Labs status: ${SSL_LABS_HOST_STATUS}"
- # Something went wrong
- SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
- prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
+ case "${SSL_LABS_HOST_STATUS}" in
+ 'ERROR')
+ SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
+ | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
+ prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
+ ;;
+ 'READY')
+ if ! echo "${JSON}" | grep -q "grade" ; then
- else
+ # Something went wrong
+ SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
+ | sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
+ prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
+
+ else
- SSL_LABS_HOST_GRADE=$(echo "${JSON}" \
- | sed 's/.*"grade":[ ]*"\([^"]*\)".*/\1/')
+ SSL_LABS_HOST_GRADE=$(echo "${JSON}" \
+ | sed 's/.*"grade":[ ]*"\([^"]*\)".*/\1/')
- debuglog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
+ debuglog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
- verboselog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
+ verboselog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
- convert_ssl_lab_grade "${SSL_LABS_HOST_GRADE}"
- SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
+ convert_ssl_lab_grade "${SSL_LABS_HOST_GRADE}"
+ SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
- add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"
+ add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"
- # Check the grade
- if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
- prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
- elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
- if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
- append_warning_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
+ # Check the grade
+ if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
+ prepend_critical_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
+ elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
+ if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
+ append_warning_message "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
+ fi
fi
- fi
- debuglog "SSL Labs grade (converted): ${SSL_LABS_HOST_GRADE_NUMERIC}"
+ debuglog "SSL Labs grade (converted): ${SSL_LABS_HOST_GRADE_NUMERIC}"
- # We have a result: exit
- break
+ # We have a result: exit
+ break
- fi
- ;;
- 'IN_PROGRESS')
- # Data not yet available: warn and continue
- verboselog "Warning: no cached data by SSL Labs, check initiated"
- ;;
- 'DNS')
- verboselog "SSL Labs cannot resolve the domain name"
- ;;
- *)
- # Try to extract a message
- SSL_LABS_ERROR_MESSAGE=$(echo "${JSON}" \
- | sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/')
-
- if [ -z "${SSL_LABS_ERROR_MESSAGE}" ] ; then
- SSL_LABS_ERROR_MESSAGE="${JSON}"
- fi
+ fi
+ ;;
+ 'IN_PROGRESS')
+ # Data not yet available: warn and continue
+ verboselog "Warning: no cached data by SSL Labs, check initiated"
+ ;;
+ 'DNS')
+ verboselog "SSL Labs cannot resolve the domain name"
+ ;;
+ *)
+ # Try to extract a message
+ SSL_LABS_ERROR_MESSAGE=$(echo "${JSON}" \
+ | sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/')
- prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
- esac
+ if [ -z "${SSL_LABS_ERROR_MESSAGE}" ] ; then
+ SSL_LABS_ERROR_MESSAGE="${JSON}"
+ fi
+
+ prepend_critical_message "Cannot check status on SSL Labs: ${SSL_LABS_ERROR_MESSAGE}"
+ esac
+
+ fi
WAIT_TIME=60
verboselog "Waiting ${WAIT_TIME} seconds"
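Review bot: the new full-capacity test is a fixed string written as a basic regex: the `\ ` escapes are unnecessary and the `.` after "capacity" is a wildcard; `grep -q -F 'Running at full capacity. Please try again later'` is clearer and exact. The rest of the hunk is a re-indentation of the existing block; reviewing it with a whitespace-ignoring diff confirms that the only behavioural change is the new branch, which falls through to the existing WAIT_TIME sleep and retry.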
@@ -2814,208 +3196,6 @@ main() {
fi
- ################################################################################
- # Check revocation via OCSP
- if [ -n "${OCSP}" ]; then
-
- debuglog "Checking revokation via OCSP"
-
- ISSUER_HASH="$(${OPENSSL} x509 -in "${CERT}" -noout -issuer_hash)"
-
- if [ -z "${ISSUER_HASH}" ] ; then
- unknown 'unable to find issuer certificate hash.'
- fi
-
- if [ -n "${ISSUER_CERT_CACHE}" ] ; then
-
- if [ -r "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt" ]; then
-
- debuglog "Found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
-
- ISSUER_CERT="${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
-
- else
-
- debuglog "Not found cached Issuer Certificate: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
-
-
- fi
-
- fi
-
- if [ -z "${ISSUER_CERT}" ] ; then
-
- debuglog "OCSP: fetching issuer certificate ${ISSUER_URI} to ${ISSUER_CERT_TMP}"
-
- if [ -n "${CURL_USER_AGENT}" ] ; then
- exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${CURL_USER_AGENT}' --location \\\"${ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
- else
- exec_with_timeout "${TIMEOUT}" "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
- fi
-
- debuglog "OCSP: issuer certificate type: $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
-
- # check the result
- if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q ': (ASCII|PEM)' ; then
-
- if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)' ; then
-
- debuglog "OCSP: converting issuer certificate from DER to PEM"
-
- cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
-
- ${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
-
- else
-
- debuglog "OCSP: complete issuer certificare type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )"
-
- unknown "Unable to fetch a valid certificate issuer certificate."
-
- fi
-
- fi
-
- if [ -n "${DEBUG}" ] ; then
-
- # remove trailing /
- FILE_NAME=${ISSUER_URI%/}
-
- # remove everything up to the last slash
- FILE_NAME="${TMPDIR}/${FILE_NAME##*/}"
-
- debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
-
- cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
- fi
-
- if [ -n "${ISSUER_CERT_CACHE}" ] ; then
- if [ ! -w "${ISSUER_CERT_CACHE}" ]; then
-
- unknown "Issuer certificates cache ${ISSUER_CERT_CACHE} is not writeable!"
-
- fi
-
- debuglog "Storing Issuer Certificate to cache: ${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
-
- cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_CACHE}/${ISSUER_HASH}.crt"
-
- fi
-
- ISSUER_CERT=${ISSUER_CERT_TMP}
-
- fi
- OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\\([^/]\\+\\)\\(/.*\\)\\?\$@\\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
-
- debuglog "OCSP: host = ${OCSP_HOST}"
-
- if [ -n "${OCSP_HOST}" ] ; then
-
- # check if -header is supported
- OCSP_HEADER=""
-
- # ocsp -header is supported in OpenSSL versions from 1.0.0, but not documented until 1.1.0
- # so we check if the major version is greater than 0
- if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
-
- debuglog "openssl ocsp supports the -header option"
-
- # the -header option was first accepting key and value separated by space. The newer versions are using key=value
- KEYVALUE=""
- if ${OPENSSL} ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
- debuglog "${OPENSSL} ocsp -header requires 'key=value'"
- KEYVALUE=1
- else
- debuglog "${OPENSSL} ocsp -header requires 'key value'"
- fi
-
- # http_proxy is sometimes lower- and sometimes uppercase. Programs usually check both
- # shellcheck disable=SC2154
- if [ -n "${http_proxy}" ] ; then
- HTTP_PROXY="${http_proxy}"
- fi
-
- if [ -n "${HTTP_PROXY:-}" ] ; then
- OCSP_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
-
- if [ -n "${KEYVALUE}" ] ; then
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
- else
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host \"${OCSP_PROXY_ARGUMENT}\" -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${OCSP_PROXY_ARGUMENT}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
- fi
-
- else
-
- if [ -n "${KEYVALUE}" ] ; then
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
- else
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
- fi
-
- fi
-
- debuglog "$(echo "${OCSP_RESP}" | sed 's/^/OCSP: response = /')"
-
- if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
-
- debuglog 'OCSP: Timeout on connect'
-
- elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
-
- debuglog 'OCSP: revoked'
-
- prepend_critical_message "certificate is revoked"
-
- elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
-
- debuglog "OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
-
- if [ -n "${HTTP_PROXY:-}" ] ; then
-
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
-
- if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
- else
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
- fi
-
- else
-
- debuglog "executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
-
- if [ -n "${OCSP_HEADER}" ] ; then
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
- else
- OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
- fi
-
- fi
-
- verboselog "OCSP Error: ${OCSP_RESP}"
-
- prepend_critical_message "OCSP error (-v for details)"
-
- fi
-
- else
-
- verboselog "openssl ocsp does not support the -header option: disabling OCSP checks"
-
- fi
-
- else
-
- verboselog "no OCSP host found: disabling OCSP checks"
-
- fi
-
- fi
-
################################################################################
# Check the organization
if [ -n "${ORGANIZATION}" ] ; then
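Review bot: this hunk deletes the whole in-line OCSP revocation check from main() (issuer fetch and DER-to-PEM conversion, the ISSUER_CERT_CACHE read/write, the -header key=value detection, the http_proxy/HTTP_PROXY path and the "certificate is revoked" / "OCSP error" results) and adds nothing in its place, and neither the hunk nor the commit message ("Update to 1.132.0") says where the logic went; the header shift (-2814,208 to +3196,6) is consistent with a move elsewhere in the script, but that is not visible here. Before merging, confirm the check still exists and still covers the branches this block handled, in particular the cache write (which previously aborted with unknown when the cache directory was not writable) and the proxy branch, since these are the ones most likely to be dropped in a refactor. The existing testBadSSLRevoked and testGRCRevoked tests in the unit_tests.sh hunk still expect NAGIOS_CRITICAL, so a total loss of the check would be caught, but none of the tests in this diff exercise the proxy or issuer-cache paths.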
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "December, 2020" "1.129.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "January, 2021" "1.132.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -33,6 +33,9 @@ set passphrase for client certificate.
.BR "-c,--critical" " days"
minimum number of days a certificate has to be valid to issue a critical status
.TP
+.BR " --crl"
+checks revokation via CRL (requires --rootcert-file)
+.TP
.BR " --curl-bin" " path"
path of the curl binary to be used
.TP
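Review bot: "revokation" in the new --crl description should be "revocation" (the same misspelling appears in the debuglog "Checking revokation via OCSP" removed from the script above, so a grep across the tree is worthwhile). The entry says the option requires --rootcert-file but not how it relates to the default OCSP check; the new test invokes it as --crl --rootcert-file cabundle.crt --ignore-ocsp, which implies both checks run unless OCSP is explicitly ignored, and a sentence saying so, plus which CRL is fetched and what happens when it cannot be retrieved, would save users reading the source.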
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.132.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.129.0
+%define version 1.132.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,15 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Mon Jan 18 2021 Matteo Corti <matteo at corti.li> - 1.132.0-0
+- Updated to 1.132.0
+
+* Fri Jan 15 2021 Matteo Corti <matteo at corti.li> - 1.131.0-0
+- Updated to 1.131.0
+
+* Thu Jan 14 2021 Matteo Corti <matteo at corti.li> - 1.130.0-0
+- Updated to 1.130.0
+
* Thu Dec 24 2020 Matteo Corti <matteo at corti.li> - 1.129.0-0
- Updated to 1.129.0
=====================================
check_ssl_cert/check_ssl_cert_1.132.0/test/._cert_with_subject_without_cn.crt
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.132.0/test/._cert_with_subject_without_cn.crt differ
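Review bot: test/._cert_with_subject_without_cn.crt is a macOS AppleDouble sidecar (the "._" prefix is how macOS stores resource-fork and Finder metadata when writing to a filesystem that cannot hold it), not a certificate; it has evidently come in with the upstream tarball by accident and should not be shipped in the Debian source. Drop it on import, and ask upstream to exclude "._*" from the release tarball. The real fixture is the cert_with_subject_without_cn.crt added below.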
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.132.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.132.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.132.0/test/cert_with_empty_subject.crt
=====================================
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.132.0/test/cert_with_subject_without_cn.crt
=====================================
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIJAL5rKAz6XKBNMA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV
+BAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNVBAcMCVN0
+dXR0Z2FydDEcMBoGA1UECgwTLi4udW5kIHVlYmVyaGF1cHQhPzEUMBIGA1UEAwwL
+dXVlIFJvb3QgQ0EwHhcNMjAxMjExMjAyNjI0WhcNMjExMjExMjAyNjI0WjBcMQsw
+CQYDVQQGEwJERTEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQH
+DAlTdHV0dGdhcnQxHDAaBgNVBAoMEy4uLnVuZCB1ZWJlcmhhdXB0IT8wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDX7icpGipAoscdhSvgepldiBizkZXq
+aM4KKdArbeG2SThiMuOqZesegKLI3oTcIfQA9Z1ZT0qk5XdN/uybTtkstGZduIr+
+ZgvGZ605VVdOzbX9gQJ8yCj6/yUT+PLLhZXoHVqh0t2nkxr9Ed97iDeCbnnqPuKB
+tcdYrSIfxoPEonLiS0xVKb2qNBx2qfkseRkRBMYfh/1i9q29JoepkcUzqSH44Af/
+oGlVeAhVMgOF0MS8Qa7LM+jx6qF4RQPiaCIj/UaNvX7idewiNf4QmEgbAaEjGtuk
+s92mHhze7IVleNjNTqVoLCfazLH2NLe51djfD8w60TlKRpD2Qt2aTOP9AgMBAAGj
+IzAhMB8GA1UdEQQYMBaCB3V1ZS5vcmeCC3d3dy51dWUub3JnMA0GCSqGSIb3DQEB
+BQUAA4IBAQBKdrw0i3npNbo80XDO0mHUuvsyBMTToaBL1F4SFtSauvtWaY9DF2RH
+gazu79y7n85czl4Nr7g4/HtZm2/oCxD6YeZEt+pHbTCIH7FVyfl5NrAza+Zs4TMs
+tujwB+JVsj9KD8MXEgBbohVYLMsA9vjVEA00I3hvro3rB/suvt4GnQyHHAsXrbuu
+eenCXULd0B4onD4ki2cUDXy3hArkO8LIwQ8iu55wYIgDlIX00Q2oPZRP+ZYCKdUl
+w5sjV1qPVtrDYzoeA5h/Ls5P0llZapnWGzJzmD6U6wk+zQAs+GgqlYrmEmNq97kL
+iRuLlubcbMknF/JN5mLUvgYqf7M71nEe
+-----END CERTIFICATE-----
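Review bot: this fixture is a one-year certificate; the two UTCTime fields are readable in the base64 (...WhcNMjAxMjExMjAyNjI0WhcNMjExMjExMjAyNjI0W..., i.e. 201211202624Z and 211211202624Z), so it is valid from 2020-12-11 to 2021-12-11 and any test that feeds it to the plugin will start reporting expiry, and failing, within the year. A fixture whose purpose is "subject without CN" (the subject here carries C, ST, L and O only, with the names in a subjectAltName) should be long-lived so the test exercises subject parsing rather than the calendar. Neither this file nor cert_with_empty_subject.crt is referenced by the unit_tests.sh hunk in this diff, so also confirm that a test actually consumes them.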
=====================================
check_ssl_cert/check_ssl_cert_1.129.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.132.0/test/unit_tests.sh
=====================================
@@ -330,6 +330,12 @@ testBadSSLRevoked() {
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
+testBadSSLRevokedCRL() {
+ ${SCRIPT} -H revoked.badssl.com --host-cn --crl --rootcert-file cabundle.crt --ignore-ocsp
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
testGRCRevoked() {
${SCRIPT} -H revoked.grc.com --host-cn
EXIT_CODE=$?
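Review bot: testBadSSLRevokedCRL asserts only on the exit code, so a CRITICAL raised for any other reason (expiry, an incomplete chain, a failed CRL download reported as critical) passes without the CRL path ever classifying the certificate as revoked; capture the plugin output and additionally assert that it mentions revocation, otherwise this test cannot distinguish "CRL worked" from "CRL fetch failed". cabundle.crt is a bare relative path, so the test only works when run from the test directory, and like its neighbours it needs network access to revoked.badssl.com; if that is acceptable for the existing tests it is acceptable here, but the stronger assertion is the part that matters.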
@@ -342,6 +348,42 @@ testBadSSLIncompleteChain() {
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
+testBadSSLDH480(){
+ ${SCRIPT} -H dh480.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
+testBadSSLDH512(){
+ ${SCRIPT} -H dh512.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
+testBadSSLRC4MD5(){
+ ${SCRIPT} -H rc4-md5.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
+testBadSSLRC4(){
+ ${SCRIPT} -H rc4.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
+testBadSSL3DES(){
+ ${SCRIPT} -H 3des.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
+testBadSSLNULL(){
+ ${SCRIPT} -H null.badssl.com --host-cn
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
testBadSSLSHA256() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H sha256.badssl.com --host-cn
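Review bot: the six new badssl tests (dh480, dh512, rc4-md5, rc4, 3des, null) expect NAGIOS_CRITICAL, but the part of the script diff shown here contains no new check for small DH groups or weak ciphers (the only script hunks are the SSL Labs grade branch and the OCSP block removal), so it is not visible what makes these CRITICAL. If the answer is that the local OpenSSL refuses the handshake on its own, the tests are asserting the toolchain's default cipher list and security level rather than anything the plugin does, and they will pass or fail depending on the openssl build on the test machine; it would be better to check the plugin's message, or to pin the expectation to a plugin option, so the intent is explicit. Two smaller points: testBadSSLSHA256 immediately below is skipped under ${TRAVIS+x} while these new network-dependent tests are not, so apply the same guard for consistency, and the "(){" spacing differs from the "() {" used by every existing function in the file.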
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.129.0
+Version: 1.132.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.129.0/
\ No newline at end of file
+check_ssl_cert_1.132.0/
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/f12ba2e198615bb6c077f6f78511d9338e93cde7...ad6c6e603949f438d0f00f4bd80d65d2e1024eea