[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 3 commits: check_ssl_cert: Update to 1.142.0
Jan Wagner
gitlab at salsa.debian.org
Thu Mar 11 14:44:55 GMT 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
41971bc3 by Jan Wagner at 2021-03-11T09:20:05+01:00
check_ssl_cert: Update to 1.142.0
Improved the TLS renegotiation check
Added --password to specify a password source for PKCS12 certificates
Do not check SCTs if the certificate is self signed
Fixed the processing of --inetproto
Supports local PKCS #12 and DER formatted certificates
- - - - -
059ebda7 by Jan Wagner at 2021-03-11T11:01:49+01:00
Auto update of debian/control
- - - - -
03de296d by Jan Wagner at 2021-03-11T11:03:11+01:00
Prepare release
- - - - -
30 changed files:
- − check_ssl_cert/check_ssl_cert_1.140.0/VERSION
- − check_ssl_cert/check_ssl_cert_1.140.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.140.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.142.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.140.0/COPYING → check_ssl_cert/check_ssl_cert_1.142.0/COPYING
- check_ssl_cert/check_ssl_cert_1.140.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.142.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.140.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.142.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.140.0/INSTALL → check_ssl_cert/check_ssl_cert_1.142.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.140.0/Makefile → check_ssl_cert/check_ssl_cert_1.142.0/Makefile
- check_ssl_cert/check_ssl_cert_1.140.0/NEWS → check_ssl_cert/check_ssl_cert_1.142.0/NEWS
- check_ssl_cert/check_ssl_cert_1.140.0/README.md → check_ssl_cert/check_ssl_cert_1.142.0/README.md
- check_ssl_cert/check_ssl_cert_1.140.0/TODO → check_ssl_cert/check_ssl_cert_1.142.0/TODO
- + check_ssl_cert/check_ssl_cert_1.142.0/VERSION
- check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.140.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/._cert_with_subject_without_cn.crt
- + check_ssl_cert/check_ssl_cert_1.142.0/test/._der.cer
- + check_ssl_cert/check_ssl_cert_1.142.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.140.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cert_with_subject_without_cn.crt
- + check_ssl_cert/check_ssl_cert_1.142.0/test/client.p12
- + check_ssl_cert/check_ssl_cert_1.142.0/test/der.cer
- + check_ssl_cert/check_ssl_cert_1.142.0/test/localhost.crt
- + check_ssl_cert/check_ssl_cert_1.142.0/test/no-sct.badssl.com.crt
- check_ssl_cert/check_ssl_cert_1.140.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.142.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
- debian/changelog
- debian/control
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.140.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/cabundle.crt deleted
=====================================
The diff for this file was not included because it is too large.
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.142.0/AUTHORS
=====================================
@@ -107,4 +107,5 @@ Thanks:
documentation patch and the issuers patch
* Many thanks to cbiedl (https://github.com/cbiedl) for the proxy patch
* Many thanks to Robin Schneider (https://github.com/ypid-geberit) for the --long-output all patch
-* Many thanks to Robin Pronk (https://github.com/rfpronk) for the -u patch
\ No newline at end of file
+* Many thanks to Robin Pronk (https://github.com/rfpronk) for the -u patch
+* Many thanks to tunnelpr0 (https://github.com/tunnelpr0) fot --inetproto patch
\ No newline at end of file
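Review bot: typo in the added line `+* Many thanks to tunnelpr0 (https://github.com/tunnelpr0) fot --inetproto patch`: "fot" should be "for the", matching the wording of the surrounding credits. While touching the last line, add the trailing newline so the file stops producing the "\ No newline at end of file" marker on every edit.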
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/COPYING → check_ssl_cert/check_ssl_cert_1.142.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.142.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.142.0/ChangeLog
=====================================
@@ -1,3 +1,20 @@
+2021-03-10 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Improved renegotiation testing
+ * check_ssl_cert (fetch_certificate): Added --password to specify a password source for PCKS12 certificates
+
+2021-03-09 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Added missing processing of the --inetproto option
+ * check_ssl_cert (main): Added a sanity check for the protocol support of s_client
+ * check_ssl_cert (check_ocsp): skipping empty certificates
+ * check_ssl_cert (fetch_certificate): supporting local files in PKCS #12 and DER formats
+ * check_ssl_cert (main): Using grep -F when possible
+
+2021-02-28 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): Do not check SCTs if the certificate is self signed
+
2021-02-25 Matteo Corti <matteo at corti.li>
* check_ssl_cert (check_attr): fixed the SCT check
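Review bot: the 2021-03-10 entry spells the format "PCKS12" while the 2021-03-09 entry in the same hunk spells it "PKCS #12"; the standard is PKCS #12, so the first entry should be corrected to match.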
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/INSTALL → check_ssl_cert/check_ssl_cert_1.142.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/Makefile → check_ssl_cert/check_ssl_cert_1.142.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/NEWS → check_ssl_cert/check_ssl_cert_1.142.0/NEWS
=====================================
@@ -1,3 +1,8 @@
+2021-03-10 Version 1.142.0: Improved the TLS renegotiation check
+ Added --password to specify a password source for PCKS12 certificates
+2021-03-09 Version 1.141.0: Do not check SCTs if the certificate is self signed
+ Fixed the processing of --inetproto
+ Supports local PCKS #12 and DER formatted certificates
2021-02-25 Version 1.140.0: Fixed a bug in the SCT check
2021-02-24 Version 1.139.0: Fixed a bug in the TLS renegotiation check
2021-02-24 Version 1.138.0: Checks for TLS renegotiation
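Review bot: both new entries misspell the format as "PCKS12" / "PCKS #12"; it should read "PKCS #12" in the 1.142.0 line (`Added --password ... for PKCS #12 certificates`) and in the 1.141.0 line (`Supports local PKCS #12 and DER formatted certificates`).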
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/README.md → check_ssl_cert/check_ssl_cert_1.142.0/README.md
=====================================
@@ -68,7 +68,7 @@ Options:
--ignore-sct do not check for signed certificate timestamps (SCT)
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
--ignore-tls-renegotiation Ignores the TLS renegotiation check
- --Inetproto protocol Force IP version 4 or 6
+ --inetproto protocol Force IP version 4 or 6
-i,--issuer issuer pattern to match the issuer of the certificate
--issuer-cert-cache dir directory where to store issuer certificates cache
-K,--clientkey path use client certificate key to authenticate
@@ -101,6 +101,8 @@ Options:
issue a warning status
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
+ --password source password source for a local certificate, see the PASS PHRASE ARGUMENTS section
+ openssl(1)
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|
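Review bot: the new `--password source` help text reads "see the PASS PHRASE ARGUMENTS section openssl(1)", which is missing "of" ("section of openssl(1)"). Since the value is handed to `-passin` unchanged, it would also help users to say here that the `pass:` form puts the secret on the command line where it is visible in the process list, and that `file:` or `env:` sources are the safer choice for a monitoring plugin that runs unattended.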
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/TODO → check_ssl_cert/check_ssl_cert_1.142.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.142.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.140.0
+VERSION=1.142.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -144,6 +144,8 @@ usage() {
echo " issue a warning status"
echo " -o,--org org pattern to match the organization of the certificate"
echo " --openssl path path of the openssl binary to be used"
+ echo " --password source password source for a local certificate, see the PASS PHRASE ARGUMENTS section"
+ echo " openssl(1)"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
echo " {ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|mysql|pop3|pop3s|"
@@ -644,8 +646,8 @@ check_crl() {
# See https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
CRL_URI=$( "${OPENSSL}" x509 -noout -text -in "${CERT_ELEMENT}" |
- grep -A 4 'X509v3 CRL Distribution Points' |
- grep URI |
+ grep -F -A 4 'X509v3 CRL Distribution Points' |
+ grep -F URI |
sed 's/^.*URI://'
)
if [ -n "${CRL_URI}" ] ; then
@@ -671,7 +673,7 @@ check_crl() {
debuglog "${OPENSSL} verify -crl_check -CRLfile ${CRL_TMP_PEM} ${CERT_ELEMENT}"
CRL_RESULT=$( "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
- grep ':' |
+ grep -F ':' |
head -n 1 |
sed 's/^.*:\ //'
)
@@ -746,7 +748,7 @@ check_ocsp() {
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
- ELEMENT_ISSUER_URI="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+ ELEMENT_ISSUER_URI="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep -F "CA Issuers" | grep -F -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
debuglog "Chain element issuer URI: ${ELEMENT_ISSUER_URI}"
@@ -758,7 +760,7 @@ check_ocsp() {
elif [ "${ELEMENT_ISSUER_URI}" != "$(echo "${ELEMENT_ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
verboselog "unable to fetch the CA issuer certificate (spaces in URI): disabling OCSP checks on element ${el_number}"
return
- elif ! echo "${ELEMENT_ISSUER_URI}" | grep -qi '^http' ; then
+ elif ! echo "${ELEMENT_ISSUER_URI}" | grep -q -i '^http' ; then
verboselog "unable to fetch the CA issuer certificate (unsupported protocol): disabling OCSP checks on element ${el_number}"
return
fi
@@ -776,7 +778,7 @@ check_ocsp() {
debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
- if echo "${ELEMENT_ISSUER_URI}" | grep -q 'p7c' ; then
+ if echo "${ELEMENT_ISSUER_URI}" | grep -F -q 'p7c' ; then
debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM"
cp "${ISSUER_CERT_TMP}" "${ISSUER_CERT_TMP2}"
@@ -798,6 +800,12 @@ check_ocsp() {
${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"
+ elif "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q 'empty' ; then
+
+ # empty certs are allowed
+ debuglog "OCSP empty certificate detected: skipping"
+ return
+
else
debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )"
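Review bot: the new branch `elif "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q 'empty'` treats an empty issuer certificate download as an allowed condition and returns with only a debuglog, whereas the neighbouring failure paths in check_ocsp use verboselog ("disabling OCSP checks on element ..."); an empty body is more likely a failed or blocked fetch than a legitimate response, so it should at least be reported at the same level so operators notice that revocation checking was silently skipped. Two smaller points: `file` prints the path before the description, so a temporary directory whose name contains "empty" would match too (use `"${FILE_BIN}" -b`), and `-E` is unnecessary for a fixed string where the rest of this patch standardises on `-F`.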
@@ -863,7 +871,7 @@ check_ocsp() {
# the -header option was first accepting key and value separated by space. The newer versions are using key=value
KEYVALUE=""
- if ${OPENSSL} ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
+ if ${OPENSSL} ocsp -help 2>&1 | grep -F header | grep -F -q 'key=value' ; then
debuglog "${OPENSSL} ocsp -header requires 'key=value'"
KEYVALUE=1
else
@@ -901,17 +909,17 @@ check_ocsp() {
debuglog "$(echo "${OCSP_RESP}" | sed 's/^/OCSP: response = /')"
- if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
+ if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -F -q -i "timeout on connect" ; then
debuglog 'OCSP: Timeout on connect'
- elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+ elif echo "${OCSP_RESP}" | grep -F -q -i "revoked" ; then
debuglog 'OCSP: revoked'
prepend_critical_message "certificate element ${el_number} is revoked (OCSP)"
- elif ! echo "${OCSP_RESP}" | grep -qi "good" ; then
+ elif ! echo "${OCSP_RESP}" | grep -F -q -i "good" ; then
debuglog "OCSP: not good. HTTP_PROXY = ${HTTP_PROXY}"
@@ -1207,8 +1215,44 @@ fetch_certificate() {
elif [ -n "${FILE}" ] ; then
if [ "${HOST}" = "localhost" ] ; then
- exec_with_timeout "${TIMEOUT}" "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
- RET=$?
+
+ debuglog "check if we have to convert the file ${FILE} to PEM"
+ debuglog "certificate type (1): $(${FILE_BIN} "${FILE}" | sed 's/.*://' )"
+
+ if echo "${FILE}" | grep -q -E '[.](p12|pfx)$' ; then
+
+ debuglog 'converting PKCS #12 to PEM'
+
+ create_temporary_file; PKCS12_ERROR=${TEMPFILE}
+
+ if [ -n "${PASSWORD_SOURCE}" ] ; then
+ debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys -passin ${PASSWORD_SOURCE}"
+ "${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys -passin "${PASSWORD_SOURCE}" 2> "${PKCS12_ERROR}"
+ else
+ debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys"
+ "${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys 2> "${PKCS12_ERROR}"
+ fi
+
+ if [ $? -eq 1 ] ; then
+ unknown "Error converting ${FILE}: $( head -n 1 "${PKCS12_ERROR}" ) "
+ fi
+
+ elif "${FILE_BIN}" "${FILE}" | grep -q -E '(data|Certificate)' ; then
+
+ debuglog 'converting DER to PEM'
+ "${OPENSSL}" x509 -inform der -in "${FILE}" -out "${CERT}"
+
+ else
+
+ debuglog "Copying the certificate to ${CERT}"
+ /bin/cat "${FILE}" > "${CERT}"
+ RET=$?
+
+ fi
+
+ debuglog "storing the certificate to ${CERT}"
+ debuglog "certificate type (2): $(${FILE_BIN} "${CERT}" | sed 's/.*://' )"
+
else
unknown "Error: option 'file' works with -H localhost only"
fi
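Review bot: the debug line `debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys -passin ${PASSWORD_SOURCE}"` writes the password source verbatim, so with a `pass:<secret>` source the secret ends up in debug output and in whatever captures it; mask the argument (log only the `pass:`/`file:`/`env:` prefix) before logging. Further points in the same hunk: `if [ $? -eq 1 ]` only catches exit status 1, so other non-zero statuses from `openssl pkcs12` go unreported (use `-ne 0`); the DER detection `"${FILE_BIN}" "${FILE}" | grep -q -E '(data|Certificate)'` matches against output that begins with the file path, so a PEM file stored under a directory containing "data" would be fed to `x509 -inform der` and fail (use `"${FILE_BIN}" -b`), and that conversion has no error check at all; and `RET=$?` now survives only in the plain-copy branch, so callers that inspect `${RET}` after the PKCS #12 or DER paths see an unset or stale value. The removed `exec_with_timeout` wrapper also means the local-file path no longer honours `${TIMEOUT}`.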
@@ -1625,6 +1669,11 @@ main() {
DIG_BIN="$2"
shift 2
;;
+ --inetproto)
+ check_option_argument '--inetproto' "$2"
+ INETPROTO="-$2"
+ shift 2
+ ;;
--nmap-bin)
check_option_argument '--nmap-bin' "$2"
NMAP_BIN="$2"
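Review bot: the new `--inetproto` case stores `INETPROTO="-$2"` without validating the value; the README documents it as "Force IP version 4 or 6", so anything other than 4 or 6 should be rejected with `unknown` here rather than surfacing later as an opaque s_client or cURL usage error.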
@@ -1738,6 +1787,11 @@ main() {
OPENSSL="$2"
shift 2
;;
+ --password)
+ check_option_argument '--password' "$2"
+ PASSWORD_SOURCE="$2"
+ shift 2
+ ;;
-p|--port)
check_option_argument '-p|--port' "$2"
PORT="$2"
@@ -2121,7 +2175,7 @@ main() {
SSL_AU="-sigalgs 'ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512'"
fi
if [ -n "${RSA}" ] ; then
- if echo "${SSL_VERSION_DISABLED}" | grep -q -- '-no_tls1_3' ||
+ if echo "${SSL_VERSION_DISABLED}" | grep -F -q -- '-no_tls1_3' ||
[ "${SSL_VERSION}" = '-tls1' ] ||
[ "${SSL_VERSION}" = '-tls1_1' ] ||
[ "${SSL_VERSION}" = '-tls1_2' ] ; then
@@ -2261,9 +2315,9 @@ main() {
debuglog 'checking date version'
- if "${DATEBIN}" --version 2>&1 | grep -q GNU ; then
+ if "${DATEBIN}" --version 2>&1 | grep -F -q GNU ; then
DATETYPE='GNU'
- elif "${DATEBIN}" --version 2>&1 | grep -q BusyBox ; then
+ elif "${DATEBIN}" --version 2>&1 | grep -F -q BusyBox ; then
DATETYPE='BUSYBOX'
else
DATETYPE='BSD'
@@ -2307,7 +2361,7 @@ main() {
# on standard error for these intermediate versions.
#
SERVERNAME=
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -servername || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername; then
+ if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -servername || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -servername; then
if [ -n "${SNI}" ]; then
SERVERNAME="-servername ${SNI}"
@@ -2323,6 +2377,14 @@ main() {
fi
+ ################################################################################
+ # Check if openssl s_client supports the specified protocol
+ if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" = 'sieve' ] ; then
+ if ${OPENSSL} s_client -starttls sieve 2>&1 | grep -F -q 'Value must be one of:' || ${OPENSSL} s_client -starttls sieve 2>&1 | grep -F -q 'error: usage:' ; then
+ unknown "OpenSSL does not support the protocol sieve"
+ fi
+ fi
+
if [ -n "${PROXY}" ] && [ -n "${NO_PROXY}" ] ; then
unknown "Only one of --proxy or --no_proxy can be specfied"
fi
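Review bot: the sieve support probe runs `${OPENSSL} s_client -starttls sieve` twice and without `-connect`, so on an OpenSSL that does support sieve it opens a real connection to the default target (localhost:4433) each time and, if anything listens there, waits for the STARTTLS exchange; run the command once into a variable, or probe `s_client -help` output the way the `-servername`, `-proxy` and `-name` checks elsewhere in this file do, and test both strings against that. Unrelated context line, but visible here: "specfied" in `unknown "Only one of --proxy or --no_proxy can be specfied"` is a typo.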
@@ -2366,13 +2428,13 @@ main() {
HTTPS_PROXY="${HTTP_PROXY}"
fi
- if ${CURL_BIN} --manual | grep -q -- --proxy ; then
+ if ${CURL_BIN} --manual | grep -F -q -- --proxy ; then
debuglog "Adding --proxy ${HTTP_PROXY} to the cURL options"
CURL_PROXY="--proxy"
CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
fi
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -proxy; then
+ if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -proxy; then
SCLIENT_PROXY="-proxy"
SCLIENT_PROXY_ARGUMENT="$( echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//' )"
@@ -2398,7 +2460,7 @@ main() {
# Check if openssl s_client supports the -name option
#
S_CLIENT_NAME=
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -name || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -name; then
+ if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -name || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -name; then
CURRENT_HOSTNAME=$( hostname )
S_CLIENT_NAME="-name ${CURRENT_HOSTNAME}"
@@ -2414,7 +2476,7 @@ main() {
################################################################################
# Check if openssl s_client supports the -xmpphost option
#
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -xmpphost ; then
+ if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -xmpphost ; then
XMPPHOST="-xmpphost ${XMPPHOST:-${HOST}}"
debuglog "'${OPENSSL} s_client' supports '-xmpphost': using ${XMPPHOST}"
else
@@ -2451,14 +2513,14 @@ main() {
# Check if cURL is needed and if it supports the -4 and -6 options
if [ -z "${CURL_BIN}" ] ; then
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
- if ! "${CURL_BIN}" --manual | grep -q -- -6 && [ -n "${INETPROTO}" ] ; then
+ if ! "${CURL_BIN}" --manual | grep -F -q -- -6 && [ -n "${INETPROTO}" ] ; then
unknown "cURL does not support the ${INETPROTO} option"
fi
fi
fi
# check if IPv6 is available locally
- if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && ! ifconfig -a | grep -q inet6 ; then
+ if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" -eq "-6" ] && ! ifconfig -a | grep -F -q inet6 ; then
unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
fi
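Review bot: the condition guarding the cURL probe looks inverted: `if [ -z "${CURL_BIN}" ]` enters the block only when CURL_BIN is empty, and then runs `"${CURL_BIN}" --manual`, which cannot succeed with an empty command name; with `--inetproto` set this makes the `unknown "cURL does not support ..."` branch fire for the wrong reason. This is a pre-existing context line, but since the hunk touches the same statement it is worth fixing to `-n` (or checking the resolved binary) now. Also `[ "${INETPROTO}" -eq "-6" ]` is an integer comparison on a string flag; it happens to work but `=` states the intent, and `ifconfig -a` is absent on many current Linux images (`ip -6 addr` as a fallback would avoid a spurious failure).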
@@ -2497,7 +2559,7 @@ main() {
if [ -n "${DISALLOWED_PROTOCOLS}" ] ; then
# check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch
- if ${NMAP_BIN} "${HOST}" 2>&1 | grep -q 'Failed to resolve' ; then
+ if ${NMAP_BIN} "${HOST}" 2>&1 | grep -F -q 'Failed to resolve' ; then
debuglog 'nmap is not able to resolve the host name. Trying with -6 to force IPv6 for an IPv6-only host'
NMAP_INETPROTO='-6'
@@ -2512,7 +2574,7 @@ main() {
for protocol in ${DISALLOWED_PROTOCOLS} ; do
debuglog "Checking if '${protocol}' is offered"
- if echo "${OFFERED_PROTOCOLS}" | grep -v 'No supported ciphers found' | grep -q "${protocol}" ; then
+ if echo "${OFFERED_PROTOCOLS}" | grep -F -v 'No supported ciphers found' | grep -q "${protocol}" ; then
debuglog "'${protocol}' is offered"
prepend_critical_message "${protocol} is offered"
fi
@@ -2531,7 +2593,7 @@ main() {
check_required_prog "${DIG_BIN}"
DIG_BIN=${PROG}
# check if OpenSSL supports -dane_tlsa_rrdata
- if ${OPENSSL} s_client -help 2>&1 | grep -q -- -dane_tlsa_rrdata || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -dane_tlsa_rrdata; then
+ if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -dane_tlsa_rrdata || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -F -q -- -dane_tlsa_rrdata; then
DIG_RESULT=$( "${DIG_BIN}" +short TLSA "_${PORT}._tcp.${HOST}" |while read -r L; do echo " -dane_tlsa_rrdata '${L}' "; done )
debuglog "Checking DANE (${DANE})"
debuglog "$(printf '%s\n' "${DIG_BIN} +short TLSA _${PORT}._tcp.${HOST} =")"
@@ -2542,16 +2604,16 @@ main() {
DANE=$( echo "${DIG_RESULT}" | tr -d '\n')
;;
211)
- DANE=$( echo "${DIG_RESULT}" | grep '2 1 1' | tr -d '\n')
+ DANE=$( echo "${DIG_RESULT}" | grep -F '2 1 1' | tr -d '\n')
;;
301)
- DANE=$( echo "${DIG_RESULT}" | grep '3 0 1' | tr -d '\n')
+ DANE=$( echo "${DIG_RESULT}" | grep -F '3 0 1' | tr -d '\n')
;;
311)
- DANE=$( echo "${DIG_RESULT}" | grep '3 1 1' | tr -d '\n')
+ DANE=$( echo "${DIG_RESULT}" | grep -F '3 1 1' | tr -d '\n')
;;
302)
- DANE=$( echo "${DIG_RESULT}" | grep '3 0 2' | tr -d '\n')
+ DANE=$( echo "${DIG_RESULT}" | grep -F '3 0 2' | tr -d '\n')
;;
*)
unknown "Internal error: unknown DANE check type ${DANE}"
@@ -2637,13 +2699,19 @@ main() {
verboselog "Checking TLS renegotiation"
- # we just check the insecure renegotiation if the connection was not using TLS 1.3
- # we could connect again with -no_tls1_3 and check
+ # see https://www.mcafee.com/blogs/enterprise/tips-securing-ssl-renegotiation/
- if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}" ; then
- prepend_critical_message 'TLS secure renegotiation is supported'
+ exec_with_timeout "${TIMEOUT}" "printf 'R\\n' | openssl s_client -connect ${HOST}:${PORT} 2>&1 | grep -F -q err"
+ RET=$?
+
+ if [ "${RET}" -eq 1 ] ; then
+
+ if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}" ; then
+ prepend_critical_message 'TLS renegotiation is supported but not secure'
+ fi
+
fi
-
+
fi
if ascii_grep "BEGIN X509 CRL" "${CERT}" ; then
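Review bot: the new renegotiation probe `exec_with_timeout "${TIMEOUT}" "printf 'R\\n' | openssl s_client -connect ${HOST}:${PORT} 2>&1 | grep -F -q err"` opens a second, differently configured connection: it calls bare `openssl` instead of `${OPENSSL}`, and sends neither `${SERVERNAME}`/SNI, `${INETPROTO}`, the `-starttls` protocol, the proxy settings nor the client certificate used for the main connection. For an SNI-dependent vhost, a STARTTLS service or a proxied target the probe therefore hits a different endpoint or fails outright, and because any connect failure prints text containing "err", `grep -F -q err` returns 0, `RET` is not 1, and the check is silently skipped (a false negative rather than an error). Reuse the same option variables as the main s_client invocation, and distinguish "renegotiation refused" from "connection failed" instead of keying on the substring "err". The removed comment explaining why the check is limited to non-TLS 1.3 sessions was useful and should stay next to the `! ascii_grep 'TLSv1.3'` condition, which still implements it.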
@@ -2658,7 +2726,7 @@ main() {
if [ -r "${FILE}" ] ; then
- if "${OPENSSL}" crl -in "${CERT}" -inform DER | grep -q "BEGIN X509 CRL" ; then
+ if "${OPENSSL}" crl -in "${CERT}" -inform DER | grep -F -q "BEGIN X509 CRL" ; then
debuglog "File is DER encoded CRL"
OPENSSL_COMMAND="crl"
@@ -2717,7 +2785,7 @@ main() {
else
# we need to remove everything before 'CN = ', to remove an eventual email supplied with / and additional elements (after ', ')
# shellcheck disable=SC2086
- if ${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} | grep -q 'CN' ; then
+ if ${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} | grep -F -q 'CN' ; then
CN="$(${OPENSSL} x509 -in "${CERT}" -subject -noout ${OPENSSL_PARAMS} |
sed -e "s/^.*[[:space:]]*CN[[:space:]]=[[:space:]]//" -e "s/\\/[[:alpha:]][[:alpha:]]*=.*\$//" -e "s/,.*//" )"
else
@@ -2740,7 +2808,7 @@ main() {
OCSP_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -ocsp_uri -noout | head -n 1)"
# count the certificates in the chain
- NUM_CERTIFICATES=$(grep -c -- "-BEGIN CERTIFICATE-" "${CERT}")
+ NUM_CERTIFICATES=$(grep -F -c -- "-BEGIN CERTIFICATE-" "${CERT}")
# start with first certificate
debuglog "Skipping ${SKIP_ELEMENT} element of the chain"
@@ -2779,14 +2847,14 @@ main() {
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
- ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | grep -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+ ISSUER_URI="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep -F "CA Issuers" | grep -F -i "http" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
# Check OCSP stapling
if [ -n "${REQUIRE_OCSP_STAPLING}" ] ; then
verboselog "checking OCSP stapling"
- grep -A 17 'OCSP response:' "${CERT}" > "${OCSP_RESPONSE_TMP}"
+ grep -F -A 17 'OCSP response:' "${CERT}" > "${OCSP_RESPONSE_TMP}"
debuglog "${OCSP_RESPONSE_TMP}"
@@ -2810,7 +2878,7 @@ main() {
fi
# shellcheck disable=SC2086
- SIGNATURE_ALGORITHM="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep 'Signature Algorithm' | head -n 1)"
+ SIGNATURE_ALGORITHM="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep -m 1 -F 'Signature Algorithm')"
if [ -n "${DEBUG}" ] ; then
debuglog "${SUBJECT}"
@@ -2826,7 +2894,7 @@ main() {
debuglog "${SIGNATURE_ALGORITHM}"
fi
- if echo "${SIGNATURE_ALGORITHM}" | grep -q "sha1" ; then
+ if echo "${SIGNATURE_ALGORITHM}" | grep -F -q "sha1" ; then
if [ -n "${NOSIGALG}" ] ; then
@@ -2840,7 +2908,7 @@ main() {
fi
- if echo "${SIGNATURE_ALGORITHM}" | grep -qi "md5" ; then
+ if echo "${SIGNATURE_ALGORITHM}" | grep -F -qi "md5" ; then
if [ -n "${NOSIGALG}" ] ; then
@@ -2890,7 +2958,7 @@ main() {
# shellcheck disable=SC2086
SUBJECT_ALTERNATIVE_NAME=$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text |
- grep -A 1 "509v3 Subject Alternative Name:" |
+ grep -F -A 1 "509v3 Subject Alternative Name:" |
tail -n 1 |
sed -e "s/DNS://g" |
sed -e "s/,//g" |
@@ -3101,7 +3169,7 @@ main() {
check_cert_end_date "$(cat "${CERT}")"
else
# count the certificates in the chain
- NUM_CERTIFICATES=$(grep -c -- "-BEGIN CERTIFICATE-" "${CERT}")
+ NUM_CERTIFICATES=$(grep -F -c -- "-BEGIN CERTIFICATE-" "${CERT}")
debuglog "Number of certificates in CA chain: $((NUM_CERTIFICATES))"
debuglog "Skipping ${SKIP_ELEMENT} element of the chain"
@@ -3169,7 +3237,7 @@ main() {
# We clear the cache only on the first run
IGNORE_SSL_LABS_CACHE=""
- if echo "${JSON}" | grep -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later' ; then
+ if echo "${JSON}" | grep -F -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later' ; then
verboselog 'SSL Labs running at full capacity'
else
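Review bot: the `-F` conversion breaks this match: `grep -F -q 'Running\ at\ full\ capacity.\ Please\ try\ again\ later'` now looks for the literal backslashes, since fixed-string mode does not interpret `\ ` as a space, so the "SSL Labs running at full capacity" branch can never be taken and the script falls through to parsing an error response as a result. Drop the backslashes from the pattern (`'Running at full capacity. Please try again later'`) when using `-F`.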
@@ -3185,7 +3253,7 @@ main() {
prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
;;
'READY')
- if ! echo "${JSON}" | grep -q "grade" ; then
+ if ! echo "${JSON}" | grep -F -q "grade" ; then
# Something went wrong
SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
@@ -3322,9 +3390,20 @@ main() {
##############################################################################
# Check for Signed Certificate Timestamps (SCT)
- debuglog 'Checking Signed Certificate Timestamps (SCTs)'
- if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text -noout | grep -q 'SCTs' ; then
- prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
+ if [ -z "${SELFSIGNED}" ] ; then
+
+ debuglog 'Checking Signed Certificate Timestamps (SCTs)'
+
+ # check if OpenSSL supoort SCTs
+ if man verify | grep -F -q SCT ; then
+
+ if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text -noout | grep -F -q 'SCTs' ; then
+ prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
+ fi
+
+ else
+ verboselog 'Skipping SCTs check as not supported by OpenSSL'
+ fi
fi
# if errors exist at this point return
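Review bot: gating the SCT check on `man verify | grep -F -q SCT` ties the check to documentation rather than to the binary: on minimal or container images without man pages (or without `man` at all) the command fails, `SELFSIGNED`-free certificates get `Skipping SCTs check as not supported by OpenSSL`, and a missing SCT goes unreported; and when `--openssl` points at a non-system build, the man page describes a different OpenSSL anyway. Probe `${OPENSSL}` itself, as the other capability checks in this file do. Typo in the comment: "supoort".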
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "February, 2021" "1.140.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "March, 2021" "1.142.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -184,6 +184,9 @@ pattern to match the organization of the certificate
.BR " --openssl" " path"
path of the openssl binary to be used
.TP
+.BR " --password" " source"
+password source for a local certificate, see the PASS PHRASE ARGUMENTS section openssl(1)
+.TP
.BR "-p,--port" " port"
TCP port
.TP
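Review bot: the new `--password` entry reads "see the PASS PHRASE ARGUMENTS section openssl(1)"; it should be "section of openssl(1)", and the same wording appears in the README and usage() text in this commit.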
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.142.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.140.0
+%define version 1.142.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Thu Mar 10 2021 Matteo Corti <matteo at corti.li> - 1.142.0-0
+- Updated to 1.142.0
+
+* Thu Mar 9 2021 Matteo Corti <matteo at corti.li> - 1.141.0-0
+- Updated to 1.141.0
+
* Thu Feb 25 2021 Matteo Corti <matteo at corti.li> - 1.140.0-0
- Updated to 1.140.0
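Review bot: the weekday in both new %changelog lines is wrong: 10 March 2021 was a Wednesday and 9 March 2021 a Tuesday, not "Thu" as written in `* Thu Mar 10 2021 ...` and `* Thu Mar 9 2021 ...`; rpmbuild flags mismatched weekdays as a bogus changelog date, so correct them (the existing Feb 25 entry is right).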
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/._cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/._der.cer
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.142.0/test/._der.cer differ
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/cabundle.crt
=====================================
The diff for this file was not included because it is too large.
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cert_with_empty_subject.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.142.0/test/cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/client.p12
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.142.0/test/client.p12 differ
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/der.cer
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.142.0/test/der.cer differ
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/localhost.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.142.0/test/no-sct.badssl.com.crt
=====================================
@@ -0,0 +1,126 @@
+CONNECTED(00000005)
+---
+Certificate chain
+ 0 s:C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = no-sct.badssl.com
+ i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
+ 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
+ i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
+---
+Server certificate
+subject=C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = no-sct.badssl.com
+
+issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
+
+---
+No client certificate CA names sent
+Peer signing digest: SHA512
+Peer signature type: RSA
+Server Temp Key: ECDH, P-256, 256 bits
+---
+SSL handshake has read 3212 bytes and written 445 bytes
+Verification: OK
+---
+New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
+Server public key is 2048 bit
+Secure Renegotiation IS supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : ECDHE-RSA-AES128-GCM-SHA256
+ Session-ID: A8AB48CACC53F106A3BF1BC0347025F7AFE49422F6CADEB3DE05293946080ED1
+ Session-ID-ctx:
+ Master-Key: 91831DD4DAB4645ACD3E6F5865A413161588C8299AD96CFA21ADA4B88BA43F2A0E765E09A0A3061AF67ECFE191A4EB2D
+ PSK identity: None
+ PSK identity hint: None
+ SRP username: None
+ TLS session ticket lifetime hint: 300 (seconds)
+ TLS session ticket:
+ 0000 - 5b d5 ed df 6b dc 79 68-af a2 3e 33 a2 72 4a fe [...k.yh..>3.rJ.
+ 0010 - 2f a7 ba 2d 74 a9 1d 9c-49 c3 35 ce 3b 4a 0f 7e /..-t...I.5.;J.~
+ 0020 - df dd 2a a4 9c 3f 86 c5-e5 c7 29 5a 72 7c 1a 34 ..*..?....)Zr|.4
+ 0030 - 00 96 28 f8 4b 7a 3c 04-ca 44 a8 51 ff 29 2c 27 ..(.Kz<..D.Q.),'
+ 0040 - 68 d8 56 19 8c d5 ab 3c-3b 33 a3 66 f8 3a 97 94 h.V....<;3.f.:..
+ 0050 - 90 f1 40 73 e6 40 97 f2-1f 49 f6 c1 2c 1b a9 f0 .. at s.@...I..,...
+ 0060 - 76 b8 c7 88 de 49 7a a6-e9 12 42 df e7 48 3c b8 v....Iz...B..H<.
+ 0070 - 98 4a f3 eb aa 57 13 97-4c f3 35 07 b8 97 60 78 .J...W..L.5...`x
+ 0080 - 03 e1 9e 40 43 45 f2 d5-b6 3f 34 7e 9d 2e 24 88 ... at CE...?4~..$.
+ 0090 - 83 cf 71 75 3d c9 b4 0d-f0 8b 9d f0 09 09 a1 b9 ..qu=...........
+ 00a0 - 74 5a f3 fb 0f bf 44 6f-93 2f 2a 19 9e b3 fe ec tZ....Do./*.....
+ 00b0 - 69 66 2b ac 27 f8 38 af-a7 ad 6d 07 8b eb d9 14 if+.'.8...m.....
+
+ Start Time: 1615387416
+ Timeout : 7200 (sec)
+ Verify return code: 0 (ok)
+ Extended master secret: no
+---
+HTTP/1.1 200 OK
+Server: nginx/1.10.3 (Ubuntu)
+Date: Wed, 10 Mar 2021 14:43:36 GMT
+Content-Type: text/html
+Content-Length: 667
+Last-Modified: Tue, 23 Feb 2021 21:28:41 GMT
+Connection: close
+ETag: "60357389-29b"
+Cache-Control: no-store
+Accept-Ranges: bytes
+
+closed
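Review bot: the fixture is a complete `openssl s_client` transcript rather than the certificate chain it is meant to hold, and it carries the negotiated `Master-Key`, the full `TLS session ticket` dump and a `Session-ID`, none of which an SCT check needs; trim it to the two `-----BEGIN CERTIFICATE-----` blocks (keeping the `Certificate chain` subject/issuer lines only if the parser relies on them). The secrets are harmless here because the session was to a public badssl.com host, but committing raw s_client output as a habit will eventually capture a session against an internal host. Separately, nothing in this diff reads `no-sct.badssl.com.crt`: testSCT below connects to the live host, so either wire the fixture into an offline test with `-f` (as testDERCert does with `./der.cer`) or drop the file.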
=====================================
check_ssl_cert/check_ssl_cert_1.140.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.142.0/test/unit_tests.sh
=====================================
@@ -79,126 +79,126 @@ testUsage() {
}
testMissingArgument() {
- ${SCRIPT} -H www.google.com --critical > /dev/null 2>&1
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --critical > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testMissingArgument2() {
- ${SCRIPT} -H www.google.com --critical --warning 10 > /dev/null 2>&1
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --critical --warning 10 > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testETHZ() {
- ${SCRIPT} -H ethz.ch --cn ethz.ch --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testLetsEncrypt() {
- ${SCRIPT} -H helloworld.letsencrypt.org --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H helloworld.letsencrypt.org
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testGoDaddy() {
- ${SCRIPT} -H www.godaddy.com --cn www.godaddy.com --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.godaddy.com --cn www.godaddy.com
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZCaseInsensitive() {
# debugging: to be removed
- ${SCRIPT} -H ethz.ch --cn ETHZ.CH --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ETHZ.CH
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCard() {
- ${SCRIPT} -H sherlock.sp.ethz.ch --cn sp.ethz.ch --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sp.ethz.ch
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testETHZWildCardCaseInsensitive() {
- ${SCRIPT} -H sherlock.sp.ethz.ch --cn SP.ETHZ.CH --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SP.ETHZ.CH
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testETHZWildCardSub() {
- ${SCRIPT} -H sherlock.sp.ethz.ch --cn sub.sp.ethz.ch --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sub.sp.ethz.ch
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCardSubCaseInsensitive() {
- ${SCRIPT} -H sherlock.sp.ethz.ch --cn SUB.SP.ETHZ.CH --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SUB.SP.ETHZ.CH
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testRootIssuer() {
- ${SCRIPT} --rootcert cabundle.crt -H google.com --issuer 'GlobalSign'
+ ${SCRIPT} --rootcert-file cabundle.crt -H google.com --issuer 'GlobalSign'
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testValidity() {
# Tests bug #8
- ${SCRIPT} --rootcert cabundle.crt -H www.ethz.ch -w 1000
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch -w 1000
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_WARNING}" "${EXIT_CODE}"
}
testValidityWithPerl() {
- ${SCRIPT} --rootcert cabundle.crt -H www.ethz.ch -w 1000 --force-perl-date
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch -w 1000 --force-perl-date
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_WARNING}" "${EXIT_CODE}"
}
testAltNames() {
- ${SCRIPT} -H www.inf.ethz.ch --cn www.inf.ethz.ch --rootcert cabundle.crt --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn www.inf.ethz.ch --altnames
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
#Do not require to match Alternative Name if CN already matched
testWildcardAltNames1() {
- ${SCRIPT} -H sherlock.sp.ethz.ch --rootcert cabundle.crt --altnames --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --altnames --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
#Check for wildcard support in Alternative Names
testWildcardAltNames2() {
- ${SCRIPT} -H sherlock.sp.ethz.ch \
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch \
--cn somehost.spapps.ethz.ch \
--cn otherhost.sPaPPs.ethz.ch \
--cn spapps.ethz.ch \
- --rootcert cabundle.crt --altnames \
+ --altnames \
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testAltNamesCaseInsensitve() {
- ${SCRIPT} -H www.inf.ethz.ch --cn WWW.INF.ETHZ.CH --rootcert cabundle.crt --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn WWW.INF.ETHZ.CH --altnames
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testMultipleAltNamesFailOne() {
# Test with wiltiple CN's but last one is wrong
- ${SCRIPT} -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --rootcert cabundle.crt --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --altnames
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testMultipleAltNamesFailTwo() {
# Test with multiple CN's but first one is wrong
- ${SCRIPT} -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --rootcert cabundle.crt --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --altnames
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
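Review bot: in testWildcardAltNames2 the new line `+ --altnames \` keeps the trailing backslash, so the following `EXIT_CODE=$?` is parsed as one more argument to `${SCRIPT}` rather than as an assignment; `EXIT_CODE` is never set in this function and the `assertEquals` compares against whatever the previous test left in it. The old `- --rootcert cabundle.crt --altnames \` had the same defect, but since the line is being touched anyway, drop the backslash. Two cosmetic points in the same hunk: the `# debugging: to be removed` comment in testETHZCaseInsensitive is still there, and "wiltiple" in testMultipleAltNamesFailOne should read "multiple".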
@@ -207,7 +207,7 @@ testXMPPHost() {
# $TRAVIS is set an environment variable
# shellcheck disable=SC2154
if [ -z "${TRAVIS+x}" ] ; then
- out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is )
+ out=$(${SCRIPT} --rootcert-file cabundle.crt -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is )
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
@@ -220,7 +220,7 @@ testXMPPHost() {
}
testTimeOut() {
- ${SCRIPT} --rootcert cabundle.crt -H gmail.com --protocol imap --port 993 --timeout 1
+ ${SCRIPT} --rootcert-file cabundle.crt -H gmail.com --protocol imap --port 993 --timeout 1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
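Review bot: testTimeOut asserts `NAGIOS_CRITICAL` for `--timeout 1` against gmail.com:993, which only holds while the IMAP handshake reliably takes longer than one second; on a fast link the check can complete in time and return OK, so this test encodes network latency rather than plugin behaviour. Point it at an unroutable address or a host that accepts the TCP connection but never speaks (the usual way to force a timeout deterministically), or guard it with the same `TRAVIS` skip the neighbouring tests use.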
@@ -228,7 +228,7 @@ testTimeOut() {
testIMAP() {
if [ -z "${TRAVIS+x}" ] ; then
# minimal critical and warning as they renew pretty late
- ${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap --critical 1 --warning 2
+ ${SCRIPT} --rootcert-file cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -238,7 +238,7 @@ testIMAP() {
testIMAPS() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
+ ${SCRIPT} --rootcert-file cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -248,7 +248,7 @@ testIMAPS() {
testPOP3S() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
+ ${SCRIPT} --rootcert-file cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -259,7 +259,7 @@ testPOP3S() {
testSMTP() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -268,26 +268,30 @@ testSMTP() {
}
testSMTPSubmbission() {
- ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 587 --timeout 60
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ if [ -z "${TRAVIS+x}" ] ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 587 --timeout 60
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ else
+ echo "Skipping SMTP tests on Travis CI"
+ fi
}
testSMTPS() {
- ${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtps --port 465 --timeout 60
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtps --port 465 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
# Disabled as test.rebex.net is currently not workin. Should find another public FTP server with TLS
#testFTP() {
-# ${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftp --port 21 --timeout 60
+# ${SCRIPT} --rootcert-file cabundle.crt -H test.rebex.net --protocol ftp --port 21 --timeout 60
# EXIT_CODE=$?
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
#}
#
#testFTPS() {
-# ${SCRIPT} --rootcert cabundle.crt -H test.rebex.net --protocol ftps --port 990 --timeout 60
+# ${SCRIPT} --rootcert-file cabundle.crt -H test.rebex.net --protocol ftps --port 990 --timeout 60
# EXIT_CODE=$?
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
#}
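Review bot: the `TRAVIS` guard added around the port 587 test is not applied to testSMTPS on port 465 in the same hunk, even though it hits the same host and is as likely to be blocked from CI as ports 25 and 587 are; either guard it too or say in a comment why 465 is expected to work. While here, `testSMTPSubmbission` is misspelled (should be `testSMTPSubmission`) and the comment above the disabled FTP tests reads "workin" for "working".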
@@ -296,74 +300,74 @@ testSMTPS() {
# From https://badssl.com
testBadSSLExpired() {
- ${SCRIPT} -H expired.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H expired.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLExpiredAndWarnThreshold() {
- ${SCRIPT} -H expired.badssl.com --host-cn --warning 3000
+ ${SCRIPT} --rootcert-file cabundle.crt -H expired.badssl.com --host-cn --warning 3000
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLWrongHost() {
- ${SCRIPT} -H wrong.host.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H wrong.host.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSelfSigned() {
- ${SCRIPT} -H self-signed.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H self-signed.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLUntrustedRoot() {
- ${SCRIPT} -H untrusted-root.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H untrusted-root.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLRevoked() {
- ${SCRIPT} -H revoked.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLRevokedCRL() {
- ${SCRIPT} -H revoked.badssl.com --host-cn --crl --rootcert-file cabundle.crt --ignore-ocsp
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com --host-cn --crl --ignore-ocsp
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testGRCRevoked() {
- ${SCRIPT} -H revoked.grc.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.grc.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLIncompleteChain() {
- ${SCRIPT} -H incomplete-chain.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H incomplete-chain.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLDH480(){
- ${SCRIPT} -H dh480.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H dh480.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLDH512(){
- ${SCRIPT} -H dh512.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H dh512.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLRC4MD5(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rc4-md5.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H rc4-md5.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
@@ -373,7 +377,7 @@ testBadSSLRC4MD5(){
testBadSSLRC4(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rc4.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H rc4.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
@@ -383,7 +387,7 @@ testBadSSLRC4(){
testBadSSL3DES(){
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H 3des.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H 3des.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
@@ -392,14 +396,14 @@ testBadSSL3DES(){
}
testBadSSLNULL(){
- ${SCRIPT} -H null.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H null.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSHA256() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H sha256.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -409,7 +413,7 @@ testBadSSLSHA256() {
testBadSSLEcc256() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H ecc256.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H ecc256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -419,7 +423,7 @@ testBadSSLEcc256() {
testBadSSLEcc384() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H ecc384.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H ecc384.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -429,7 +433,7 @@ testBadSSLEcc384() {
testBadSSLRSA8192() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H rsa8192.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H rsa8192.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -439,7 +443,7 @@ testBadSSLRSA8192() {
testBadSSLLongSubdomainWithDashes() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -449,7 +453,7 @@ testBadSSLLongSubdomainWithDashes() {
testBadSSLLongSubdomain() {
if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -458,25 +462,25 @@ testBadSSLLongSubdomain() {
}
testBadSSLSHA12016() {
- ${SCRIPT} -H sha1-2016.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2016.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSHA12017() {
- ${SCRIPT} -H sha1-2017.badssl.com --host-cn
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2017.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testMultipleOCSPHosts() {
- ${SCRIPT} -H netlock.hu --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H netlock.hu
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testRequireOCSP() {
- ${SCRIPT} -H videolan.org --rootcert cabundle.crt --require-ocsp-stapling --critical 1 --warning 2
+ ${SCRIPT} --rootcert-file cabundle.crt -H videolan.org --require-ocsp-stapling --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
@@ -484,7 +488,7 @@ testRequireOCSP() {
# tests for -4 and -6
testIPv4() {
if openssl s_client -help 2>&1 | grep -q -- -4 ; then
- ${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -4
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -497,9 +501,15 @@ testIPv6() {
if ifconfig -a | grep -q inet6 ; then
- ${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ if ping -6 www.google.com > /dev/null 2>&1 ; then
+
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -6
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+
+ else
+ echo "IPv6 is configured but not working: skipping test"
+ fi
else
echo "Skipping forcing IPv6: not IPv6 configured locally"
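Review bot: the IPv6 detection in testIPv6 depends on two tools that are not reliably present: `ifconfig` (net-tools is no longer installed by default on current Debian and on many container images) and `ping -6` (older iputils and BSD/macOS ship `ping6` instead). When `ifconfig` is missing the `if` fails and the test is silently skipped with "not IPv6 configured locally", which is misleading. Prefer `ip -6 addr` with a fallback to `ifconfig`, or probe connectivity directly by attempting the check and treating a connection failure as a skip, and keep the skip message distinct from the "configured but not working" one so a log reader can tell which case occurred.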
@@ -511,14 +521,14 @@ testIPv6() {
}
testFormatShort() {
- OUTPUT=$( ${SCRIPT} -H ethz.ch --cn ethz.ch --rootcert cabundle.crt --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
+ OUTPUT=$( ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
assertEquals "wrong output" "SSL_CERT OK ethz.ch from 'QuoVadis Global SSL ICA G2'" "${OUTPUT}"
}
testMoreErrors() {
- OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --critical 1000 --warning 1001 --rootcert cabundle.crt --verbose | wc -l | sed 's/\ //g' )
+ OUTPUT=$( ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --email doesnotexist --critical 1000 --warning 1001 --verbose | wc -l | sed 's/\ //g' )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# we should get three lines: the plugin output and three errors
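Review bot: testFormatShort pins the expected output to the literal issuer `'QuoVadis Global SSL ICA G2'`, so the test breaks the day ethz.ch renews under a different intermediate even though the `--format` handling it exercises would still be correct; compare only the fixed parts of the string (`SSL_CERT OK ethz.ch from '...'`) or match the issuer with a pattern. The comment in testMoreErrors, "we should get three lines: the plugin output and three errors", does not add up; the assertion below it should say which count is actually expected.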
@@ -526,7 +536,7 @@ testMoreErrors() {
}
testMoreErrors2() {
- OUTPUT=$( ${SCRIPT} -H www.ethz.ch --email doesnotexist --warning 1000 --warning 1001 --rootcert cabundle.crt --verbose | wc -l | sed 's/\ //g' )
+ OUTPUT=$( ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --email doesnotexist --warning 1000 --warning 1001 --verbose | wc -l | sed 's/\ //g' )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# we should get three lines: the plugin output and three errors
@@ -536,18 +546,24 @@ testMoreErrors2() {
# dane
testDANE211() {
- ${SCRIPT} --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk
- EXIT_CODE=$?
- if [ -n "${DANE}" ] ; then
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ # $TRAVIS is set an environment variable
+ # shellcheck disable=SC2154
+ if [ -z "${TRAVIS+x}" ] ; then
+ ${SCRIPT} --rootcert-file cabundle.crt --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk
+ EXIT_CODE=$?
+ if [ -n "${DANE}" ] ; then
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ else
+ assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+ fi
else
- assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
+ echo "Skipping SMTP tests on Travis CI"
fi
}
# does not work anymore
#testDANE311SMTP() {
-# ${SCRIPT} --dane 311 --port 25 -P smtp -H mail.ietf.org
+# ${SCRIPT} --rootcert-file cabundle.crt --dane 311 --port 25 -P smtp -H mail.ietf.org
# EXIT_CODE=$?
# if [ -n "${DANE}" ] ; then
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
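Review bot: the skip branch added to testDANE211 prints "Skipping SMTP tests on Travis CI", copied from the SMTP tests above; this is the DANE test, so the message should say so or the skipped-test summary becomes ambiguous. The restructuring itself looks right: the inner `if [ -n "${DANE}" ]` still selects OK versus UNKNOWN exactly as before, only now inside the `TRAVIS` guard.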
@@ -557,7 +573,7 @@ testDANE211() {
#}
#
#testDANE311() {
-# ${SCRIPT} --dane 311 -H www.ietf.org
+# ${SCRIPT} --rootcert-file cabundle.crt --dane 311 -H www.ietf.org
# EXIT_CODE=$?
# if [ -n "${DANE}" ] ; then
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -567,7 +583,7 @@ testDANE211() {
#}
testDANE301ECDSA() {
- ${SCRIPT} --dane 301 --ecdsa -H mail.aegee.org
+ ${SCRIPT} --rootcert-file cabundle.crt --dane 301 --ecdsa -H mail.aegee.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -577,71 +593,94 @@ testDANE301ECDSA() {
}
testRequiredProgramFile() {
- ${SCRIPT} -H www.google.com --file-bin /doesnotexist
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /doesnotexist
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testRequiredProgramPermissions() {
- ${SCRIPT} -H www.google.com --file-bin /etc/hosts
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /etc/hosts
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testSieveRSA() {
- if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --rsa
+ if ! { openssl s_client -starttls sieve 2>&1 | grep -F -q 'Value must be one of:' || openssl s_client -starttls sieve 2>&1 | grep -F -q 'usage:' ; } ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -P sieve -p 4190 -H mail.aegee.org --rsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping sieve tests on Travis CI"
+ echo "Skipping sieve tests (not supported)"
fi
}
testSieveECDSA() {
- if [ -z "${TRAVIS+x}" ] ; then
- ${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --ecdsa
+ if ! { openssl s_client -starttls sieve 2>&1 | grep -F -q 'Value must be one of:' || openssl s_client -starttls sieve 2>&1 | grep -F -q 'usage:' ; } ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -P sieve -p 4190 -H mail.aegee.org --ecdsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
- echo "Skipping sieve tests on Travis CI"
+ echo "Skipping sieve tests (not supported)"
fi
}
testHTTP2() {
- ${SCRIPT} -H rwserve.readwritetools.com --critical 1 --warning 2
+ ${SCRIPT} --rootcert-file cabundle.crt -H rwserve.readwritetools.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testForceHTTP2() {
- ${SCRIPT} -H www.ethz.ch --protocol h2
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ if openssl s_client -help 2>&1 | grep -q -F alpn ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --protocol h2
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ else
+ echo "Skupping forced HTTP2 test as -alpn is not supported"
+ fi
}
testNotLongerValidThan() {
- ${SCRIPT} -H www.ethz.ch --not-valid-longer-than 2
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --not-valid-longer-than 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
+testDERCert() {
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./der.cer --ignore-sct
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testPKCS12Cert() {
+ export PASS=
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./client.p12 --ignore-sct --password env:PASS
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
testCertificsteWithoutCN() {
- ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-sct
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-sct
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testCertificsteWithEmptySubject() {
- ${SCRIPT} -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-sct
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-sct
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testSCT() {
- ${SCRIPT} -H no-sct.badssl.com
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ if man verify | grep -F -q SCT ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -H no-sct.badssl.com
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ else
+ ${SCRIPT} --rootcert-file cabundle.crt -H no-sct.badssl.com
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ fi
}
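Review bot: testSCT decides which result to expect with `if man verify | grep -F -q SCT`, which probes the documentation rather than the binary: on systems without `man` or without the OpenSSL man pages (most container images strip `/usr/share/man`) the test falls into the `else` branch and asserts OK, while an OpenSSL that does support SCT checking will make the plugin return CRITICAL, so the test fails for the wrong reason. Probe the installed `openssl` itself, as testIPv4 does with `openssl s_client -help 2>&1 | grep -q -- -4` and testForceHTTP2 does for `alpn`. Smaller points in the same hunk: the Sieve capability probe runs `openssl s_client -starttls sieve` twice with no `-connect`, so it also attempts a connection to OpenSSL's default localhost:4433 each time; run it once into a variable and grep that. testPKCS12Cert does `export PASS=` and never unsets it, leaking an (empty) exported variable into the remaining tests. "Skupping" in the testForceHTTP2 skip message should be "Skipping".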
@@ -649,7 +688,7 @@ testSCT() {
testETHZWithSSLLabs() {
# we assume www.ethz.ch gets at least a B
- ${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs B --rootcert cabundle.crt
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --check-ssl-labs B
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.140.0
+Version: 1.142.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.140.0/
\ No newline at end of file
+check_ssl_cert_1.142.0
\ No newline at end of file
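Review bot: the old value `check_ssl_cert_1.140.0/` had a trailing slash and the new `check_ssl_cert_1.142.0` does not; if whatever consumes `src` concatenates it with a relative path, the two forms are not interchangeable. Keep the slash for consistency with the previous entry unless the tooling is known to normalise it.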
=====================================
debian/changelog
=====================================
@@ -1,8 +1,7 @@
-nagios-plugins-contrib (31.20210225~1.gbp491241) UNRELEASED; urgency=medium
+nagios-plugins-contrib (32.20210311) unstable; urgency=medium
- ** SNAPSHOT build @491241933e1079e581d980b7dca3a034326e54f6 **
-
- * NOT RELEASED YET
+ * [41971bc] check_ssl_cert: Update to 1.142.0
+ * [059ebda] Auto update of debian/control
-- Jan Wagner <waja at cyconet.org> Thu, 25 Feb 2021 21:02:03 +0100
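Review bot: the changelog trailer still reads `Thu, 25 Feb 2021 21:02:03 +0100` although the entry is being finalised as release `32.20210311`, whose version string names 11 March; the trailer is unchanged context here, so the date was not refreshed when the snapshot entry was turned into a release. Running `dch -r` (or editing the trailer by hand) before the release commit keeps the changelog date consistent with the version.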
=====================================
debian/control
=====================================
@@ -173,7 +173,7 @@ Description: Plugins for nagios compatible monitoring systems
HOST-RESOURCES-MIB::hrSystemDate.0 used here returns 8 or 11 byte octets.
SNMP translation needs to be switched off and to be converted the
received SNMP data into readable strings.
- * check_ssl_cert (1.140.0): plugin to check the CA and validity of an
+ * check_ssl_cert (1.142.0): plugin to check the CA and validity of an
X.509 certificate
* check_uptime (0.521): check_uptime returns uptime of a system
in text (readable) format as well as in minutes for performance graphing.
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/09f9e69a1e6a1f7b7645067e3997cc664fefbe42...03de296db5a39035ad7319da33b104d3583dc06a