[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] check_ssl_cert: Update to 1.144.0

Jan Wagner gitlab at salsa.debian.org
Mon Mar 15 11:50:09 GMT 2021


Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib


Commits:
a21a9b7d by Jan Wagner at 2021-03-15T11:47:41+01:00
check_ssl_cert: Update to 1.144.0

- Removed the dependency on man

- - - - -


28 changed files:

- − check_ssl_cert/check_ssl_cert_1.143.0/VERSION
- check_ssl_cert/check_ssl_cert_1.143.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.144.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.143.0/COPYING → check_ssl_cert/check_ssl_cert_1.144.0/COPYING
- check_ssl_cert/check_ssl_cert_1.143.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.144.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.143.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.144.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.143.0/INSTALL → check_ssl_cert/check_ssl_cert_1.144.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.143.0/Makefile → check_ssl_cert/check_ssl_cert_1.144.0/Makefile
- check_ssl_cert/check_ssl_cert_1.143.0/NEWS → check_ssl_cert/check_ssl_cert_1.144.0/NEWS
- check_ssl_cert/check_ssl_cert_1.143.0/README.md → check_ssl_cert/check_ssl_cert_1.144.0/README.md
- check_ssl_cert/check_ssl_cert_1.143.0/TODO → check_ssl_cert/check_ssl_cert_1.144.0/TODO
- + check_ssl_cert/check_ssl_cert_1.144.0/VERSION
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.143.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/._cert_with_subject_without_cn.crt
- + check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12
- check_ssl_cert/check_ssl_cert_1.143.0/test/._der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/._der.cer
- check_ssl_cert/check_ssl_cert_1.143.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/client.p12 → check_ssl_cert/check_ssl_cert_1.144.0/test/client.p12
- check_ssl_cert/check_ssl_cert_1.143.0/test/der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/der.cer
- check_ssl_cert/check_ssl_cert_1.143.0/test/localhost.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/localhost.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/no-sct.badssl.com.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/no-sct.badssl.com.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.144.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src


Changes:

=====================================
check_ssl_cert/check_ssl_cert_1.143.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.143.0
\ No newline at end of file


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.144.0/AUTHORS
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/COPYING → check_ssl_cert/check_ssl_cert_1.144.0/COPYING
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.144.0/COPYRIGHT
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.144.0/ChangeLog
=====================================
@@ -1,3 +1,11 @@
+2021-03-14  Matteo Corti  <matteo at corti.li>
+
+	* check_ssl_cert (openssl_version): added a function to compare OpenSSL versions. Getting rid of the man dependency
+
+2021-03-12  Matteo Corti  <matteo at corti.li>
+
+	* check_ssl_cert (exec_with_timeout): fixing timeout on systems using 'timeout'
+
 2021-03-12  Matteo Corti  <matteo at corti.li>
 
 	* check_ssl_cert (exec_with_timeout): reducing the total timeout by each execution


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/INSTALL → check_ssl_cert/check_ssl_cert_1.144.0/INSTALL
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/Makefile → check_ssl_cert/check_ssl_cert_1.144.0/Makefile
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/NEWS → check_ssl_cert/check_ssl_cert_1.144.0/NEWS
=====================================
@@ -1,3 +1,4 @@
+2021-03-14 Version 1.144.0: Getting rid of the man dependency
 2021-03-12 Version 1.143.0: Better handling of the timeout
                             Checks ciphers with nmap (--check-ciphers and --check-ciphers-warnings)
                             Checks oll the supplied OCSP URIs


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/README.md → check_ssl_cert/check_ssl_cert_1.144.0/README.md
=====================================
@@ -104,7 +104,7 @@ Options:
    -o,--org org                    pattern to match the organization of the certificate
       --openssl path               path of the openssl binary to be used
       --password source            password source for a local certificate, see the PASS PHRASE ARGUMENTS section
-                                   openssl(1)      
+                                   openssl(1)
    -p,--port port                  TCP port
    -P,--protocol protocol          use the specific protocol
                                    {ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/TODO → check_ssl_cert/check_ssl_cert_1.144.0/TODO
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.144.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.144.0
\ No newline at end of file


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
 ################################################################################
 # Constants
 
-VERSION=1.143.0
+VERSION=1.144.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -324,6 +324,82 @@ EOF
 
 }
 
+################################################################################
+# checks if OpenSSL version is at least the given parameter
+# Params
+#   $1 minumum version
+openssl_version() {
+
+    # See https://wiki.openssl.org/index.php/Versioning
+    
+    # Required version
+    MIN_VERSION=$1
+
+    IFS='.' read -r MIN_MAJOR1 MIN_MAJOR2 MIN_MINOR <<EOF
+${MIN_VERSION}
+EOF
+
+    if echo "${MIN_MINOR}" | grep -q '[:alpha:]' ; then
+        MIN_FIX=$( echo "${MIN_MINOR}" | sed 's/[[:digit:]][[:digit:]]*//' )
+        MIN_MINOR=$( echo "${MIN_MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//' )
+    fi
+
+    if [ -n "${MIN_FIX}" ] ; then MIN_FIX_NUM=$( printf '%d' "'${MIN_FIX}" ) ; else MIN_FIX_NUM=0 ; fi
+    debuglog "Checking if OpenSSL version is at least ${MIN_VERSION} ( '${MIN_MAJOR1}' '${MIN_MAJOR2}' '${MIN_MINOR}' '${MIN_FIX}:${MIN_FIX_NUM}' )"
+
+    # current version
+    
+    OPENSSL_VERSION=$( ${OPENSSL} version | sed 's/^OpenSSL\ \([^ ]*\).*/\1/' )
+
+    IFS='.' read -r MAJOR1 MAJOR2 MINOR <<EOF
+${OPENSSL_VERSION}
+EOF
+
+    if echo "${MINOR}" | grep -q '[[:alpha:]]' ; then
+        FIX=$( echo "${MINOR}" | sed 's/[[:digit:]][[:digit:]]*//' )
+        MINOR=$( echo "${MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//' )
+    fi
+
+    if [ -n "${FIX}" ] ; then FIX_NUM=$( printf '%d' "'${FIX}" ) ; else FIX_NUM=0 ; fi
+    debuglog "Current version ${OPENSSL_VERSION} ( '${MAJOR1}' '${MAJOR2}' '${MINOR}' '${FIX}:${FIX_NUM}' )"
+
+    # return 0 for true and 1 for false
+    # check MAJOR1
+    if [ "${MAJOR1}" -gt "${MIN_MAJOR1}" ] ; then
+        RET=0
+    elif [ "${MAJOR1}" -lt "${MIN_MAJOR1}" ] ; then
+        RET=1
+    else
+        # check MAJOR2
+        if [ "${MAJOR2}" -gt "${MIN_MAJOR2}" ] ; then
+            RET=0
+        elif [ "${MAJOR2}" -lt "${MIN_MAJOR2}" ] ; then
+            RET=1
+        else
+            # check MINOR
+            if [ "${MINOR}" -gt "${MIN_MINOR}" ] ; then
+                RET=0
+            elif [ "${MINOR}" -lt "${MIN_MINOR}" ] ; then
+                RET=1
+            else
+                # check FIX
+                RET=$( [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ]  )
+            fi
+        fi
+    fi
+
+    if [ -n "${DEBUG}" ] ; then
+        if [ "${RET}" -eq 0 ] ; then
+            debuglog '  true'
+        else
+            debuglog '  false'
+        fi
+    fi
+    
+    return "${RET}"
+
+}
+
 ################################################################################
 # prepends critical messages to list of all messages
 # Params
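Review bot: In the `# check FIX` branch, `RET=$( [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ] )` captures the (empty) stdout of the test rather than its exit status, so whenever the installed and required versions agree on all three numbers — OpenSSL 1.1.0x against the `openssl_version '1.1.0'` call this commit adds — RET is empty and `[ "${RET}" -eq 0 ]` / `return "${RET}"` fail with a non-numeric argument instead of answering true (under dash an error in the special builtin `return` may even abort the plugin). Write it as `if [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ] ; then RET=0 ; else RET=1 ; fi`. The letter test on the required version, `grep -q '[:alpha:]'`, is also not a character class (GNU grep rejects it with status 2; POSIX reads it as the set `:alph`), so a suffix in the minimum such as `1.0.2k` is never split off, unlike the `[[:alpha:]]` used for the current version a few lines below; use the same form for both. Because a wrong answer here silently disables the SCT check at the call site, a header comment stating that the function must return 1 on any parse failure (a `version` string that is not `OpenSSL x.y.z[letter]`, such as LibreSSL's) would make the fail-closed expectation explicit.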
@@ -528,9 +604,9 @@ exec_with_timeout() {
     if [ -n "$3" ] ; then
         ERRFILE=$3
     fi
-    
+
     start_time=$( date +%s )
-    
+
     debuglog "executing with timeout (${time}s): $1"
 
     if [ -n "${TIMEOUT_BIN}" ] ; then
@@ -550,6 +626,7 @@ exec_with_timeout() {
         # because of the execution in the backgroud we get a 137 for a timeout
         if [ "${RET}" -eq 137 ] || [ "${RET}" -eq 124 ] ; then
             prepend_critical_message "Timeout after ${time} seconds"
+            critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
         elif [ "${RET}" -eq 125 ] ; then
             prepend_critical_message "execution of ${command} failed"
         elif [ "${RET}" -eq 126 ] ; then
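Review bot: The new `critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"` sits directly after a `prepend_critical_message` with the same text; if `critical` terminates the plugin, as its name and the CRITICAL prefix suggest (its definition is outside this hunk), the queued message and the TIMEOUT bookkeeping further down are dead code on this path, and if it does not, the timeout is reported twice. Either drop the `prepend_critical_message` line or add `# a timeout ends the check here: nothing else can be verified within the budget` so the early exit is clearly intentional. exec_with_timeout begins and ends outside this hunk.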
@@ -560,7 +637,8 @@ exec_with_timeout() {
 
         end_time=$( date +%s )
         TIMEOUT=$(( TIMEOUT - end_time + start_time ))
-        
+	if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
+
         return "${RET}"
 
     elif [ -n "${EXPECT}" ] ; then
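Review bot: The added `if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi` is indented with a tab while the surrounding lines use spaces, and the identical line is pasted into the expect and plain-eval branches of exec_with_timeout as well, so a small helper run after each `end_time=$( date +%s )` would keep the three copies in step. The clamp itself deserves a comment: GNU timeout(1) treats a duration of 0 as no limit at all and rejects negative values, so if `time` is derived from TIMEOUT (presumably, at the top of the function) an exhausted budget would otherwise turn the remaining commands into unbounded ones; `# timeout(1) reads 0 as 'no limit': keep at least one second` says why. It also means the total run can overshoot `--timeout` by one second per remaining step rather than stopping, which may be acceptable but is not what "total timeout" implies; the function starts and ends outside this hunk.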
@@ -608,6 +686,7 @@ EOT
 
         end_time=$( date +%s )
         TIMEOUT=$(( TIMEOUT - end_time + start_time ))
+	if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
 
         return "${RET}"
 
@@ -617,17 +696,18 @@ EOT
 
         eval "${command}" > "${OUTFILE}" 2> "${ERRFILE}"
         RET=$?
-        
+
         end_time=$( date +%s )
 
         # we deduce the command duration from the total specified timeout
         TIMEOUT=$(( TIMEOUT - end_time + start_time ))
+	if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
 
         return "${RET}"
 
     fi
-    
-    
+
+
 }
 
 ################################################################################
@@ -726,7 +806,7 @@ check_crl() {
 #   $1 cert
 #   $2 element number
 check_ocsp() {
-    
+
     el_number=1
     if [ -n "$2" ]; then
         el_number=$2
@@ -775,7 +855,7 @@ check_ocsp() {
 
         # shellcheck disable=SC2086,SC2016
         ELEMENT_ISSUER_URIS="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep -F "CA Issuers" | grep -F -i "http" | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
-        
+
         if [ -z "${ELEMENT_ISSUER_URIS}" ] ; then
             verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks on element ${el_number}"
             return
@@ -797,7 +877,7 @@ check_ocsp() {
 
 
             if [ -z "${ISSUER_CERT}" ] ; then
-                
+
                 debuglog "OCSP: fetching issuer certificate ${ELEMENT_ISSUER_URI} to ${ISSUER_CERT_TMP}"
 
                 if [ -n "${CURL_USER_AGENT}" ] ; then
@@ -859,11 +939,11 @@ check_ocsp() {
                     debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
 
                     cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
-                    
+
                 fi
 
                 if [ -n "${ISSUER_CERT_CACHE}" ] ; then
-                    
+
                     if [ ! -w "${ISSUER_CERT_CACHE}" ]; then
                         unknown "Issuer certificates cache ${ISSUER_CERT_CACHE} is not writeable!"
                     fi
@@ -885,9 +965,9 @@ check_ocsp() {
         OCSP_URIS="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT_ELEMENT}" -ocsp_uri -noout)"
 
         debuglog "OSCP: URIs = ${OCSP_URIS}"
-                
+
         for OCSP_URI in ${OCSP_URIS} ; do
-        
+
             debuglog "OSCP: URI = ${OCSP_URI}"
 
             OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\\([^/]\\+\\)\\(/.*\\)\\?\$@\\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
@@ -1100,12 +1180,13 @@ check_cert_end_date() {
 
 
 ################################################################################
-# Converts SSL Labs grades to a numeric value
-#   (see https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf)
+# Converts SSL Labs or nmap grades to a numeric value
+#   (see https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf and
+#    https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html)
 # Params
 #   $1 program name
 # Sets NUMERIC_SSL_LAB_GRADE
-convert_ssl_lab_grade() {
+convert_grade() {
 
     GRADE="$1"
 
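Review bot: The rewritten header still says `#   $1 program name`, but the function reads its argument as a grade (`GRADE="$1"`); change it to `#   $1 grade: SSL Labs letter grade (A+ … T) or nmap ssl-enum-ciphers strength (strong/weak/unknown)`. It would also help to add `# Sets NUMERIC_SSL_LAB_GRADE (name kept for the existing SSL Labs callers)` so the asymmetric naming is not mistaken for a leftover, and to note what an unrecognized value yields, since the default arm of the case is outside this hunk.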
@@ -1117,7 +1198,7 @@ convert_ssl_lab_grade() {
             NUMERIC_SSL_LAB_GRADE=85
             shift
             ;;
-        A|a)
+        A|a|strong|Strong)
             NUMERIC_SSL_LAB_GRADE=80
             shift
             ;;
@@ -1130,7 +1211,7 @@ convert_ssl_lab_grade() {
             NUMERIC_SSL_LAB_GRADE=65
             shift
             ;;
-        C|c)
+        C|c|weak|Weak)
             NUMERIC_SSL_LAB_GRADE=50
             shift
             ;;
@@ -1146,7 +1227,7 @@ convert_ssl_lab_grade() {
             NUMERIC_SSL_LAB_GRADE=0
             shift
             ;;
-        T|t)
+        T|t|unknown|Unknown)
             # No trust: value not in documentation
             NUMERIC_SSL_LAB_GRADE=0
             shift
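Review bot: Mapping nmap's `unknown` strength onto the no-trust grade of 0 means that any cipher nmap cannot rate makes `--check-ciphers` critical; that is the right (fail-closed) direction for a security check, but it is easy to mistake for a bug, so say so above the arm: `# nmap 'unknown' strength: treat as untrusted (fail closed) rather than ignore it`. Whether `unknown` can also appear because nmap's own cipher table is older than the server's suites is not something the hunk shows — worth confirming and recording here.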
@@ -1270,7 +1351,7 @@ fetch_certificate() {
 		    debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys"
                     "${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys 2> "${PKCS12_ERROR}"
                 fi
-                
+
                 if [ $? -eq 1 ] ; then
                     unknown "Error converting ${FILE}: $( head -n 1 "${PKCS12_ERROR}" ) "
                 fi
@@ -1279,18 +1360,18 @@ fetch_certificate() {
 
                 debuglog 'converting DER to PEM'
                 "${OPENSSL}" x509 -inform der -in "${FILE}" -out "${CERT}"
-                
+
             else
-                
+
                 debuglog "Copying the certificate to ${CERT}"
                 /bin/cat "${FILE}" > "${CERT}"
                 RET=$?
 
             fi
-                
+
             debuglog "storing the certificate to ${CERT}"
             debuglog "certificate type (2): $(${FILE_BIN} "${CERT}" | sed 's/.*://' )"
-            
+
         else
             unknown "Error: option 'file' works with -H localhost only"
         fi
@@ -1488,10 +1569,10 @@ main() {
     while true; do
 
         case "$1" in
-            
+
             ########################################
             # Options without arguments
-            
+
             -A|--noauth)
                 NOAUTH=1
                 shift
@@ -2201,12 +2282,12 @@ main() {
     fi
 
     if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
-        convert_ssl_lab_grade "${SSL_LAB_CRIT_ASSESSMENT}"
+        convert_grade "${SSL_LAB_CRIT_ASSESSMENT}"
         SSL_LAB_CRIT_ASSESSMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
     fi
 
     if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
-        convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
+        convert_grade "${SSL_LAB_WARN_ASSESTMENT}"
         SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
         if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
             unknown  '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
@@ -2214,7 +2295,7 @@ main() {
     fi
 
     if [ -n "${CHECK_CIPHERS}" ] ; then
-        convert_ssl_lab_grade "${CHECK_CIPHERS}"
+        convert_grade "${CHECK_CIPHERS}"
         CHECK_CIPHERS_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
     fi
 
@@ -2291,7 +2372,7 @@ main() {
 
     # nmap
     if [ -z "${NMAP_BIN}" ] ; then
-        
+
         if [ -n "${DISALLOWED_PROTOCOLS}" ] || [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ] ; then
 
             if [ -n "${DISALLOWED_PROTOCOLS}" ] ; then debuglog "nmap binary needed. DISALLOWED_PROTOCOLS = ${DISALLOWED_PROTOCOLS}" ; fi
@@ -2306,11 +2387,11 @@ main() {
         else
             debuglog "nmap binary not needed. No disallowed protocols"
         fi
-        
+
     else
         # we check if the provided binary actually works
         check_required_prog "${NMAP_BIN}"
-        
+
     fi
 
     # Expect (optional)
@@ -2394,8 +2475,10 @@ main() {
     if [ -n "${DEBUG}" ] ; then
         debuglog "check_ssl_cert version: ${VERSION}"
         debuglog "OpenSSL binary: ${OPENSSL}"
-        debuglog "OpenSSL version: $( ${OPENSSL} version )"
-
+        if [ -n "${DEBUG}" ] ; then
+            debuglog "OpenSSL info:"
+            ${OPENSSL} version -a | sed 's/^/[DBG]/'
+        fi
         OPENSSL_DIR="$( ${OPENSSL} version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/' )"
 
         debuglog "OpenSSL configuration directory: ${OPENSSL_DIR}"
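Review bot: The added `if [ -n "${DEBUG}" ]` is nested directly inside an identical test (the `if [ -n "${DEBUG}" ]` at the top of the hunk), so it is always true; more importantly `${OPENSSL} version -a | sed 's/^/[DBG]/'` writes to stdout directly rather than through `debuglog`, so these lines bypass whatever stream and prefix debuglog applies (its definition is not in this hunk) and land in the plugin's own output. Reuse the loop this commit introduces for nmap output: `${OPENSSL} version -a | while IFS= read -r LINE ; do debuglog "${LINE}" ; done`.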
@@ -2734,7 +2817,7 @@ main() {
     trap_with_arg cleanup ${SIGNALS}
 
     fetch_certificate
-    
+
     if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
 
         if [ -n "${SERVERNAME}" ] ; then
@@ -2756,11 +2839,11 @@ main() {
 
     # check for TLS renegotiation
     if [ -z "${IGNORE_TLS_RENEGOTIATION}" ] ; then
-        
+
         verboselog "Checking TLS renegotiation"
 
         # see https://www.mcafee.com/blogs/enterprise/tips-securing-ssl-renegotiation/
-        
+
         exec_with_timeout "printf 'R\\n' | openssl s_client -connect ${HOST}:${PORT} 2>&1 | grep -F -q err"
         RET=$?
 
@@ -2769,10 +2852,10 @@ main() {
             if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}" ; then
                 prepend_critical_message 'TLS renegotiation is supported but not secure'
             fi
-            
+
         fi
 
-    fi        
+    fi
 
     if ascii_grep "BEGIN X509 CRL" "${CERT}" ; then
         # we are dealing with a CRL file
@@ -3274,15 +3357,26 @@ main() {
 
         exec_with_timeout "nmap -sV --script ssl-enum-ciphers ${HOST} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
 
+        if [ -n "${DEBUG}" ] ; then
+            debuglog 'nmap output:'
+            while read -r LINE; do
+                debuglog "${LINE}"
+            done < "${NMAP_OUT}"
+            debuglog 'nmap errors:'
+            while read -r LINE; do
+                debuglog "${LINE}"
+            done < "${NMAP_ERR}"
+        fi
+
         if [ -s "${NMAP_ERR}" ] ; then
             NMAP_ERROR=$( head -n 1 "${NMAP_ERR}" )
             unknown "nmap exited with error: ${NMAP_ERROR}"
         fi
-        
+
         if [ -n "${CHECK_CIPHERS}" ] ; then
-        
+
             NMAP_GRADE=$( grep -F 'least strength' "${NMAP_OUT}" | sed 's/.*\ //' )
-            convert_ssl_lab_grade "${NMAP_GRADE}"
+            convert_grade "${NMAP_GRADE}"
             NMAP_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
 
             verboselog "nmap cipher grade ${NMAP_GRADE}: ${NMAP_GRADE_NUMERIC}"
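Review bot: The two dump loops use `read -r LINE` without `IFS=` and without an `|| [ -n "${LINE}" ]` guard, so nmap's indented cipher listing loses its leading whitespace in the debug output and an unterminated final line is dropped; the warnings loop later in this function already uses `while IFS= read -r line`, so the same form fits here: `while IFS= read -r LINE || [ -n "${LINE}" ] ; do`. The dump also repeats the full `-sV` service-detection output for the target; that is fine under DEBUG, but a one-line comment such as `# DEBUG only: echoes the complete nmap report, including service banners` tells people what they are pasting into tickets. main() continues outside this hunk.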
@@ -3297,11 +3391,11 @@ main() {
         if [ -n "${CHECK_CIPHERS_WARNINGS}" ] ; then
 
             if grep -F -q 'warnings:' "${NMAP_OUT}" ; then
-                
+
                 PARSING_WARNINGS=
                 WARNINGS=
                 while IFS= read -r line; do
-                    
+
                     if echo "${line}" | grep -q -F 'warnings:' ; then
                         PARSING_WARNINGS=1
                     elif echo "${line}" | grep -q -F ':' ; then
@@ -3315,18 +3409,18 @@ main() {
                             WARNINGS="${WARNING}"
                         fi
                     fi
-                    
+
                 done < "${NMAP_OUT}"
 
                 WARNINGS=$( echo "${WARNINGS}" | sort | uniq | tr '\n' ',' | sed 's/,/,\ /g' | sed 's/,\ $//' )
                 prepend_critical_message "${HOST} offers ciphers with warning: ${WARNINGS}"
-                
+
             fi
-            
+
         fi
-        
+
     fi
-    
+
     ################################################################################
     # Check SSL Labs
     if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
@@ -3395,7 +3489,7 @@ main() {
 
                             verboselog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
 
-                            convert_ssl_lab_grade "${SSL_LABS_HOST_GRADE}"
+                            convert_grade "${SSL_LABS_HOST_GRADE}"
                             SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
 
                             add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"
@@ -3451,7 +3545,7 @@ main() {
     if [ -n "${ORGANIZATION}" ] ; then
 
         debuglog "Checking organization ${ORGANIZATION}"
-        
+
         ORG=$(${OPENSSL} x509 -in "${CERT}" -subject -noout | sed -e "s/.*\\/O=//" -e "s/\\/.*//")
 
         if ! echo "${ORG}" | grep -q -E "^${ORGANIZATION}" ; then
@@ -3517,17 +3611,17 @@ main() {
     ##############################################################################
     # Check for Signed Certificate Timestamps (SCT)
     if [ -z "${SELFSIGNED}" ] ; then
-        
-	debuglog 'Checking Signed Certificate Timestamps (SCTs)'
-
+              
         # check if OpenSSL supoort SCTs
-        if env GZIP=-q man verify | grep -F -q SCT ; then
-        
+        if openssl_version '1.1.0' ; then
+
+            debuglog 'Checking Signed Certificate Timestamps (SCTs)'
+
 	    if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text -noout | grep -F -q 'SCTs' ; then
                 prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
             fi
 
-        else            
+        else
             verboselog 'Skipping SCTs check as not supported by OpenSSL'
 	fi
     fi
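Review bot: When `openssl_version '1.1.0'` returns false the SCT check is skipped with only a `verboselog`, even if `${SCT}` is set — presumably by the option that asks for the SCT check — so an explicit request silently degrades to OK; failing closed would be `if [ -n "${SCT}" ] ; then unknown 'SCT check requested but not supported by this OpenSSL' ; fi` in the else arm. The version gate is also only a proxy for the feature: an OpenSSL 1.1.0+ built without CT support (`no-ct`) would pass the gate and then likely never print `SCTs` in `-text` output, turning every certificate into a critical; the old man-page test had the same limitation, so record the assumption with `# assumes OpenSSL >= 1.1.0 was built with CT support (the default)`. The new blank line at the top of the hunk carries trailing spaces, and the block mixes tab- and space-indented lines.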


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "March, 2021" "1.143.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "March, 2021" "1.144.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version          1.143.0
+%define version          1.144.0
 %define release          0
 %define sourcename       check_ssl_cert
 %define packagename      nagios-plugins-check_ssl_cert
@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{sourcename}.1*
 
 %changelog
+* Sun Mar  14 2021 Matteo Corti <matteo at corti.li> - 1.144.0-0
+- Updated to 1.144.0
+
 * Fri Mar  12 2021 Matteo Corti <matteo at corti.li> - 1.143.0-0
 - Updated to 1.143.0
 


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/._cert_with_subject_without_cn.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12 differ


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/._der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/._der.cer
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cabundle.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cacert.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_empty_subject.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_subject_without_cn.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/client.p12 → check_ssl_cert/check_ssl_cert_1.144.0/test/client.p12
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/der.cer
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/localhost.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/localhost.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/no-sct.badssl.com.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/no-sct.badssl.com.crt
=====================================


=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.144.0/test/unit_tests.sh
=====================================
@@ -178,7 +178,7 @@ testWildcardAltNames2() {
         --cn otherhost.sPaPPs.ethz.ch \
         --cn spapps.ethz.ch \
         --altnames \
-       
+
     EXIT_CODE=$?
     assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
 }
@@ -502,7 +502,7 @@ testIPv6() {
         if ifconfig -a | grep -q inet6 ; then
 
             if ping -6 www.google.com > /dev/null 2>&1  ; then
-            
+
                 ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -6
                 EXIT_CODE=$?
                 assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -682,17 +682,25 @@ testSCT() {
         assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
     fi
 }
-    
+
 testCiphersOK() {
-    ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --check-ciphers A --check-ciphers-warnings
-    EXIT_CODE=$?
-    assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+    if [ -z "${TRAVIS+x}" ] ; then
+        ${SCRIPT} --rootcert-file cabundle.crt -H www.wikipedia.org --check-ciphers A --check-ciphers-warnings
+        EXIT_CODE=$?
+        assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+    else
+        echo "Skipping nmap cipher warnings tests as nmap is too old"
+    fi
 }
 
 testCiphersError() {
-    ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --check-ciphers A --check-ciphers-warnings
-    EXIT_CODE=$?
-    assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+    if [ -z "${TRAVIS+x}" ] ; then
+        ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --check-ciphers A --check-ciphers-warnings
+        EXIT_CODE=$?
+        assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+    else
+        echo "Skipping nmap cipher warnings tests as nmap is too old"
+    fi
 }
 
 # SSL Labs (last one as it usually takes a lot of time
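Review bot: The skip in testCiphersOK and testCiphersError is keyed on the `TRAVIS` environment variable, not on the condition the message names ("nmap is too old"), so the tests stay skipped on Travis after its nmap is updated and still fail on any other machine with an old nmap; test the actual prerequisite (e.g. parse `nmap --version` against the minimum that ssl-enum-ciphers grading needs) and print the detected version in the skip message. Both tests also depend on the live cipher configuration of third-party hosts (www.wikipedia.org and ethz.ch), so the expected OK/CRITICAL outcome can flip without any change to the plugin; a comment stating why these hosts were chosen and that a failure may be an upstream configuration change rather than a regression would save the next debugging round.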


=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
 Uploaders: Jan Wagner <waja at cyconet.org>
 Recommends: curl, file, openssl
 Suggests: expect
-Version: 1.143.0
+Version: 1.144.0
 Homepage: https://github.com/matteocorti/check_ssl_cert
 Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
 Description: plugin to check the CA and validity of an


=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.143.0
\ No newline at end of file
+check_ssl_cert_1.144.0
\ No newline at end of file



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/commit/a21a9b7d34f67e8df4eb1c76b9695527228f5c8d
