[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] check_ssl_cert: Update to 1.144.0
Jan Wagner
gitlab at salsa.debian.org
Mon Mar 15 11:50:09 GMT 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
a21a9b7d by Jan Wagner at 2021-03-15T11:47:41+01:00
check_ssl_cert: Update to 1.144.0
- Removed the dependency on man
- - - - -
28 changed files:
- − check_ssl_cert/check_ssl_cert_1.143.0/VERSION
- check_ssl_cert/check_ssl_cert_1.143.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.144.0/AUTHORS
- check_ssl_cert/check_ssl_cert_1.143.0/COPYING → check_ssl_cert/check_ssl_cert_1.144.0/COPYING
- check_ssl_cert/check_ssl_cert_1.143.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.144.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_1.143.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.144.0/ChangeLog
- check_ssl_cert/check_ssl_cert_1.143.0/INSTALL → check_ssl_cert/check_ssl_cert_1.144.0/INSTALL
- check_ssl_cert/check_ssl_cert_1.143.0/Makefile → check_ssl_cert/check_ssl_cert_1.144.0/Makefile
- check_ssl_cert/check_ssl_cert_1.143.0/NEWS → check_ssl_cert/check_ssl_cert_1.144.0/NEWS
- check_ssl_cert/check_ssl_cert_1.143.0/README.md → check_ssl_cert/check_ssl_cert_1.144.0/README.md
- check_ssl_cert/check_ssl_cert_1.143.0/TODO → check_ssl_cert/check_ssl_cert_1.144.0/TODO
- + check_ssl_cert/check_ssl_cert_1.144.0/VERSION
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_1.143.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/._cert_with_subject_without_cn.crt
- + check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12
- check_ssl_cert/check_ssl_cert_1.143.0/test/._der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/._der.cer
- check_ssl_cert/check_ssl_cert_1.143.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/client.p12 → check_ssl_cert/check_ssl_cert_1.144.0/test/client.p12
- check_ssl_cert/check_ssl_cert_1.143.0/test/der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/der.cer
- check_ssl_cert/check_ssl_cert_1.143.0/test/localhost.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/localhost.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/no-sct.badssl.com.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/no-sct.badssl.com.crt
- check_ssl_cert/check_ssl_cert_1.143.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.144.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-1.143.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.144.0/AUTHORS
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/COPYING → check_ssl_cert/check_ssl_cert_1.144.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.144.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.144.0/ChangeLog
=====================================
@@ -1,3 +1,11 @@
+2021-03-14 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (openssl_version): added a function to compare OpenSSL versions. Getting rid of the man dependency
+
+2021-03-12 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (exec_with_timeout): fixing timeout on systems using 'timeout'
+
2021-03-12 Matteo Corti <matteo at corti.li>
* check_ssl_cert (exec_with_timeout): reducing the total timeout by each execution
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/INSTALL → check_ssl_cert/check_ssl_cert_1.144.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/Makefile → check_ssl_cert/check_ssl_cert_1.144.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/NEWS → check_ssl_cert/check_ssl_cert_1.144.0/NEWS
=====================================
@@ -1,3 +1,4 @@
+2021-03-14 Version 1.144.0: Getting rid of the man dependency
2021-03-12 Version 1.143.0: Better handling of the timeout
Checks ciphers with nmap (--check-ciphers and --check-ciphers-warnings)
Checks oll the supplied OCSP URIs
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/README.md → check_ssl_cert/check_ssl_cert_1.144.0/README.md
=====================================
@@ -104,7 +104,7 @@ Options:
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
--password source password source for a local certificate, see the PASS PHRASE ARGUMENTS section
- openssl(1)
+ openssl(1)
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/TODO → check_ssl_cert/check_ssl_cert_1.144.0/TODO
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.144.0/VERSION
=====================================
@@ -0,0 +1 @@
+1.144.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=1.143.0
+VERSION=1.144.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -324,6 +324,82 @@ EOF
}
+################################################################################
+# checks if OpenSSL version is at least the given parameter
+# Params
+# $1 minumum version
+openssl_version() {
+
+ # See https://wiki.openssl.org/index.php/Versioning
+
+ # Required version
+ MIN_VERSION=$1
+
+ IFS='.' read -r MIN_MAJOR1 MIN_MAJOR2 MIN_MINOR <<EOF
+${MIN_VERSION}
+EOF
+
+ if echo "${MIN_MINOR}" | grep -q '[:alpha:]' ; then
+ MIN_FIX=$( echo "${MIN_MINOR}" | sed 's/[[:digit:]][[:digit:]]*//' )
+ MIN_MINOR=$( echo "${MIN_MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//' )
+ fi
+
+ if [ -n "${MIN_FIX}" ] ; then MIN_FIX_NUM=$( printf '%d' "'${MIN_FIX}" ) ; else MIN_FIX_NUM=0 ; fi
+ debuglog "Checking if OpenSSL version is at least ${MIN_VERSION} ( '${MIN_MAJOR1}' '${MIN_MAJOR2}' '${MIN_MINOR}' '${MIN_FIX}:${MIN_FIX_NUM}' )"
+
+ # current version
+
+ OPENSSL_VERSION=$( ${OPENSSL} version | sed 's/^OpenSSL\ \([^ ]*\).*/\1/' )
+
+ IFS='.' read -r MAJOR1 MAJOR2 MINOR <<EOF
+${OPENSSL_VERSION}
+EOF
+
+ if echo "${MINOR}" | grep -q '[[:alpha:]]' ; then
+ FIX=$( echo "${MINOR}" | sed 's/[[:digit:]][[:digit:]]*//' )
+ MINOR=$( echo "${MINOR}" | sed 's/[[:alpha:]][[:alpha:]]*//' )
+ fi
+
+ if [ -n "${FIX}" ] ; then FIX_NUM=$( printf '%d' "'${FIX}" ) ; else FIX_NUM=0 ; fi
+ debuglog "Current version ${OPENSSL_VERSION} ( '${MAJOR1}' '${MAJOR2}' '${MINOR}' '${FIX}:${FIX_NUM}' )"
+
+ # return 0 for true and 1 for false
+ # check MAJOR1
+ if [ "${MAJOR1}" -gt "${MIN_MAJOR1}" ] ; then
+ RET=0
+ elif [ "${MAJOR1}" -lt "${MIN_MAJOR1}" ] ; then
+ RET=1
+ else
+ # check MAJOR2
+ if [ "${MAJOR2}" -gt "${MIN_MAJOR2}" ] ; then
+ RET=0
+ elif [ "${MAJOR2}" -lt "${MIN_MAJOR2}" ] ; then
+ RET=1
+ else
+ # check MINOR
+ if [ "${MINOR}" -gt "${MIN_MINOR}" ] ; then
+ RET=0
+ elif [ "${MINOR}" -lt "${MIN_MINOR}" ] ; then
+ RET=1
+ else
+ # check FIX
+ RET=$( [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ] )
+ fi
+ fi
+ fi
+
+ if [ -n "${DEBUG}" ] ; then
+ if [ "${RET}" -eq 0 ] ; then
+ debuglog ' true'
+ else
+ debuglog ' false'
+ fi
+ fi
+
+ return "${RET}"
+
+}
+
################################################################################
# prepends critical messages to list of all messages
# Params
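Review bot: The minimum-version parse in openssl_version uses `grep -q '[:alpha:]'`, a bracket expression that matches only the characters `:`, `a`, `l`, `p` and `h`, whereas the current-version branch below it uses `'[[:alpha:]]'`; for a minimum such as `1.0.2k` the fix letter is never split off, `MIN_MINOR` stays `2k`, and the later `[ "${MINOR}" -gt "${MIN_MINOR}" ]` fails with a non-integer operand (the `'1.1.0'` call in this commit happens not to hit it) — the line should read `if echo "${MIN_MINOR}" | grep -q '[[:alpha:]]' ; then`. The final comparison `RET=$( [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ] )` captures the empty stdout of `[` rather than its exit status, so whenever the three numeric parts are equal RET is empty and `return "${RET}"` is not a number; write it as `if [ "${FIX_NUM}" -ge "${MIN_FIX_NUM}" ] ; then RET=0 ; else RET=1 ; fi`. MIN_FIX and FIX are globals that are never cleared, so a second call with a letter-less version inherits the fix letter of the previous call; initialise both to empty at the top of the function. Because a bad parse only makes the integer tests fail, the caller sees "false" and quietly skips the feature that depends on it, so none of these errors surfaces in normal output.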
@@ -528,9 +604,9 @@ exec_with_timeout() {
if [ -n "$3" ] ; then
ERRFILE=$3
fi
-
+
start_time=$( date +%s )
-
+
debuglog "executing with timeout (${time}s): $1"
if [ -n "${TIMEOUT_BIN}" ] ; then
@@ -550,6 +626,7 @@ exec_with_timeout() {
# because of the execution in the backgroud we get a 137 for a timeout
if [ "${RET}" -eq 137 ] || [ "${RET}" -eq 124 ] ; then
prepend_critical_message "Timeout after ${time} seconds"
+ critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"
elif [ "${RET}" -eq 125 ] ; then
prepend_critical_message "execution of ${command} failed"
elif [ "${RET}" -eq 126 ] ; then
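Review bot: The added `critical "${SHORTNAME} CRITICAL: Timeout after ${time} seconds"` sits directly after `prepend_critical_message "Timeout after ${time} seconds"` with the same text; if `critical` terminates the plugin (its definition is not in the diff, but the `unknown` calls elsewhere in this file behave that way), the prepended message is never reported and the line before it is dead, and if it does not, the timeout is reported twice. Either drop the prepend or keep the prepend and the existing `return "${RET}"` path so the remaining checks still run and the timeout is reported once in the summary. Whichever is intended should be stated on the line, e.g. `# a timeout is fatal: report it and stop the check immediately`. exec_with_timeout starts and ends outside this hunk.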
@@ -560,7 +637,8 @@ exec_with_timeout() {
end_time=$( date +%s )
TIMEOUT=$(( TIMEOUT - end_time + start_time ))
-
+ if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
+
return "${RET}"
elif [ -n "${EXPECT}" ] ; then
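Review bot: The clamp `if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi` added after the remaining-budget calculation means that once the configured timeout is used up, every further external command still gets a one-second budget instead of failing, so a check that runs many commands can overrun `--timeout` by roughly one second per command; the same clamp is added in the next two hunks (the expect branch and the plain `eval` branch). If the intent is only to keep `timeout` from receiving a zero or negative duration, say so, e.g. `# never hand 'timeout' a non-positive duration; an exhausted budget is reported by the caller`, and consider detecting the exhausted budget once at the top of the function and routing it through the same 124/137 timeout branch so it is reported rather than stretched. The clamp is now duplicated three times; a small helper would keep the three branches from drifting apart. exec_with_timeout starts before this hunk.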
@@ -608,6 +686,7 @@ EOT
end_time=$( date +%s )
TIMEOUT=$(( TIMEOUT - end_time + start_time ))
+ if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
return "${RET}"
@@ -617,17 +696,18 @@ EOT
eval "${command}" > "${OUTFILE}" 2> "${ERRFILE}"
RET=$?
-
+
end_time=$( date +%s )
# we deduce the command duration from the total specified timeout
TIMEOUT=$(( TIMEOUT - end_time + start_time ))
+ if [ "${TIMEOUT}" -lt 1 ] ; then TIMEOUT=1; fi
return "${RET}"
fi
-
-
+
+
}
################################################################################
@@ -726,7 +806,7 @@ check_crl() {
# $1 cert
# $2 element number
check_ocsp() {
-
+
el_number=1
if [ -n "$2" ]; then
el_number=$2
@@ -775,7 +855,7 @@ check_ocsp() {
# shellcheck disable=SC2086,SC2016
ELEMENT_ISSUER_URIS="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep -F "CA Issuers" | grep -F -i "http" | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
-
+
if [ -z "${ELEMENT_ISSUER_URIS}" ] ; then
verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks on element ${el_number}"
return
@@ -797,7 +877,7 @@ check_ocsp() {
if [ -z "${ISSUER_CERT}" ] ; then
-
+
debuglog "OCSP: fetching issuer certificate ${ELEMENT_ISSUER_URI} to ${ISSUER_CERT_TMP}"
if [ -n "${CURL_USER_AGENT}" ] ; then
@@ -859,11 +939,11 @@ check_ocsp() {
debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
-
+
fi
if [ -n "${ISSUER_CERT_CACHE}" ] ; then
-
+
if [ ! -w "${ISSUER_CERT_CACHE}" ]; then
unknown "Issuer certificates cache ${ISSUER_CERT_CACHE} is not writeable!"
fi
@@ -885,9 +965,9 @@ check_ocsp() {
OCSP_URIS="$(${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT_ELEMENT}" -ocsp_uri -noout)"
debuglog "OSCP: URIs = ${OCSP_URIS}"
-
+
for OCSP_URI in ${OCSP_URIS} ; do
-
+
debuglog "OSCP: URI = ${OCSP_URI}"
OCSP_HOST="$(echo "${OCSP_URI}" | sed -e "s at .*//\\([^/]\\+\\)\\(/.*\\)\\?\$@\\1 at g" | sed 's/^http:\/\///' | sed 's/\/.*//' )"
@@ -1100,12 +1180,13 @@ check_cert_end_date() {
################################################################################
-# Converts SSL Labs grades to a numeric value
-# (see https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf)
+# Converts SSL Labs or nmap grades to a numeric value
+# (see https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf and
+# https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html)
# Params
# $1 program name
# Sets NUMERIC_SSL_LAB_GRADE
-convert_ssl_lab_grade() {
+convert_grade() {
GRADE="$1"
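Review bot: The rewritten header for convert_grade still documents its argument as `# $1 program name`, while the first line of the body reads it as the grade (`GRADE="$1"`); change the line to `# $1 grade: SSL Labs letter (A+ … T) or nmap cipher strength (strong|weak|unknown)`. It would also help to say in the same header that `NUMERIC_SSL_LAB_GRADE` is a global output and what happens on an unrecognised grade (the case's default arm, if any, is outside this hunk). The function body continues past the hunk.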
@@ -1117,7 +1198,7 @@ convert_ssl_lab_grade() {
NUMERIC_SSL_LAB_GRADE=85
shift
;;
- A|a)
+ A|a|strong|Strong)
NUMERIC_SSL_LAB_GRADE=80
shift
;;
@@ -1130,7 +1211,7 @@ convert_ssl_lab_grade() {
NUMERIC_SSL_LAB_GRADE=65
shift
;;
- C|c)
+ C|c|weak|Weak)
NUMERIC_SSL_LAB_GRADE=50
shift
;;
@@ -1146,7 +1227,7 @@ convert_ssl_lab_grade() {
NUMERIC_SSL_LAB_GRADE=0
shift
;;
- T|t)
+ T|t|unknown|Unknown)
# No trust: value not in documentation
NUMERIC_SSL_LAB_GRADE=0
shift
@@ -1270,7 +1351,7 @@ fetch_certificate() {
debuglog "executing ${OPENSSL} pkcs12 -in ${FILE} -out ${CERT} -nokeys"
"${OPENSSL}" pkcs12 -in "${FILE}" -out "${CERT}" -nokeys 2> "${PKCS12_ERROR}"
fi
-
+
if [ $? -eq 1 ] ; then
unknown "Error converting ${FILE}: $( head -n 1 "${PKCS12_ERROR}" ) "
fi
@@ -1279,18 +1360,18 @@ fetch_certificate() {
debuglog 'converting DER to PEM'
"${OPENSSL}" x509 -inform der -in "${FILE}" -out "${CERT}"
-
+
else
-
+
debuglog "Copying the certificate to ${CERT}"
/bin/cat "${FILE}" > "${CERT}"
RET=$?
fi
-
+
debuglog "storing the certificate to ${CERT}"
debuglog "certificate type (2): $(${FILE_BIN} "${CERT}" | sed 's/.*://' )"
-
+
else
unknown "Error: option 'file' works with -H localhost only"
fi
@@ -1488,10 +1569,10 @@ main() {
while true; do
case "$1" in
-
+
########################################
# Options without arguments
-
+
-A|--noauth)
NOAUTH=1
shift
@@ -2201,12 +2282,12 @@ main() {
fi
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
- convert_ssl_lab_grade "${SSL_LAB_CRIT_ASSESSMENT}"
+ convert_grade "${SSL_LAB_CRIT_ASSESSMENT}"
SSL_LAB_CRIT_ASSESSMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
fi
if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
- convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
+ convert_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
@@ -2214,7 +2295,7 @@ main() {
fi
if [ -n "${CHECK_CIPHERS}" ] ; then
- convert_ssl_lab_grade "${CHECK_CIPHERS}"
+ convert_grade "${CHECK_CIPHERS}"
CHECK_CIPHERS_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
fi
@@ -2291,7 +2372,7 @@ main() {
# nmap
if [ -z "${NMAP_BIN}" ] ; then
-
+
if [ -n "${DISALLOWED_PROTOCOLS}" ] || [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ] ; then
if [ -n "${DISALLOWED_PROTOCOLS}" ] ; then debuglog "nmap binary needed. DISALLOWED_PROTOCOLS = ${DISALLOWED_PROTOCOLS}" ; fi
@@ -2306,11 +2387,11 @@ main() {
else
debuglog "nmap binary not needed. No disallowed protocols"
fi
-
+
else
# we check if the provided binary actually works
check_required_prog "${NMAP_BIN}"
-
+
fi
# Expect (optional)
@@ -2394,8 +2475,10 @@ main() {
if [ -n "${DEBUG}" ] ; then
debuglog "check_ssl_cert version: ${VERSION}"
debuglog "OpenSSL binary: ${OPENSSL}"
- debuglog "OpenSSL version: $( ${OPENSSL} version )"
-
+ if [ -n "${DEBUG}" ] ; then
+ debuglog "OpenSSL info:"
+ ${OPENSSL} version -a | sed 's/^/[DBG]/'
+ fi
OPENSSL_DIR="$( ${OPENSSL} version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/' )"
debuglog "OpenSSL configuration directory: ${OPENSSL_DIR}"
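Review bot: The new `if [ -n "${DEBUG}" ]` is nested inside the existing `if [ -n "${DEBUG}" ]` three lines above, so it is always true and can be dropped. More importantly, `${OPENSSL} version -a | sed 's/^/[DBG]/'` writes straight to the plugin's stdout instead of going through `debuglog` like every other debug line here; if `debuglog` writes to stderr (its definition is not in the diff), these `[DBG]` lines would land in the output the monitoring system parses. The nmap debug block later in this commit already shows the pattern to reuse: `${OPENSSL} version -a | while IFS= read -r LINE ; do debuglog "${LINE}" ; done`. main() starts and ends outside this hunk.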
@@ -2734,7 +2817,7 @@ main() {
trap_with_arg cleanup ${SIGNALS}
fetch_certificate
-
+
if ascii_grep 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
if [ -n "${SERVERNAME}" ] ; then
@@ -2756,11 +2839,11 @@ main() {
# check for TLS renegotiation
if [ -z "${IGNORE_TLS_RENEGOTIATION}" ] ; then
-
+
verboselog "Checking TLS renegotiation"
# see https://www.mcafee.com/blogs/enterprise/tips-securing-ssl-renegotiation/
-
+
exec_with_timeout "printf 'R\\n' | openssl s_client -connect ${HOST}:${PORT} 2>&1 | grep -F -q err"
RET=$?
@@ -2769,10 +2852,10 @@ main() {
if ascii_grep '^Secure\ Renegotiation\ IS\ NOT' "${CERT}" && ! ascii_grep 'TLSv1.3' "${CERT}" ; then
prepend_critical_message 'TLS renegotiation is supported but not secure'
fi
-
+
fi
- fi
+ fi
if ascii_grep "BEGIN X509 CRL" "${CERT}" ; then
# we are dealing with a CRL file
@@ -3274,15 +3357,26 @@ main() {
exec_with_timeout "nmap -sV --script ssl-enum-ciphers ${HOST} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
+ if [ -n "${DEBUG}" ] ; then
+ debuglog 'nmap output:'
+ while read -r LINE; do
+ debuglog "${LINE}"
+ done < "${NMAP_OUT}"
+ debuglog 'nmap errors:'
+ while read -r LINE; do
+ debuglog "${LINE}"
+ done < "${NMAP_ERR}"
+ fi
+
if [ -s "${NMAP_ERR}" ] ; then
NMAP_ERROR=$( head -n 1 "${NMAP_ERR}" )
unknown "nmap exited with error: ${NMAP_ERROR}"
fi
-
+
if [ -n "${CHECK_CIPHERS}" ] ; then
-
+
NMAP_GRADE=$( grep -F 'least strength' "${NMAP_OUT}" | sed 's/.*\ //' )
- convert_ssl_lab_grade "${NMAP_GRADE}"
+ convert_grade "${NMAP_GRADE}"
NMAP_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
verboselog "nmap cipher grade ${NMAP_GRADE}: ${NMAP_GRADE_NUMERIC}"
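Review bot: The two debug loops `while read -r LINE; do debuglog "${LINE}"; done < "${NMAP_OUT}"` strip leading whitespace from each line, which flattens nmap's indented cipher tree, and skip a final line that lacks a trailing newline; use `while IFS= read -r LINE || [ -n "${LINE}" ]; do` in both. This is only diagnostic output, so it is a style point, but the warnings parser further down already reads the same file with `while IFS= read -r line`, and matching it avoids two different readers of `${NMAP_OUT}`. main() starts and ends outside this hunk.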
@@ -3297,11 +3391,11 @@ main() {
if [ -n "${CHECK_CIPHERS_WARNINGS}" ] ; then
if grep -F -q 'warnings:' "${NMAP_OUT}" ; then
-
+
PARSING_WARNINGS=
WARNINGS=
while IFS= read -r line; do
-
+
if echo "${line}" | grep -q -F 'warnings:' ; then
PARSING_WARNINGS=1
elif echo "${line}" | grep -q -F ':' ; then
@@ -3315,18 +3409,18 @@ main() {
WARNINGS="${WARNING}"
fi
fi
-
+
done < "${NMAP_OUT}"
WARNINGS=$( echo "${WARNINGS}" | sort | uniq | tr '\n' ',' | sed 's/,/,\ /g' | sed 's/,\ $//' )
prepend_critical_message "${HOST} offers ciphers with warning: ${WARNINGS}"
-
+
fi
-
+
fi
-
+
fi
-
+
################################################################################
# Check SSL Labs
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
@@ -3395,7 +3489,7 @@ main() {
verboselog "SSL Labs grade: ${SSL_LABS_HOST_GRADE}"
- convert_ssl_lab_grade "${SSL_LABS_HOST_GRADE}"
+ convert_grade "${SSL_LABS_HOST_GRADE}"
SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"
@@ -3451,7 +3545,7 @@ main() {
if [ -n "${ORGANIZATION}" ] ; then
debuglog "Checking organization ${ORGANIZATION}"
-
+
ORG=$(${OPENSSL} x509 -in "${CERT}" -subject -noout | sed -e "s/.*\\/O=//" -e "s/\\/.*//")
if ! echo "${ORG}" | grep -q -E "^${ORGANIZATION}" ; then
@@ -3517,17 +3611,17 @@ main() {
##############################################################################
# Check for Signed Certificate Timestamps (SCT)
if [ -z "${SELFSIGNED}" ] ; then
-
- debuglog 'Checking Signed Certificate Timestamps (SCTs)'
-
+
# check if OpenSSL supoort SCTs
- if env GZIP=-q man verify | grep -F -q SCT ; then
-
+ if openssl_version '1.1.0' ; then
+
+ debuglog 'Checking Signed Certificate Timestamps (SCTs)'
+
if [ -n "${SCT}" ] && ! "${OPENSSL}" x509 -in "${CERT}" -text -noout | grep -F -q 'SCTs' ; then
prepend_critical_message "Cannot find Signed Certificate Timestamps (SCT)"
fi
- else
+ else
verboselog 'Skipping SCTs check as not supported by OpenSSL'
fi
fi
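Review bot: Gating the SCT check on `openssl_version '1.1.0'` turns any failure of that function into `verboselog 'Skipping SCTs check as not supported by OpenSSL'`: a `version` string that its `sed` does not recognise (it only strips a leading `OpenSSL `) makes the integer tests fail and the function return non-zero, so a user who asked for `--sct` gets an OK result with the check silently skipped. When `${SCT}` is set and the version test is false, report UNKNOWN instead, e.g. `if [ -n "${SCT}" ] ; then unknown 'SCT check requested but OpenSSL 1.1.0 or later is required' ; fi` placed before the verboselog, so an unparsable OpenSSL build or a misconfigured host cannot pass unnoticed. The `if [ -z "${SELFSIGNED}" ]` block opens and closes within this hunk; main() continues past it.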
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "March, 2021" "1.143.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "March, 2021" "1.144.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.144.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 1.143.0
+%define version 1.144.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Sun Mar 14 2021 Matteo Corti <matteo at corti.li> - 1.144.0-0
+- Updated to 1.144.0
+
* Fri Mar 12 2021 Matteo Corti <matteo at corti.li> - 1.143.0-0
- Updated to 1.143.0
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/._cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/._cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12
=====================================
Binary files /dev/null and b/check_ssl_cert/check_ssl_cert_1.144.0/test/._client.p12 differ
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/._der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/._der.cer
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_empty_subject.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/client.p12 → check_ssl_cert/check_ssl_cert_1.144.0/test/client.p12
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/der.cer → check_ssl_cert/check_ssl_cert_1.144.0/test/der.cer
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/localhost.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/localhost.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/no-sct.badssl.com.crt → check_ssl_cert/check_ssl_cert_1.144.0/test/no-sct.badssl.com.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_1.143.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.144.0/test/unit_tests.sh
=====================================
@@ -178,7 +178,7 @@ testWildcardAltNames2() {
--cn otherhost.sPaPPs.ethz.ch \
--cn spapps.ethz.ch \
--altnames \
-
+
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
@@ -502,7 +502,7 @@ testIPv6() {
if ifconfig -a | grep -q inet6 ; then
if ping -6 www.google.com > /dev/null 2>&1 ; then
-
+
${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -6
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -682,17 +682,25 @@ testSCT() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
fi
}
-
+
testCiphersOK() {
- ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --check-ciphers A --check-ciphers-warnings
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ if [ -z "${TRAVIS+x}" ] ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.wikipedia.org --check-ciphers A --check-ciphers-warnings
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+ else
+ echo "Skipping nmap cipher warnings tests as nmap is too old"
+ fi
}
testCiphersError() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --check-ciphers A --check-ciphers-warnings
- EXIT_CODE=$?
- assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ if [ -z "${TRAVIS+x}" ] ; then
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --check-ciphers A --check-ciphers-warnings
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+ else
+ echo "Skipping nmap cipher warnings tests as nmap is too old"
+ fi
}
# SSL Labs (last one as it usually takes a lot of time
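Review bot: The skip message `"Skipping nmap cipher warnings tests as nmap is too old"` in testCiphersOK and testCiphersError does not match the condition, which only tests whether `TRAVIS` is set, so a reader cannot tell why the tests are skipped when that variable happens to be exported locally; say what is actually checked, e.g. `echo "Skipping nmap cipher warnings tests on Travis (its nmap is too old)"`, or test the nmap version directly. Both tests now assert the cipher grade of a third-party host (`www.wikipedia.org` expected OK, `ethz.ch` expected CRITICAL), so they will flip as soon as either site changes its TLS configuration; a comment on each stating that dependency would at least make a later failure easy to diagnose.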
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 1.143.0
+Version: 1.144.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_1.143.0
\ No newline at end of file
+check_ssl_cert_1.144.0
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/commit/a21a9b7d34f67e8df4eb1c76b9695527228f5c8d