[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] 3 commits: check_ssl_cert: Update to 2.2.0
Jan Wagner (@waja)
gitlab at salsa.debian.org
Tue May 11 20:37:38 BST 2021
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
34891c59 by Jan Wagner at 2021-05-11T21:31:51+02:00
check_ssl_cert: Update to 2.2.0
- - - - -
1eaadbaf by Jan Wagner at 2021-05-11T21:32:12+02:00
Auto update of debian/control
- - - - -
1b7ec4b1 by Jan Wagner at 2021-05-11T21:34:44+02:00
Merge branch 'development'
- - - - -
23 changed files:
- − check_ssl_cert/check_ssl_cert_2.0.1/VERSION
- check_ssl_cert/check_ssl_cert_2.0.1/AUTHORS → check_ssl_cert/check_ssl_cert_2.2.0/AUTHORS
- check_ssl_cert/check_ssl_cert_2.0.1/COPYING → check_ssl_cert/check_ssl_cert_2.2.0/COPYING
- check_ssl_cert/check_ssl_cert_2.0.1/COPYRIGHT → check_ssl_cert/check_ssl_cert_2.2.0/COPYRIGHT
- check_ssl_cert/check_ssl_cert_2.0.1/ChangeLog → check_ssl_cert/check_ssl_cert_2.2.0/ChangeLog
- check_ssl_cert/check_ssl_cert_2.0.1/INSTALL → check_ssl_cert/check_ssl_cert_2.2.0/INSTALL
- check_ssl_cert/check_ssl_cert_2.0.1/Makefile → check_ssl_cert/check_ssl_cert_2.2.0/Makefile
- check_ssl_cert/check_ssl_cert_2.0.1/NEWS → check_ssl_cert/check_ssl_cert_2.2.0/NEWS
- check_ssl_cert/check_ssl_cert_2.0.1/README.md → check_ssl_cert/check_ssl_cert_2.2.0/README.md
- + check_ssl_cert/check_ssl_cert_2.2.0/VERSION
- check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert.spec
- check_ssl_cert/check_ssl_cert_2.0.1/test/cabundle.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cabundle.crt
- check_ssl_cert/check_ssl_cert_2.0.1/test/cacert.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cacert.crt
- check_ssl_cert/check_ssl_cert_2.0.1/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cert_with_empty_subject.crt
- check_ssl_cert/check_ssl_cert_2.0.1/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cert_with_subject_without_cn.crt
- check_ssl_cert/check_ssl_cert_2.0.1/test/client.p12 → check_ssl_cert/check_ssl_cert_2.2.0/test/client.p12
- check_ssl_cert/check_ssl_cert_2.0.1/test/der.cer → check_ssl_cert/check_ssl_cert_2.2.0/test/der.cer
- check_ssl_cert/check_ssl_cert_2.0.1/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_2.2.0/test/unit_tests.sh
- check_ssl_cert/control
- check_ssl_cert/src
- debian/control
Changes:
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/VERSION deleted
=====================================
@@ -1 +0,0 @@
-2.0.1
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/AUTHORS → check_ssl_cert/check_ssl_cert_2.2.0/AUTHORS
=====================================
@@ -112,3 +112,6 @@ Thanks:
* Many thanks to Christoph Moench-Tegeder (https://github.com/moench-tegeder) for the OpenSSL version patch
* Many thanks to waja (https://github.com/waja) for the GitHub workflows
* Many thanks to Tobias Grünewald (https://github.com/tobias-gruenewald) for the client certificate
+* Many thanks to chornberger-c2c (https://github.com/chornberger-c2c) for the critical and warning output fix
+* Many thanks to Claus-Theodor Riegg (https://github.com/ctriegg-mak) for the domain with underscores fix
+* Many thanks to Ed Sabol (https://github.com/esabol) for the FQDN patch
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/COPYING → check_ssl_cert/check_ssl_cert_2.2.0/COPYING
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/COPYRIGHT → check_ssl_cert/check_ssl_cert_2.2.0/COPYRIGHT
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/ChangeLog → check_ssl_cert/check_ssl_cert_2.2.0/ChangeLog
=====================================
@@ -1,3 +1,39 @@
+2021-05-07 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_ocsp): Do not store the debugging copy of the certificate in the $TMPDIR
+
+2021-05-06 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Fixed an error in the parameter validation
+
+2021-05-05 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): do not wait if SSL Labs is giving an error
+
+2021-04-30 Matteo Corti <matteo at corti.li>
+
+ * Makefile: avoid putting extended attribute files in the archives
+
+2021-04-29 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): Do not remove parenthesis from URI
+
+2021-04-29 Claus-Theodor Riegg (https://github.com/ctriegg-mak)
+
+ * check_ssl_cert: match underscores in subdomains when matching name to wildcard certs
+
+2021-04-28 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_attr): adds and option to remove performance data
+
+2021-04-23 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (fetch_certificate): Better handling of timeouts
+
+2021-04-12 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (critical): Fixed the output when the CN is not available
+
2021-04-07 Matteo Corti <matteo at corti.li>
* check_ssl_cert (main): adding -starttls to the renegotiation check if needed
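Review bot: two typos in the new entries: "adds and option to remove performance data" (2021-04-28) should read "adds an option", and "Do not remove parenthesis from URI" (2021-04-29) should read "parentheses".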
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/INSTALL → check_ssl_cert/check_ssl_cert_2.2.0/INSTALL
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/Makefile → check_ssl_cert/check_ssl_cert_2.2.0/Makefile
=====================================
@@ -4,14 +4,16 @@ DIST_DIR=$(PLUGIN)-$(VERSION)
DIST_FILES=AUTHORS COPYING ChangeLog INSTALL Makefile NEWS README.md VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT ${PLUGIN}.1 test
YEAR=`date +"%Y"`
MONTH_YEAR=`date +"%B, %Y"`
-FORMATTED_FILES=test/unit_tests.sh AUTHORS COPYING ChangeLog INSTALL Makefile NEWS README.md VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT ${PLUGIN}.1 .github/workflows/* doc_check.sh
+FORMATTED_FILES=test/unit_tests.sh AUTHORS COPYING ChangeLog INSTALL Makefile NEWS README.md VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT ${PLUGIN}.1 .github/workflows/*
dist: version_check formatting_check copyright_check shellcheck
rm -rf $(DIST_DIR) $(DIST_DIR).tar.gz
mkdir $(DIST_DIR)
cp -r $(DIST_FILES) $(DIST_DIR)
- tar cfz $(DIST_DIR).tar.gz $(DIST_DIR)
- tar cfj $(DIST_DIR).tar.bz2 $(DIST_DIR)
+# avoid to include extended attribute data files
+# see https://superuser.com/questions/259703/get-mac-tar-to-stop-putting-filenames-in-tar-archives
+ env COPYFILE_DISABLE=1 tar cfz $(DIST_DIR).tar.gz $(DIST_DIR)
+ env COPYFILE_DISABLE=1 tar cfj $(DIST_DIR).tar.bz2 $(DIST_DIR)
install:
mkdir -p $(DESTDIR)
@@ -34,9 +36,6 @@ formatting_check:
! grep -q '\\t' check_ssl_cert test/unit_tests.sh
! grep -q '[[:blank:]]$$' $(FORMATTED_FILES)
-doc_check:
- ./doc_check.sh
-
remove_blanks:
sed -i '' 's/[[:blank:]]*$$//' $(FORMATTED_FILES)
@@ -58,11 +57,11 @@ shellcheck:
ifndef SHELLCHECK
echo "No shellcheck installed: skipping test"
else
- if shellcheck --help 2>&1 | grep -q -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh prepare_rpm.sh publish_release.sh ; else shellcheck check_ssl_cert test/unit_tests.sh prepare_rpm.sh publish_release.sh doc_check.sh ; fi
+ if shellcheck --help 2>&1 | grep -q -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh prepare_rpm.sh publish_release.sh ; else shellcheck check_ssl_cert test/unit_tests.sh prepare_rpm.sh publish_release.sh ; fi
endif
copyright_check:
- grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
+ grep -q "© Matteo Corti, 2007-$(YEAR)" README.md
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti <matteo at corti.li>" $(PLUGIN)
echo "Copyright year check: OK"
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/NEWS → check_ssl_cert/check_ssl_cert_2.2.0/NEWS
=====================================
@@ -1,3 +1,11 @@
+2021-05-07 Version 2.2.0: Bug fix: --debug does not store any information in $TMPDIR anymore
+ To locally store the retrieved certificates in debug mode the option --debug-cert has to be specified
+2021-05-06 Version 2.1.4: Bug fix in the handling of Qualy's SSL Lab command line options
+2021-05-05 Version 2.1.3: Bug fix in the Qualy's SSL Lab check of non-reachable machines
+2021-04-30 Version 2.1.2: Add domain if FQDN is missing
+2021-04-29 Version 2.1.1: Correct handling of subdomains with underscores
+2021-04-25 Version 2.1.0: Added an option to hide performance data
+ Fixed a bug in the critical and warning output when the CN is not available
2021-04-07 Version 2.0.1: Fixed a bug in renegotiation checks with STARTTLS
2021-03-29 Version 2.0.0: Fixed the documentation of various options
The host name must now always match with the certificate
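Review bot: "Qualy's SSL Lab" in the 2.1.3 and 2.1.4 entries should read "Qualys SSL Labs". The 2.2.0 entry says what --debug no longer does but not where --debug-cert writes the files; since usage() documents them as going to the current directory, say so here too, as that is the behaviour an operator will notice.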
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/README.md → check_ssl_cert/check_ssl_cert_2.2.0/README.md
=====================================
@@ -1,10 +1,10 @@
- (c) Matteo Corti, ETH Zurich, 2007-2012
+ © Matteo Corti, ETH Zurich, 2007-2012
- (c) Matteo Corti, 2007-2021
+ © Matteo Corti, 2007-2021
see AUTHORS for the complete list of contributors
-# check_ssl_cert
+# check\_ssl\_cert
A shell script (that can be used as a Nagios plugin) to check an SSL/TLS connection
@@ -41,6 +41,7 @@ Options:
--dane 311 verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists
--date path path of the date binary to be used
-d,--debug produces debugging output (can be specified more than once)
+ --debug-cert stores the retrieved certificates in the current directory
--dig-bin path path of the dig binary to be used
--ecdsa signature algorithm selection: force ECDSA certificate
--element number checks N cert element from the begining of the chain
@@ -86,6 +87,7 @@ Options:
-n,--cn name pattern to match the CN of the certificate (can be
specified multiple times)
--nmap-bin path path of the nmap binary to be used
+ --no-perf do not show performance data
--no-proxy ignores the http_proxy and https_proxy environment variables
--no_ssl2 disable SSL version 2
--no_ssl3 disable SSL version 3
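Review bot: the README options block still lists `--no_ssl2` and `--no_ssl3` with underscores, while usage() in the script prints `--no-ssl2` and `--no-ssl3`; since this block is meant to mirror usage(), align the spelling (and fix "begining" in the `--element` line, which appears in both files).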
@@ -165,15 +167,15 @@ Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
## Expect & timeout
-check_ssl_cert requires 'expect' or 'timeout' to enable timeouts. If 'expect' or 'timeout' is not
+check\_ssl\_cert requires 'expect' or 'timeout' to enable timeouts. If 'expect' or 'timeout' is not
present on your system timeouts will be disabled.
-See: http://en.wikipedia.org/wiki/Expect and https://man7.org/linux/man-pages/man1/timeout.1.html
+See: [http://en.wikipedia.org/wiki/Expect](http://en.wikipedia.org/wiki/Expect) and [https://man7.org/linux/man-pages/man1/timeout.1.html](https://man7.org/linux/man-pages/man1/timeout.1.html)
## Virtual servers
-check_ssl_cert supports the servername TLS extension in ClientHello
+check\_ssl\_cert supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
@@ -218,4 +220,4 @@ and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
The timeout is applied to each action involving a download.
-Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
+Report bugs to [https://github.com/matteocorti/check_ssl_cert/issues](https://github.com/matteocorti/check_ssl_cert/issues)
=====================================
check_ssl_cert/check_ssl_cert_2.2.0/VERSION
=====================================
@@ -0,0 +1 @@
+2.2.0
\ No newline at end of file
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert
=====================================
@@ -19,7 +19,7 @@
################################################################################
# Constants
-VERSION=2.0.1
+VERSION=2.2.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -86,6 +86,7 @@ usage() {
echo " --dane 311 verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists"
echo " --date path path of the date binary to be used"
echo " -d,--debug produces debugging output (can be specified more than once)"
+ echo " --debug-cert stores the retrieved certificates in the current directory"
echo " --dig-bin path path of the dig binary to be used"
echo " --ecdsa signature algorithm selection: force ECDSA certificate"
echo " --element number checks N cert element from the begining of the chain"
@@ -131,6 +132,7 @@ usage() {
echo " -n,--cn name pattern to match the CN of the certificate (can be"
echo " specified multiple times)"
echo " --nmap-bin path path of the nmap binary to be used"
+ echo " --no-perf do not show performance data"
echo " --no-proxy ignores the http_proxy and https_proxy environment variables"
echo " --no-ssl2 disable SSL version 2"
echo " --no-ssl3 disable SSL version 3"
@@ -455,7 +457,11 @@ prepend_critical_message() {
debuglog "prepend_critical_message: ALL_MSG 1 = ${ALL_MSG}"
if [ -n "${CN}" ] ; then
- tmp=" ${CN}"
+ if echo "${CN}" | grep -q -F 'unavailable' ; then
+ tmp=" ${SUBJECT_ALTERNATIVE_NAME}"
+ else
+ tmp=" ${CN}"
+ fi
else
if [ -n "${HOST_NAME}" ] ; then
if [ -n "${SNI}" ] ; then
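Review bot: `grep -q -F 'unavailable'` is a substring match over the whole CN, so a legitimate common name that merely contains the word "unavailable" would also be replaced by the SAN list in the critical message; compare against the exact placeholder value the script assigns when no CN is present (`[ "${CN}" = '<placeholder>' ]`) instead. The identical block is added to append_warning_message below, so a small helper that picks the display name would keep the two in sync.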
@@ -525,7 +531,11 @@ append_warning_message() {
debuglog "prepend_warning_message: ALL_MSG 1 = ${ALL_MSG}"
if [ -n "${CN}" ] ; then
- tmp=" ${CN}"
+ if echo "${CN}" | grep -q -F 'unavailable' ; then
+ tmp=" ${SUBJECT_ALTERNATIVE_NAME}"
+ else
+ tmp=" ${CN}"
+ fi
else
if [ -n "${HOST_NAME}" ] ; then
if [ -n "${SNI}" ] ; then
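Review bot: the debuglog at the top of this hunk is still labelled `prepend_warning_message` although the function is append_warning_message; fix the label. The CN/SAN selection is now a verbatim copy of the one in prepend_critical_message, which is the kind of duplication that drifts apart on the next fix, so factor it into one function.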
@@ -899,7 +909,7 @@ check_ocsp() {
fi
# shellcheck disable=SC2086,SC2016
- ELEMENT_ISSUER_URIS="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep -F "CA Issuers" | grep -F -i "http" | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
+ ELEMENT_ISSUER_URIS="$( ${OPENSSL} "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -text -noout -in ${CERT_ELEMENT} | grep -F "CA Issuers" | grep -F -i "http" | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;${}<>`&')"
if [ -z "${ELEMENT_ISSUER_URIS}" ] ; then
verboselog "cannot find the CA Issuers in the certificate: disabling OCSP checks on element ${el_number}"
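Review bot: removing `(` and `)` from the `tr -d` set means parentheses now survive in ELEMENT_ISSUER_URIS, which is taken straight from the certificate under test. The remaining set is still a denylist of shell metacharacters, so whatever later consumes the URI is protected only by the characters someone remembered to list; an allowlist (`tr -cd 'A-Za-z0-9:/._~%?#&=+-'` or similar) constrains the value by construction and does not need revisiting each time a legitimate character turns up.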
@@ -973,15 +983,15 @@ check_ocsp() {
debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )"
- if [ "${DEBUG}" -ge 1 ] ; then
+ if [ -n "${DEBUG_CERT}" ] ; then
# remove trailing /
FILE_NAME=${ELEMENT_ISSUER_URI%/}
# remove everything up to the last slash
- FILE_NAME="${TMPDIR}/${FILE_NAME##*/}"
+ FILE_NAME="${FILE_NAME##*/}"
- debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME}"
+ debuglog "OCSP: storing a copy of the retrieved issuer certificate to ${FILE_NAME} for debugging purposes"
cp "${ISSUER_CERT_TMP}" "${FILE_NAME}"
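Review bot: FILE_NAME is now the bare basename of the CA Issuers URI written into the current directory, so the file name is chosen by the certificate being checked. `${FILE_NAME##*/}` does strip directory components, but the result can be empty (a URI ending in `//`, since `%/` removes only one slash) and it can collide with an existing file in the working directory, which `cp` silently overwrites. Guard with `[ -n "${FILE_NAME}" ]` and prefix the name (for instance with `${HOST_NAME}-issuer-`), the way fetch_certificate already names its `${HOST_NAME}.crt` copy.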
@@ -1433,16 +1443,18 @@ fetch_certificate() {
fi
- if [ "${DEBUG}" -ge 1 ] ; then
- debuglog "storing a copy of the retrieved certificate in ${HOST_NAME}.crt"
+ if [ -n "${DEBUG_CERT}" ] ; then
+
+ debuglog "storing a copy of the retrieved certificate in ${HOST_NAME}.crt for debugging purposes"
cp "${CERT}" "${HOST_NAME}.crt"
- debuglog "storing a copy of the OpenSSL errors in ${HOST_NAME}.error"
+ debuglog "storing a copy of the OpenSSL errors in ${HOST_NAME}.error for debugging purposes"
cp "${ERROR}" "${HOST_NAME}.error"
- debuglog "Return value of the command = ${RET}"
fi
+ debuglog "Return value of the command = ${RET}"
+
if [ "${RET}" -ne 0 ] ; then
debuglog "$(sed 's/^/SSL error: /' "${ERROR}")"
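Review bot: moving `debuglog "Return value of the command = ${RET}"` out of the branch is right, since the return value should be logged whenever debugging is on and not only with --debug-cert; the empty line added directly after `if [ -n "${DEBUG_CERT}" ] ; then` and the one after the moved debuglog do not match the surrounding style and can go.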
@@ -1459,7 +1471,6 @@ fetch_certificate() {
prepend_critical_message "${ERROR}"
critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"
-
elif ascii_grep 'Connection\ refused' "${ERROR}" ; then
ERROR='Connection refused'
@@ -1484,6 +1495,12 @@ fetch_certificate() {
prepend_critical_message 'No TLS connection possible'
+ elif ascii_grep 'Operation\ timed\ out' "${ERROR}" ; then
+
+ ERROR='OpenSSL timed out'
+ prepend_critical_message "${ERROR}"
+ critical "SSL_CERT CRITICAL ${HOST_NAME}: ${ERROR}"
+
elif ascii_grep 'write:errno=54' "${ERROR}" ; then
ERROR='No certificate returned (SNI reqired?)'
@@ -1613,6 +1630,10 @@ parse_command_line_options() {
DEBUG=$(( DEBUG + 1 ))
shift
;;
+ --debug-cert)
+ DEBUG_CERT=1
+ shift
+ ;;
-h|--help|-\?)
usage
;;
@@ -1657,6 +1678,10 @@ parse_command_line_options() {
IGNORE_TLS_RENEGOTIATION='1'
shift
;;
+ --no-perf)
+ NO_PERF=1
+ shift
+ ;;
--no-proxy)
NO_PROXY=1
shift
@@ -2258,6 +2283,18 @@ main() {
usage "No host specified"
fi
+ # we need the FQDN of an host to check the CN
+ if ! echo "${HOST}" | grep -q '[.]' && [ -z "${FILE}" ] && [ "${HOST}" != 'localhost' ] ; then
+ debuglog "Domain for ${HOST} missing"
+ DOMAIN=$( nslookup "${HOST}" | grep ^Name: | head -n 1 | cut -d. -f2- )
+ if [ -z "${DOMAIN}" ] ; then
+ unknown "Cannot resolve ${HOST}"
+ fi
+ debuglog "Adding domain ${DOMAIN} to ${HOST}"
+ HOST="${HOST}.${DOMAIN}"
+ debuglog "New host: ${HOST}"
+ fi
+
################################################################################
# Ususally SERVERADDR and SERVERNAME both contain the fully qualified domain name
# (FQDN) or IP address of the host to check
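Review bot: the FQDN completion triggers for any HOST without a dot, which includes IPv6 literals such as `::1` or `2001:db8::1`; those would be handed to nslookup and either rejected with "Cannot resolve" or have a domain appended. Skip the branch for hosts containing `:` (and for IP addresses in general). nslookup is also invoked directly with no availability check or `--*-bin` override, unlike dig and nmap elsewhere in the script, and for a name that resolves via a CNAME its `Name:` line reports the canonical target, so the domain appended may not be the caller's search domain; logging the final HOST at verbose rather than debug level would make that visible to operators.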
@@ -2450,8 +2487,10 @@ main() {
if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
convert_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
- if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
- unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
+ if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
+ if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
+ unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
+ fi
fi
fi
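Review bot: the added guard is correct, since the previous code compared against an empty SSL_LAB_CRIT_ASSESSMENT_NUMERIC when only --check-ssl-labs-warn was given and `[ ... -lt '' ]` fails; while touching these lines, the variables are spelled `ASSESTMENT` on the warn side and `ASSESSMENT` on the crit side, which is worth unifying.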
@@ -3301,9 +3340,9 @@ main() {
if echo "${CN}" | grep -q -i "^\\*\\." ; then
# Or the literal with the wildcard
- debuglog "checking if the common name matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"
- if echo "${COMMON_NAME}" | grep -q -i "^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$" ; then
- debuglog "the common name ${COMMON_NAME} matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"
+ debuglog "checking if the common name matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$"
+ if echo "${COMMON_NAME}" | grep -q -i "^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$" ; then
+ debuglog "the common name ${COMMON_NAME} matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$"
ok="true"
fi
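Review bot: the same sed pipeline is evaluated three times per iteration (twice for debuglog, once for the grep); compute the pattern once into a variable. Inside a POSIX bracket expression the backslash is a literal, so `[A-Za-z0-9_\-]` also admits `\`; writing the hyphen last (`[A-Za-z0-9_-]`) gives exactly the intended set. The class still excludes `.`, so a wildcard continues to match a single label as RFC 6125 requires; adding `_` only widens the label alphabet.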
@@ -3350,10 +3389,10 @@ main() {
fi
# Or the literal with the wildcard
- debuglog "checking if the common name matches ^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"
+ debuglog "checking if the common name matches ^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$"
- if echo "${cn}" | grep -q -i "^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$" ; then
- debuglog "the common name ${cn} matches ^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"
+ if echo "${cn}" | grep -q -i "^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$" ; then
+ debuglog "the common name ${cn} matches ^$(echo "${alt_name}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9_\-]*/' )\$"
ok="true"
fi
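Review bot: the remarks on the CN branch apply here as well (pattern built three times, `\-` admitting a literal backslash); a single helper that turns a wildcard name into the grep pattern would fix both places and guarantee they cannot diverge again.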
@@ -3660,6 +3699,7 @@ main() {
SSL_LABS_STATUS_MESSAGE=$(echo "${JSON}" \
| sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/')
prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
+ break
else
@@ -3876,10 +3916,13 @@ main() {
fi
fi
- if [ -n "${TERSE}" ]; then
- EXTRA_OUTPUT="${PERFORMANCE_DATA}"
- else
- EXTRA_OUTPUT="${LONG_OUTPUT}${PERFORMANCE_DATA}"
+ # long output
+ if [ -z "${TERSE}" ] ; then
+ EXTRA_OUTPUT="${LONG_OUTPUT}"
+ fi
+ # performance
+ if [ -z "${NO_PERF}" ] ; then
+ EXTRA_OUTPUT="${EXTRA_OUTPUT}${PERFORMANCE_DATA}"
fi
debuglog "output parameters: CA_ISSUER_MATCHED = ${CA_ISSUER_MATCHED}"
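Review bot: the replaced code assigned EXTRA_OUTPUT unconditionally, the new code only appends to it; with both --terse and --no-perf set, nothing in this block assigns the variable, so a value left over from earlier in main() would be emitted. Initialise `EXTRA_OUTPUT=''` at the top of the block to keep the old guarantee.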
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "April, 2021" "2.0.1" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "May, 2021" "2.2.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -75,6 +75,9 @@ path of the date binary to be used
.BR "-d,--debug"
produces debugging output (can be specified more than once)
.TP
+.BR " --debug-cert"
+stores the retrieved certificates in the current directory
+.TP
.BR " --dig-bin" " path"
path of the dig binary to be used
.TP
@@ -166,6 +169,9 @@ pattern to match the CN of the certificate (can be specified multiple times)
.BR " --nmap-bin" " path"
path of the nmap binary to be used
.TP
+.BR " --no-perf"
+do not show performance data
+.TP
.BR " --no-proxy"
ignores the http_proxy and https_proxy environment variables
.TP
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.2.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%define version 2.0.1
+%define version 2.2.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -22,10 +22,7 @@ Source: https://github.com/matteocorti/check_ssl_cert/releases/download/v%{ve
Requires: nagios-plugins expect perl(Date::Parse)
%description
-Checks an X.509 certificate:
- - checks if the server is running and delivers a valid certificate
- - checks if the CA matches a given pattern
- - checks the validity
+A shell script (that can be used as a Nagios plugin) to check an SSL/TLS connection
%prep
%setup -q -n %{sourcename}-%{version}
@@ -45,6 +42,24 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Fri May 7 2021 Matteo Corti <matteo at corti.li> - 2.2.0-0
+- Updated to 2.2.0
+
+* Thu May 6 2021 Matteo Corti <matteo at corti.li> - 2.1.4-0
+- Updated to 2.1.4
+
+* Wed May 5 2021 Matteo Corti <matteo at corti.li> - 2.1.3-0
+- Updated to 2.1.3
+
+* Fri Apr 30 2021 Matteo Corti <matteo at corti.li> - 2.1.2-0
+- Updated to 2.1.2
+
+* Thu Apr 29 2021 Matteo Corti <matteo at corti.li> - 2.1.1-0
+- Updated to 2.1.1
+
+* Wed Apr 28 2021 Matteo Corti <matteo at corti.li> - 2.1.0-0
+- Updated to 2.1.0
+
* Wed Apr 7 2021 Matteo Corti <matteo at corti.li> - 2.0.1-0
- Updated to 2.0.1
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/cabundle.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cabundle.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/cacert.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cacert.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/cert_with_empty_subject.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cert_with_empty_subject.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/cert_with_subject_without_cn.crt → check_ssl_cert/check_ssl_cert_2.2.0/test/cert_with_subject_without_cn.crt
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/client.p12 → check_ssl_cert/check_ssl_cert_2.2.0/test/client.p12
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/der.cer → check_ssl_cert/check_ssl_cert_2.2.0/test/der.cer
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.0.1/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_2.2.0/test/unit_tests.sh
=====================================
@@ -168,25 +168,25 @@ testGroupedVariablesError() {
}
testETHZ() {
- ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testLetsEncrypt() {
- ${SCRIPT} --rootcert-file cabundle.crt -H helloworld.letsencrypt.org
+ ${SCRIPT} --rootcert-file cabundle.crt -H helloworld.letsencrypt.org --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testGoDaddy() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.godaddy.com --cn www.godaddy.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.godaddy.com --cn www.godaddy.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZCaseInsensitive() {
- ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ETHZ.CH
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ETHZ.CH --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
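Review bot: `--critical 1 --warning 2` is now pasted into every test invocation; put it in one variable (for example `THRESHOLDS='--critical 1 --warning 2'`) so that a later change to the thresholds is a one-line edit. A short comment stating why the thresholds are lowered (the live hosts' certificates are renewed regularly and must not trip the default expiry warning) would also help the next reader.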
@@ -194,7 +194,7 @@ testETHZCaseInsensitive() {
testETHZWildCard() {
# * should not match, see https://serverfault.com/questions/310530/should-a-wildcard-ssl-certificate-secure-both-the-root-domain-as-well-as-the-sub
# we ignore the altnames as sp.ethz.ch is listed
- ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sp.ethz.ch --ignore-altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sp.ethz.ch --ignore-altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
@@ -202,25 +202,25 @@ testETHZWildCard() {
testETHZWildCardCaseInsensitive() {
# * should not match, see https://serverfault.com/questions/310530/should-a-wildcard-ssl-certificate-secure-both-the-root-domain-as-well-as-the-sub
# we ignore the altnames as sp.ethz.ch is listed
- ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SP.ETHZ.CH --ignore-altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SP.ETHZ.CH --ignore-altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testETHZWildCardSub() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sub.sp.ethz.ch
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn sub.sp.ethz.ch --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testETHZWildCardSubCaseInsensitive() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SUB.SP.ETHZ.CH
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --cn SUB.SP.ETHZ.CH --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testRootIssuer() {
- ${SCRIPT} --rootcert-file cabundle.crt -H google.com --issuer 'GlobalSign'
+ ${SCRIPT} --rootcert-file cabundle.crt -H google.com --issuer 'GlobalSign' --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
@@ -239,14 +239,14 @@ testValidityWithPerl() {
}
testAltNames() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn www.inf.ethz.ch --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn www.inf.ethz.ch --altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
#Do not require to match Alternative Name if CN already matched
testWildcardAltNames1() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H sherlock.sp.ethz.ch --altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
@@ -257,6 +257,7 @@ testWildcardAltNames2() {
--cn somehost.spapps.ethz.ch \
--cn otherhost.sPaPPs.ethz.ch \
--cn spapps.ethz.ch \
+ --critical 1 --warning 2 \
--altnames \
EXIT_CODE=$?
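Review bot: `--altnames \` still ends with a continuation backslash after the last option, so the command only terminates because the following line is empty; inserting `--critical 1 --warning 2 \` above it works, but move `--altnames` above the new line and drop the trailing backslash so the invocation no longer depends on a blank line.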
@@ -264,27 +265,27 @@ testWildcardAltNames2() {
}
testAltNamesCaseInsensitve() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn WWW.INF.ETHZ.CH --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.inf.ethz.ch --cn WWW.INF.ETHZ.CH --altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testMultipleAltNamesFailOne() {
# Test with wiltiple CN's but last one is wrong
- ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n www.ethz.ch -n wrong.ch --altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testMultipleAltNamesFailTwo() {
# Test with multiple CN's but first one is wrong
- ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --altnames
+ ${SCRIPT} --rootcert-file cabundle.crt -H inf.ethz.ch -n wrong.ch -n www.ethz.ch --altnames --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testXMPPHost() {
- out=$(${SCRIPT} --rootcert-file cabundle.crt -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is )
+ out=$(${SCRIPT} --rootcert-file cabundle.crt -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is --critical 1 --warning 2)
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
@@ -294,7 +295,7 @@ testXMPPHost() {
}
testTimeOut() {
- ${SCRIPT} --rootcert-file cabundle.crt -H gmail.com --protocol imap --port 993 --timeout 1
+ ${SCRIPT} --rootcert-file cabundle.crt -H gmail.com --protocol imap --port 993 --timeout 1 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
@@ -307,32 +308,32 @@ testIMAP() {
}
testIMAPS() {
- ${SCRIPT} --rootcert-file cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
+ ${SCRIPT} --rootcert-file cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testPOP3S() {
- ${SCRIPT} --rootcert-file cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
+ ${SCRIPT} --rootcert-file cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testSMTP() {
- ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testSMTPSubmbission() {
- ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 587 --timeout 60
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtp --port 587 --timeout 60 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testSMTPS() {
- ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtps --port 465 --timeout 60
+ ${SCRIPT} --rootcert-file cabundle.crt -H smtp.gmail.com --protocol smtps --port 465 --timeout 60 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
@@ -354,7 +355,7 @@ testSMTPS() {
# From https://badssl.com
testBadSSLExpired() {
- ${SCRIPT} --rootcert-file cabundle.crt -H expired.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H expired.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
@@ -366,55 +367,55 @@ testBadSSLExpiredAndWarnThreshold() {
}
testBadSSLWrongHost() {
- ${SCRIPT} --rootcert-file cabundle.crt -H wrong.host.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H wrong.host.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSelfSigned() {
- ${SCRIPT} --rootcert-file cabundle.crt -H self-signed.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H self-signed.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLUntrustedRoot() {
- ${SCRIPT} --rootcert-file cabundle.crt -H untrusted-root.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H untrusted-root.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLRevoked() {
- ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLRevokedCRL() {
- ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com --crl --ignore-ocsp
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.badssl.com --crl --ignore-ocsp --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testGRCRevoked() {
- ${SCRIPT} --rootcert-file cabundle.crt -H revoked.grc.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H revoked.grc.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLIncompleteChain() {
- ${SCRIPT} --rootcert-file cabundle.crt -H incomplete-chain.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H incomplete-chain.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLDH480(){
- ${SCRIPT} --rootcert-file cabundle.crt -H dh480.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H dh480.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLDH512(){
- ${SCRIPT} --rootcert-file cabundle.crt -H dh512.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H dh512.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
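Review bot: the threshold flags added here cannot influence the assertions, since every test in this hunk expects CRITICAL for a reason unrelated to expiry (wrong host, self-signed, untrusted root, revoked, incomplete chain, weak DH parameters); they are added only to keep the invocations uniform, which is worth saying in a comment so nobody later assumes the thresholds drive the result. Style: `testBadSSLDH480(){` and `testBadSSLDH512(){` lack the space before `{` that every other function in the file uses.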
@@ -422,7 +423,7 @@ testBadSSLDH512(){
testBadSSLRC4MD5(){
# older versions of OpenSSL validate RC4-MD5
if ! openssl ciphers RC4-MD5 > /dev/null 2>&1 ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H rc4-md5.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H rc4-md5.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
@@ -433,7 +434,7 @@ testBadSSLRC4MD5(){
testBadSSLRC4(){
# older versions of OpenSSL validate RC4
if ! openssl ciphers RC4 > /dev/null 2>&1 ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H rc4.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H rc4.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
@@ -444,7 +445,7 @@ testBadSSLRC4(){
testBadSSL3DES(){
# older versions of OpenSSL validate RC4
if ! openssl ciphers 3DES > /dev/null 2>&1 ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H 3des.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H 3des.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
else
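Review bot: the comment `# older versions of OpenSSL validate RC4` above the changed line in testBadSSL3DES is copied from testBadSSLRC4 and should say 3DES, since the guard below it checks `openssl ciphers 3DES`.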
@@ -453,61 +454,61 @@ testBadSSL3DES(){
}
testBadSSLNULL(){
- ${SCRIPT} --rootcert-file cabundle.crt -H null.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H null.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSHA256() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sha256.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha256.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLEcc256() {
- ${SCRIPT} --rootcert-file cabundle.crt -H ecc256.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H ecc256.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLEcc384() {
- ${SCRIPT} --rootcert-file cabundle.crt -H ecc384.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H ecc384.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLRSA8192() {
- ${SCRIPT} --rootcert-file cabundle.crt -H rsa8192.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H rsa8192.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLLongSubdomainWithDashes() {
- ${SCRIPT} --rootcert-file cabundle.crt -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLLongSubdomain() {
- ${SCRIPT} --rootcert-file cabundle.crt -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testBadSSLSHA12016() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2016.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2016.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testBadSSLSHA12017() {
- ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2017.badssl.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H sha1-2017.badssl.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testMultipleOCSPHosts() {
- ${SCRIPT} --rootcert-file cabundle.crt -H netlock.hu
+ ${SCRIPT} --rootcert-file cabundle.crt -H netlock.hu --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
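Review bot: testBadSSLSHA12016 and testBadSSLSHA12017 expect CRITICAL, but by the date of this update the SHA-1 certificates on sha1-2016.badssl.com and sha1-2017.badssl.com, dated by their names, are expired as well as SHA-1 signed, so a regression in the signature-algorithm check would go unnoticed because expiry alone yields CRITICAL; a long-lived local SHA-1-signed test certificate checked via `-f` (as the DER and PKCS#12 tests below already do) would isolate the signature-algorithm path. The thresholds added in this hunk only matter for the OK-expected cases (sha256, ecc256, ecc384, rsa8192, the two long-subdomain hosts and netlock.hu).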
@@ -521,7 +522,7 @@ testRequireOCSP() {
# tests for -4 and -6
testIPv4() {
if openssl s_client -help 2>&1 | grep -q -- -4 ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -4
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -4 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -545,7 +546,7 @@ testIPv6() {
if ping -6 www.google.com > /dev/null 2>&1 ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -6
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com -6 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
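Review bot: the guard `ping -6 www.google.com > /dev/null 2>&1` has no packet count, so on Linux (iputils) ping runs until interrupted and the suite hangs at testIPv6 whenever IPv6 is available; add `-c 1` (and a deadline such as `-w 2` where supported) so the probe returns. On platforms whose ping does not accept `-6` the option error just skips the test, which is fine.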
@@ -563,7 +564,7 @@ testIPv6() {
}
testFormatShort() {
- OUTPUT=$( ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
+ OUTPUT=$( ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --critical 1 --warning 2 --format "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" | cut '-d|' -f 1 )
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
assertEquals "wrong output" "SSL_CERT OK ethz.ch from 'QuoVadis Global SSL ICA G2'" "${OUTPUT}"
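Review bot: `EXIT_CODE=$?` after the `OUTPUT=$( ${SCRIPT} ... | cut '-d|' -f 1 )` command substitution records the exit status of `cut`, not of `${SCRIPT}`, so the `NAGIOS_OK` assertion in testFormatShort can never fail; capture the plugin's status separately (run the plugin into a variable, check `$?`, then pipe the variable through `cut`), or enable `set -o pipefail` if the suite runs under bash. The expected output also hard-codes the issuer `QuoVadis Global SSL ICA G2`, so the test breaks the day ethz.ch renews under a different intermediate; matching only the `SSL_CERT OK ethz.ch` prefix would keep it stable.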
@@ -596,7 +597,7 @@ testDANE211() {
# check if a connection is possible
if printf 'QUIT\\n' | openssl s_client -connect hummus.csx.cam.ac.uk:25 -starttls smtp > /dev/null 2>&1 ; then
- ${SCRIPT} --rootcert-file cabundle.crt --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk
+ ${SCRIPT} --rootcert-file cabundle.crt --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk --critical 1 --warning 2
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
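Review bot: the reachability probe `printf 'QUIT\\n' | openssl s_client ...` as shown sends a literal backslash and `n` rather than a line terminator (inside single quotes printf receives `\\n`), so QUIT never arrives as a complete SMTP command; it still works as a connection check because s_client exits at end of input, but if the doubled backslash is not a rendering artifact of this diff, `printf 'QUIT\r\n'` expresses the intent.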
@@ -637,7 +638,7 @@ testDANE211() {
testDANE301ECDSA() {
if command -v dig > /dev/null ; then
- ${SCRIPT} --rootcert-file cabundle.crt --dane 301 --ecdsa -H mail.aegee.org
+ ${SCRIPT} --rootcert-file cabundle.crt --dane 301 --ecdsa -H mail.aegee.org --critical 1 --warning 2
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -650,20 +651,20 @@ testDANE301ECDSA() {
}
testRequiredProgramFile() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /doesnotexist
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /doesnotexist --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testRequiredProgramPermissions() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /etc/hosts
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.google.com --file-bin /etc/hosts --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
testSieveECDSA() {
if ! { openssl s_client -starttls sieve 2>&1 | grep -F -q 'Value must be one of:' || openssl s_client -starttls sieve 2>&1 | grep -F -q 'usage:' ; } ; then
- ${SCRIPT} --rootcert-file cabundle.crt -P sieve -p 4190 -H mail.aegee.org --ecdsa
+ ${SCRIPT} --rootcert-file cabundle.crt -P sieve -p 4190 -H mail.aegee.org --ecdsa --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
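Review bot: the testSieveECDSA guard runs `openssl s_client -starttls sieve` twice with no `-connect`, so each run also attempts s_client's default connection to localhost:4433 and the decision rests on matching two different error strings; run the probe once into a variable and grep that for both strings, and give it an explicit `-connect` to an address known to be closed so the outcome does not depend on whatever happens to listen on 4433 on the test host.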
@@ -679,7 +680,7 @@ testHTTP2() {
testForceHTTP2() {
if openssl s_client -help 2>&1 | grep -q -F alpn ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --protocol h2
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --protocol h2 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
@@ -688,56 +689,56 @@ testForceHTTP2() {
}
testNotLongerValidThan() {
- ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --not-valid-longer-than 2
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --not-valid-longer-than 2 --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testDERCert() {
- ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./der.cer --ignore-sct
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./der.cer --ignore-sct --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testPKCS12Cert() {
export PASS=
- ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./client.p12 --ignore-sct --password env:PASS
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -f ./client.p12 --ignore-sct --password env:PASS --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testCertificsteWithoutCN() {
- ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-sct
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_subject_without_cn.crt --force-perl-date --ignore-sig-alg --ignore-sct --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testCertificsteWithEmptySubject() {
- ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-sct
+ ${SCRIPT} --rootcert-file cabundle.crt -H localhost -n www.uue.org -f ./cert_with_empty_subject.crt --force-perl-date --ignore-sig-alg --ignore-sct --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testResolveSameName() {
- ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve corti.li
+ ${SCRIPT} --rootcert-file cabundle.crt -H www.ethz.ch --resolve www.ethz.ch --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testResolveDifferentName() {
- ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve www.google.com
+ ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve www.google.com --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
testResolveCorrectIP() {
- ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve "$( dig +short corti.li )"
+ ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve "$( dig +short corti.li )" --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
testResolveWrongIP() {
- ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve "$( dig +short www.google.com )"
+ ${SCRIPT} --rootcert-file cabundle.crt -H corti.li --resolve "$( dig +short www.google.com )" --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}
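Review bot: testResolveSameName switches its target from corti.li to www.ethz.ch, the only change in this patch that is not a threshold flag, while testResolveDifferentName, testResolveCorrectIP and testResolveWrongIP keep corti.li; either move all four to the same host or record why only one moved. The two IP tests call `dig` unguarded, whereas testDANE301ECDSA checks `command -v dig` first; without dig the substitution is empty and `--resolve ""` is passed. `dig +short` can also return several lines (multiple A records, or a CNAME line before the address), which hands `--resolve` a multi-line value; `dig +short www.google.com A | head -n 1` pins one address. Lastly, `testCertificsteWithoutCN` and `testCertificsteWithEmptySubject` are misspelled (`Certificate`).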
@@ -755,7 +756,7 @@ testCiphersOK() {
# check if ssl-enum-ciphers is present
if ! nmap --script ssl-enum-ciphers 2>&1 | grep -q -F 'NSE: failed to initialize the script engine' ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H cloudflare.com --check-ciphers C
+ ${SCRIPT} --rootcert-file cabundle.crt -H cloudflare.com --check-ciphers C --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
@@ -784,7 +785,7 @@ testCiphersError() {
# check if ssl-enum-ciphers is present
if ! nmap --script ssl-enum-ciphers 2>&1 | grep -q -F 'NSE: failed to initialize the script engine' ; then
- ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --check-ciphers A --check-ciphers-warnings
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --check-ciphers A --check-ciphers-warnings --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
@@ -804,7 +805,7 @@ testCiphersError() {
testETHZWithSSLLabs() {
# we assume www.ethz.ch gets at least a B
- ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --check-ssl-labs B
+ ${SCRIPT} --rootcert-file cabundle.crt -H ethz.ch --cn ethz.ch --check-ssl-labs B --critical 1 --warning 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}
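Review bot: the comment `# we assume www.ethz.ch gets at least a B` names a different host than the `-H ethz.ch --cn ethz.ch` invocation below it; align the two, since SSL Labs grades each hostname separately.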
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
-Version: 2.0.1
+Version: 2.2.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an
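Review bot: the version bump itself is fine, but the test file in this same patch shows the plugin's `--check-ciphers` path depending on nmap's ssl-enum-ciphers script and its `--dane` path depending on dig, and neither appears in Recommends or Suggests; consider adding nmap and the package providing dig to Suggests alongside expect.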
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_2.0.1
\ No newline at end of file
+check_ssl_cert_2.2.0/
\ No newline at end of file
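Review bot: the new `src` value gains a trailing slash (`check_ssl_cert_2.2.0/`) that the old value lacked, and the file still ends without a newline; confirm the packaging helper that reads this file tolerates the slash (or drop it for consistency with the previous value) and add the terminating newline.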
=====================================
debian/control
=====================================
@@ -173,7 +173,7 @@ Description: Plugins for nagios compatible monitoring systems
HOST-RESOURCES-MIB::hrSystemDate.0 used here returns 8 or 11 byte octets.
SNMP translation needs to be switched off and to be converted the
received SNMP data into readable strings.
- * check_ssl_cert (2.0.1): plugin to check the CA and validity of an
+ * check_ssl_cert (2.2.0): plugin to check the CA and validity of an
X.509 certificate
* check_uptime (0.521): check_uptime returns uptime of a system
in text (readable) format as well as in minutes for performance graphing.
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/compare/7a532e740a8a161dfcf193533a57259873d7788b...1b7ec4b193406be84c10456ccc87aaf34985afa3