[pkg-nagios-changes] [Git][nagios-team/pkg-nagios-plugins-contrib][master] check_ssl_cert: Update to 2.26.0
Jan Wagner (@waja)
gitlab at salsa.debian.org
Thu Apr 28 12:03:40 BST 2022
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / pkg-nagios-plugins-contrib
Commits:
6b707211 by Jan Wagner at 2022-04-28T13:00:28+02:00
check_ssl_cert: Update to 2.26.0
- - - - -
16 changed files:
- − check_ssl_cert/check_ssl_cert_2.25.0/VERSION
- check_ssl_cert/check_ssl_cert_2.25.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.26.0/AUTHORS.md
- check_ssl_cert/check_ssl_cert_2.25.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.26.0/CITATION.cff
- check_ssl_cert/check_ssl_cert_2.25.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.26.0/COPYING.md
- check_ssl_cert/check_ssl_cert_2.25.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.26.0/COPYRIGHT.md
- check_ssl_cert/check_ssl_cert_2.25.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.26.0/ChangeLog
- check_ssl_cert/check_ssl_cert_2.25.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.26.0/INSTALL.md
- check_ssl_cert/check_ssl_cert_2.25.0/Makefile → check_ssl_cert/check_ssl_cert_2.26.0/Makefile
- check_ssl_cert/check_ssl_cert_2.25.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.26.0/NEWS.md
- check_ssl_cert/check_ssl_cert_2.25.0/README.md → check_ssl_cert/check_ssl_cert_2.26.0/README.md
- + check_ssl_cert/check_ssl_cert_2.26.0/VERSION
- check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.completion
- check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.spec
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-2.25.0
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.26.0/AUTHORS.md
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.26.0/CITATION.cff
=====================================
@@ -230,8 +230,8 @@ authors:
given-names: "Дилян"
website: https://github.com/dilyanpalauzov
title: "check_ssl_cert"
-version: 2.25.0
-date-released: 2022-04-06
+version: 2.26.0
+date-released: 2022-04-28
url: "https://github.com/matteocorti/check_ssl_cert"
repository-code: "https://github.com/matteocorti/check_ssl_cert"
keywords:
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.26.0/COPYING.md
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.26.0/COPYRIGHT.md
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.26.0/ChangeLog
=====================================
@@ -1,7 +1,22 @@
+2022-04-28 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (main): Using --script +ssl-enum-ciphers for older versions of nmap
+
+2022-04-26 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_ocsp): Updating the timeout when using the timeout option of 'ocsp'
+
+2022-04-25 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (check_ocsp): Better error message in case of OCSP problems
+
2022-04-13 Matteo Corti <matteo at corti.li>
+ * check_ssl_cert (main): Allows to run with the --init-host-cache option only
+ * check_ssl_cert.completion (_check_ssl_cert): check if the host cache exists
* check_ssl_cert (main): Added a cache for checked hosts (to be used with bash completion)
* check_ssl_cert (usage): Fixed the capitalization of the help messages
+ * check_ssl_cert (usage): Usage errors should trigger an unknown status
2022-04-06 Matteo Corti <matteo at corti.li>
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.26.0/INSTALL.md
=====================================
@@ -29,3 +29,4 @@ Following tools are required for development:
* Simply copy the plugin to your Nagios/Icinga plugin directory
* Use ```make install``` by defining the ```DESTDIR``` and ```MANDIR``` variables with the installation targets. E.g, ```make DESTDIR=/nagios/plugins/dir MANDIR=/nagios/plugins/man/dir install```
+* To install the bash completion script run ```sudo make install_bash_completion``` (it will install the completion script in the directory defined by ```pkg-config --variable=completionsdir bash-completion```
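Review bot: The added bullet opens a parenthesis at "(it will install the completion script ..." and never closes it, and the sentence has no final period. Close the parenthesis after the pkg-config command. Since the target is run with sudo, the text should also say that the destination is whatever pkg-config reports on the local system, so the reader can check it first.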
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/Makefile → check_ssl_cert/check_ssl_cert_2.26.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.26.0/NEWS.md
=====================================
@@ -1,3 +1,6 @@
+* 2022-04-28 Version 2.26.0
+ * Fixed a bug with the ciphers check with older nmap versions
+ * Fixed a bug in the display of the expiration date
* 2022-04-13 Version 2.25.0
* Caching of the host names to be used with bash completion
* 2022-04-06 Version 2.24.0
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/README.md → check_ssl_cert/check_ssl_cert_2.26.0/README.md
=====================================
@@ -321,6 +321,8 @@ An asterisk ```*``` is automatically escaped by nagios. If you need to specify a
Once the host name cache (```${HOME}/.check_ssl_cert-cache```) is initialized (with the ```--init-host-cache``` option), every specified host is cached.
+The host name cache is a plain text file which contains an host name per line. Each time a new host is specified, it is automatically added to the cache. The file can be edited with a text editor (to delete or edit entries).
+
When using bash completion with the ```--host``` command line option the cache is then read and used as a suggestion.
## Development
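Review bot: The added paragraph reads "contains an host name per line"; that should be "a host name per line". Because the following paragraph says the file is read for `--host` completion, state here that each line is used as a completion word, so an entry should be a bare host name with no spaces or shell metacharacters.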
=====================================
check_ssl_cert/check_ssl_cert_2.26.0/VERSION
=====================================
@@ -0,0 +1 @@
+2.26.0
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert
=====================================
@@ -28,7 +28,7 @@
################################################################################
# Constants
-VERSION=2.25.0
+VERSION=2.26.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -80,10 +80,6 @@ set_variable() {
# $1 error message (optional)
usage() {
- if [ -n "$1" ]; then
- echo "Error: $1" 1>&2
- fi
-
echo
echo "Usage: check_ssl_cert -H host [OPTIONS]"
echo " check_ssl_cert -f file [OPTIONS]"
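Review bot: In usage(), the header comment kept as context still documents "$1 error message (optional)", but the removed lines were the only use of that argument, so a caller that still passes a message now has it silently dropped. Update or delete the comment and confirm that every caller that used usage "..." for an error has been moved to another path, since the removed echo was the only thing writing the error to stderr.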
@@ -1728,6 +1724,9 @@ check_ocsp() {
debuglog "OCSP: host = ${OCSP_HOST}"
+ # ocsp has an own timeout option
+ start_time=$(date +%s)
+
if [ -n "${OCSP_HOST}" ]; then
# check if -header is supported
@@ -1821,7 +1820,9 @@ check_ocsp() {
fi
- prepend_critical_message "OCSP error (-v for details)"
+ debuglog "${OCSP_RESP}"
+ OCSP_ERROR_MESSAGE=$( echo "${OCSP_RESP}" | head -n 1 )
+ prepend_critical_message "OCSP error (${OCSP_ERROR_MESSAGE})"
fi
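Review bot: In the error branch, the first line of OCSP_RESP is copied verbatim into the critical message, so text that comes back from the OCSP exchange reaches the plugin's status line unfiltered. Strip control characters and the `|` character (the perfdata separator in plugin output) and cap the length before calling prepend_critical_message. `printf '%s\n' "${OCSP_RESP}" | head -n 1` is also safer than echo for arbitrary content, and skipping leading blank lines would avoid an empty "OCSP error ()".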
@@ -1837,6 +1838,12 @@ check_ocsp() {
fi
+ # update the timeout
+ debuglog "Timeout before OCSP check: ${TIMEOUT}"
+ end_time=$(date +%s)
+ TIMEOUT=$((TIMEOUT - end_time + start_time))
+ debuglog "Timeout after OCSP check: ${TIMEOUT}"
+
done
verboselog "OCSP check for element ${el_number} OK"
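Review bot: At the end of the loop body, `TIMEOUT=$((TIMEOUT - end_time + start_time))` has no lower bound, so a slow responder can leave TIMEOUT at zero or negative for whatever runs next. Check the result after the subtraction and either report a timeout or clamp it to a minimum of 1. The two debuglog lines show the value before and after, but nothing acts on a non-positive result.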
@@ -1895,10 +1902,8 @@ check_cert_end_date() {
# We always check expired certificates
debuglog "executing: ${OPENSSL} x509 -noout -checkend 0 on cert element ${el_number} (${element_cn})"
if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend 0 >/dev/null; then
- if compare "${ELEM_DAYS_VALID}" "<" 1; then
- DAYS_AGO='today'
- elif compare "${ELEM_DAYS_VALID}" "<" 2; then
- DAYS_AGO='yesterday'
+ if compare "${ELEM_DAYS_VALID}" ">=" 0 && compare "${ELEM_DAYS_VALID}" "<" 1; then
+ DAYS_AGO='less than a day ago'
else
DAYS_AGO="$((-ELEM_DAYS_VALID)) days ago"
fi
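Review bot: The new condition yields 'less than a day ago' only when ELEM_DAYS_VALID is between 0 and 1, yet this branch runs only after `-checkend 0` has reported the certificate as expired. If the computed value is already negative for a certificate that expired a few hours ago, the else branch prints a day count instead, and `$((-ELEM_DAYS_VALID))` fails on a non-integer value. A comment stating what range ELEM_DAYS_VALID takes here, plus a test with a just-expired certificate, would settle it.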
@@ -2602,6 +2607,7 @@ parse_command_line_options() {
shift
;;
--init-host-cache)
+ INIT_HOST_CACHE=1
if ! [ -f "${HOST_CACHE}" ]; then
debuglog "Initializing host cache"
if ! touch "${HOST_CACHE}"; then
@@ -3355,7 +3361,11 @@ main() {
# Check options: sanity checks
if [ -z "${HOST}" ] && [ -z "${FILE}" ]; then
- usage "No host specified"
+ if [ -z "${INIT_HOST_CACHE}" ]; then
+ unknown "No host specified"
+ else
+ exit
+ fi
elif [ -z "${HOST}" ] && [ -n "${FILE}" ]; then
HOST='localhost'
fi
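Review bot: In the new else branch, the bare `exit` returns the status of the last command executed rather than an explicit code, and nothing is printed, so a run with `--init-host-cache` alone ends silently with whatever status happens to be current. Use an explicit `exit 0` together with a short message. INIT_HOST_CACHE is also only ever set to 1 in the lines shown; unless it is initialised to empty at startup, a value inherited from the environment would turn the "No host specified" error into a silent exit.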
@@ -3384,12 +3394,13 @@ main() {
fi
debuglog "HOST = ${HOST}"
+ info Host "${HOST}"
if [ -r "${HOST_CACHE}" ]; then
debuglog "Host cache ${HOST_CACHE} is present"
if ! grep -q "^${HOST}$" "${HOST_CACHE}"; then
debuglog "Adding ${HOST} to the host cache"
- echo "${HOST}" >> "${HOST_CACHE}"
+ echo "${HOST}" >>"${HOST_CACHE}"
else
debuglog "${HOST} is already cached"
fi
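Review bot: `grep -q "^${HOST}$"` in the lines around the changed echo interpolates the host name into a regular expression, so each dot matches any character and a new host can be judged "already cached" because of a similar existing entry. `grep -qxF -- "${HOST}" "${HOST_CACHE}"` does an exact whole-line match, and `printf '%s\n' "${HOST}"` is more predictable than echo for the append. The added `info Host "${HOST}"` line has no comment; a word on what it feeds would help.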
@@ -4216,9 +4227,11 @@ main() {
NMAP_INETPROTO='-6'
fi
- debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST_ADDR}\" 2>&1 | grep '^|'"
+ # see https://github.com/matteocorti/check_ssl_cert/issues/378
- OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST_ADDR}" 2>&1 | grep '^|')
+ debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script +ssl-enum-ciphers \"${HOST_ADDR}\" 2>&1 | grep '^|'"
+
+ OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script +ssl-enum-ciphers "${HOST_ADDR}" 2>&1 | grep '^|')
debuglog "offered ciphers and protocols:"
debuglog "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'
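Review bot: The added comment above the debuglog line only links to issue 378 and does not say what the leading `+` in `--script +ssl-enum-ciphers` does. Add one line explaining that the `+` prefix forces nmap to run the script even when its rule would not select it, so the reason survives if the link goes away. The command is also spelled out twice, once in debuglog and once in the command substitution, which is how the two can drift apart; building the argument list once would avoid that.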
@@ -5418,15 +5431,12 @@ ${WARNING}"
if [ -n "${DAYS_VALID}" ]; then
# nicer formatting
- if compare "${DAYS_VALID}" '>=' 2; then
+ if compare "${DAYS_VALID}" '>=' 1; then
DAYS_VALID=" (expires in ${DAYS_VALID} days)"
- elif compare "${DAYS_VALID}" '>=' 1; then
- DAYS_VALID=" (expires tomorrow)"
elif compare "${DAYS_VALID}" '>=' 0; then
- DAYS_VALID=" (expires today)"
+ DAYS_VALID=" (expires in less than a day)"
elif compare "${DAYS_VALID}" '>=' '-1'; then
- DAYS_VALID=" (expired yesterday)"
- else
+ DAYS_VALID=$(( -DAYS_VALID ))
DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
fi
fi
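Review bot: Removing the `else` leaves the "expired N days ago" text under `elif compare "${DAYS_VALID}" '>=' '-1'`, so a value below -1 no longer matches any branch and DAYS_VALID keeps its raw negative number instead of a formatted message. Restore a final `else` for the negation and the "expired ... days ago" assignment, and decide separately what the -1 to 0 range should print. The first branch now also produces "expires in 1 days" for a value of 1.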
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "April, 2022" "2.25.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "April, 2022" "2.26.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.completion
=====================================
@@ -2,8 +2,6 @@
_check_ssl_cert() {
- HOST_CACHE="${HOME}/.check_ssl_cert-cache"
-
local cur prev opts
COMPREPLY=()
@@ -16,7 +14,8 @@ _check_ssl_cert() {
opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --critical --check-ciphers --check-ciphers-warnings --check-ssl-labs-warn --clientpass --crl --curl-bin --curl-user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-time --dig-bin --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --resolve --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
- COMPREPLY=($(compgen -W "${opts}" -- ${cur}))
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "${opts}" -- "${cur}"))
return 0
fi
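Review bot: The new `# shellcheck disable=2207` above the COMPREPLY assignment suppresses the word-splitting warning instead of fixing it, and the same directive is repeated for every assignment in the next hunk. `mapfile -t COMPREPLY < <(compgen -W "${opts}" -- "${cur}")` removes the need for the directive.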
@@ -29,21 +28,28 @@ _check_ssl_cert() {
# optios with hosts as argument
-H | --host | --resolve)
_known_hosts_real "${cur}"
- # concatenate the array with the cached hosts: https://stackoverflow.com/questions/31143874/how-to-concatenate-arrays-in-bash
- COMPREPLY+=($(compgen -W "$(cat ~/.check_ssl_cert-cache | tr "\n" ' ' )" -- ${cur}))
+ if [ -r ~/.check_ssl_cert-cache ]; then
+ # concatenate the array with the cached hosts: https://stackoverflow.com/questions/31143874/how-to-concatenate-arrays-in-bash
+ # shellcheck disable=2207
+ COMPREPLY+=($(compgen -W "$( < ~/.check_ssl_cert-cache tr "\n" ' ' )" -- "${cur}" ))
+ fi
;;
# grades
--check-ciphers | --check-ssl-labs-warn)
- COMPREPLY=($(compgen -W "A B C D E F" -- ${cur}))
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "A B C D E F" -- "${cur}" ))
;;
--dane)
- COMPREPLY=($(compgen -W "211 301 302 311 312" -- ${cur}))
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "211 301 302 311 312" -- "${cur}" ))
;;
--port | -p)
- COMPREPLY=($(compgen -W "21 22 80 443 143 993 194 994 389 636 3306 110 995 5432 4190 25 465 5222 5269" -- ${cur}))
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "21 22 80 443 143 993 194 994 389 636 3306 110 995 5432 4190 25 465 5222 5269" -- "${cur}" ))
;;
--protocol | -P)
- COMPREPLY=($(compgen -W "ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server ftp" -- ${cur}))
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server ftp" -- "${cur}" ))
;;
*) ;;
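Review bot: In the `-H | --host | --resolve` case, the cache file content is passed to `compgen -W`, which performs shell expansion on each word of the list, so lines in `~/.check_ssl_cert-cache` are not treated as inert data. Read the file line by line and keep only entries made of host name characters before adding them to COMPREPLY. The path is also written out literally twice here now that the HOST_CACHE variable was removed from this file, so it can drift from the path the plugin uses; keep one variable. Minor: the context comment says "optios", and "ftp" appears twice in the protocol list.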
=====================================
check_ssl_cert/check_ssl_cert_2.25.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.26.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%global version 2.25.0
+%global version 2.26.0
%global release 0
%global sourcename check_ssl_cert
%global packagename nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Thu Apr 28 2022 Matteo Corti <matteo at corti.li> - 2.26.0-0
+- Updated to 2.26.0
+
* Wed Apr 13 2022 Matteo Corti <matteo at corti.li> - 2.25.0-0
- Updated to 2.25.0
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_2.25.0/
\ No newline at end of file
+check_ssl_cert_2.26.0/
\ No newline at end of file
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nagios-plugins-contrib/-/commit/6b7072116aabc3cb0894dd27b30e0d8edcaaa512