[pkg-nagios-changes] [Git][nagios-team/nagios-plugins-contrib][master] check_ssl_cert: Update to 2.58.0
Jan Wagner (@waja)
gitlab at salsa.debian.org
Thu Jan 19 10:17:34 GMT 2023
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / nagios-plugins-contrib
Commits:
7206c6d3 by Jan Wagner at 2023-01-19T10:11:31+00:00
check_ssl_cert: Update to 2.58.0
- - - - -
18 changed files:
- − check_ssl_cert/check_ssl_cert_2.57.0/VERSION
- check_ssl_cert/check_ssl_cert_2.57.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.58.0/AUTHORS.md
- check_ssl_cert/check_ssl_cert_2.57.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.58.0/CITATION.cff
- check_ssl_cert/check_ssl_cert_2.57.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYING.md
- check_ssl_cert/check_ssl_cert_2.57.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYRIGHT.md
- check_ssl_cert/check_ssl_cert_2.57.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.58.0/ChangeLog
- check_ssl_cert/check_ssl_cert_2.57.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.58.0/GNUmakefile
- check_ssl_cert/check_ssl_cert_2.57.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.58.0/INSTALL.md
- check_ssl_cert/check_ssl_cert_2.57.0/Makefile → check_ssl_cert/check_ssl_cert_2.58.0/Makefile
- check_ssl_cert/check_ssl_cert_2.57.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.58.0/NEWS.md
- check_ssl_cert/check_ssl_cert_2.57.0/README.md → check_ssl_cert/check_ssl_cert_2.58.0/README.md
- + check_ssl_cert/check_ssl_cert_2.58.0/VERSION
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.completion
- check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.spec
- check_ssl_cert/control
- check_ssl_cert/src
Changes:
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-2.57.0
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.58.0/AUTHORS.md
=====================================
@@ -115,7 +115,8 @@ Maintainer: [Matteo Corti](https://github.com/matteocorti) <[matteo at corti.li](ma
* Many thanks to [Christoph Moench-Tegeder](https://github.com/moench-tegeder) for the [OpenSSL](https://www.openssl.org) version patch
* Many thanks to [waja](https://github.com/waja) for
* the [GitHub](https://www.github.com) workflows and
- * the chain checks with STARTTLS
+ * the chain checks with STARTTLS and
+ * the trailing backslash patch
* Many thanks to [Tobias Grünewald](https://github.com/tobias-gruenewald) for the client certificate patch
* Many thanks to [chornberger-c2c](https://github.com/chornberger-c2c) for the critical and warning output fix
* Many thanks to [Claus-Theodor Riegg](https://github.com/ctriegg-mak) for
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.58.0/CITATION.cff
=====================================
@@ -246,8 +246,8 @@ authors:
given-names: "Дилян"
website: https://github.com/dilyanpalauzov
title: "check_ssl_cert"
-version: 2.57.0
-date-released: 2022-12-04
+version: 2.58.0
+date-released: 2023-01-16
url: "https://github.com/matteocorti/check_ssl_cert"
repository-code: "https://github.com/matteocorti/check_ssl_cert"
keywords:
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYING.md
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.58.0/COPYRIGHT.md
=====================================
@@ -2,7 +2,7 @@
# Copyright
* Copyright © 2007-2013 ETH Zurich
-* Copyright © 2007-2022 Matteo Corti
+* Copyright © 2007-2023 Matteo Corti
with the following individuals added to the list of contributing authors
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.58.0/ChangeLog
=====================================
@@ -1,3 +1,12 @@
+2023-01-16 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert: Added an option to set the security level (see help)
+ * check_ssl_cert (fetch_certificate): better error handling
+
+2023-01-05 Matteo Corti <matteo at corti.li>
+
+ * check_ssl_cert (usage): Added an option to ignore header problems with --all and --all-local
+
2022-11-30 Marcel Burkhalter <marcel.burkhalter at weareplanet.com>
* check_ssl_cert (main): Add command line argument to set the PATH variable
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.58.0/GNUmakefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.58.0/INSTALL.md
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/Makefile → check_ssl_cert/check_ssl_cert_2.58.0/Makefile
=====================================
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.58.0/NEWS.md
=====================================
@@ -1,5 +1,8 @@
# News
+* 2023-01-16 Version 2.58.0
+ * Added the option ```--security-level```
+ * Added an option to ignore header problems with --all and --all-local (```--ignore-http-headers```)
* 2022-12-04 Version 2.57.0
* Support for DNS over TLS
* 2022-11-30 Version 2.56.0
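Review bot: the inline code in the two new bullets is wrapped in triple backticks (```--security-level```), where Markdown inline code takes single backticks, and within the second bullet `--all` and `--all-local` are left unformatted while `--ignore-http-headers` is code-formatted. Suggest single backticks around all three option names so the bullet is internally consistent.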
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/README.md → check_ssl_cert/check_ssl_cert_2.58.0/README.md
=====================================
@@ -1,7 +1,7 @@
# check\_ssl\_cert
© Matteo Corti, ETH Zurich, 2007-2012.
- © Matteo Corti, 2007-2022.
+ © Matteo Corti, 2007-2023.
see [AUTHORS.md](AUTHORS.md) for the complete list of contributors
@@ -122,6 +122,8 @@ Options:
--ignore-connection-problems [state] In case of connection problems
returns OK or the optional state
--ignore-exp Ignore expiration date
+ --ignore-http-headers Ignore checks on HTTP headers with --all
+ and --all-local
--ignore-host-cn Do not complain if the CN does not match
the host name
--ignore-incomplete-chain Do not check chain integrity
@@ -234,6 +236,9 @@ Options:
certificate validation
--rsa Signature algorithm selection: force RSA
certificate
+ --security-level number Set the security level to specified value
+ See SSL_CTX_set_security_level(3) for a
+ description of what each level means
-s,--selfsigned Allow self-signed certificates
--serial serialnum Pattern to match the serial number
--skip-element number Skip checks on the Nth cert element (can
@@ -319,6 +324,7 @@ Deprecated options:
(see: --ssl2 or --ssl3)
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
+
```
## Configuration
=====================================
check_ssl_cert/check_ssl_cert_2.58.0/VERSION
=====================================
@@ -0,0 +1 @@
+2.58.0
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert
=====================================
@@ -10,7 +10,7 @@
# See the INSTALL.md file for installation instructions
#
# Copyright (c) 2007-2012 ETH Zurich.
-# Copyright (c) 2007-2022 Matteo Corti <matteo at corti.li>
+# Copyright (c) 2007-2023 Matteo Corti <matteo at corti.li>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -31,7 +31,7 @@
################################################################################
# Constants
-VERSION=2.57.0
+VERSION=2.58.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -79,7 +79,7 @@ SCALE=""
add_required_header() {
header=$1
debuglog "Adding ${header} to the list of required HTTP headers: ${REQUIRED_HTTP_HEADERS}"
- if [ -z "${REQUIRED_HTTP_HEADERS}" ] ; then
+ if [ -z "${REQUIRED_HTTP_HEADERS}" ]; then
REQUIRED_HTTP_HEADERS="${header}"
else
REQUIRED_HTTP_HEADERS="${REQUIRED_HTTP_HEADERS},${header}"
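Review bot: this hunk and most of the ones that follow in check_ssl_cert only drop the space before `;` or remove a blank line between functions, which reads like formatter output mixed into the release update. That is acceptable for a vendored upstream drop, but it buries the few behavioural changes in this file (the `tr` change in remove_temporary_files, the `${SECURITY_LEVEL}` interpolation and the new error branches in fetch_certificate), so it would help to call those out in the commit message.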
@@ -93,19 +93,18 @@ add_required_header() {
add_unrequired_header() {
header=$1
debuglog "Adding ${header} to the list of unrequired HTTP headers: ${UNREQUIRED_HTTP_HEADERS}"
- if [ -z "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+ if [ -z "${UNREQUIRED_HTTP_HEADERS}" ]; then
UNREQUIRED_HTTP_HEADERS="${header}"
else
UNREQUIRED_HTTP_HEADERS="${UNREQUIRED_HTTP_HEADERS},${header}"
fi
}
-
CACHED_HEADERS=
fetch_http_headers() {
- if [ -z "${CACHED_HEADERS}" ] ; then
+ if [ -z "${CACHED_HEADERS}" ]; then
debuglog "Fetching headers"
@@ -113,7 +112,7 @@ fetch_http_headers() {
CACHED_HEADERS=${TEMPFILE}
CURL_RESOLVE=''
- if [ -n "${RESOLVE}" ] ; then
+ if [ -n "${RESOLVE}" ]; then
CURL_RESOLVE="--resolve ${HOST}:${PORT}:${RESOLVE}"
fi
@@ -127,18 +126,18 @@ fetch_http_headers() {
exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_RESOLVE} ${CURL_PROXY_ARGUMENT} ${INETPROTO} -k -s -D- -A '${HTTP_USER_AGENT}' -o /dev/null -L https://${HOST}${path}" "${CACHED_HEADERS}"
RET=$?
- if [ "${RET}" -ne 0 ] ; then
+ if [ "${RET}" -ne 0 ]; then
debuglog "Cannot retrieve HTTP headers (curl error code: ${RET})"
prepend_critical_message "Cannot retrieve HTTP headers"
fi
if [ "${DEBUG}" -gt 1 ]; then
- ESCAPED_PATH=$( echo "${path}" | sed 's/\//\\\//g' )
+ ESCAPED_PATH=$(echo "${path}" | sed 's/\//\\\//g')
# there might be empty lines
"${GREP_BIN}" '[[:alpha:]]' "${CACHED_HEADERS}" | sed "s/^/[DBG] HTTP headers for https:\\/\\/${HOST}${ESCAPED_PATH}: /" 1>&2
fi
- if [ -n "${DEBUG_HEADERS}" ] ; then
+ if [ -n "${DEBUG_HEADERS}" ]; then
cp "${CACHED_HEADERS}" headers.txt
fi
@@ -155,11 +154,11 @@ check_required_http_header() {
debuglog "Checking required header '${header}' with path '${path}'"
- if ! "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}" ; then
+ if ! "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}"; then
debuglog "Required header '${header}' not found"
prepend_critical_message "HTTP header '${header}' is not supported"
else
- HEADER_VALUE=$( "${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r' )
+ HEADER_VALUE=$("${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r')
debuglog "Required header '${header}' found (${HEADER_VALUE})"
verboselog "Required header '${header}' is supported (${HEADER_VALUE})"
fi
@@ -175,8 +174,8 @@ check_unrequired_http_header() {
debuglog "Checking unrequired header '${header}' with path '${path}'"
- if "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}" ; then
- HEADER_VALUE=$( "${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r' )
+ if "${GREP_BIN}" -q -i "^${header}:" "${CACHED_HEADERS}"; then
+ HEADER_VALUE=$("${GREP_BIN}" -i "^${header}:" "${CACHED_HEADERS}" | sed 's/[^:]*: //' | tr -d '\n' | tr -d '\r')
debuglog "Unwanted header '${header}' found (${HEADER_VALUE})"
prepend_critical_message "HTTP header '${header}' is supported (${HEADER_VALUE})"
else
@@ -324,6 +323,8 @@ usage() {
echo " --ignore-connection-problems [state] In case of connection problems"
echo " returns OK or the optional state"
echo " --ignore-exp Ignore expiration date"
+ echo " --ignore-http-headers Ignore checks on HTTP headers with --all"
+ echo " and --all-local"
echo " --ignore-host-cn Do not complain if the CN does not match"
echo " the host name"
echo " --ignore-incomplete-chain Do not check chain integrity"
@@ -446,6 +447,9 @@ usage() {
echo " --rsa Signature algorithm selection: force RSA"
echo " certificate"
# Delimiter at 78 chars ############################################################
+ echo " --security-level number Set the security level to specified value"
+ echo " See SSL_CTX_set_security_level(3) for a"
+ echo " description of what each level means"
echo " -s,--selfsigned Allow self-signed certificates"
echo " --serial serialnum Pattern to match the serial number"
echo " --skip-element number Skip checks on the Nth cert element (can"
@@ -716,7 +720,7 @@ remove_temporary_files() {
debuglog "cleaning up temporary files"
# shellcheck disable=SC2086
if [ -n "${TEMPORARY_FILES}" ]; then
- TEMPORARY_FILES_TMP="$(echo "${TEMPORARY_FILES}" | tr '\ ' '\n')"
+ TEMPORARY_FILES_TMP="$(echo "${TEMPORARY_FILES}" | tr '\s' '\n')"
debuglog "${TEMPORARY_FILES_TMP}"
rm -f ${TEMPORARY_FILES}
fi
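Review bot: `tr '\s' '\n'` does not do what the replaced `tr '\ ' '\n'` did. tr has no `\s` whitespace escape; GNU tr treats an unrecognised backslash escape as the literal following character, so this now translates every letter `s` in the temporary file names into a newline. Only the debuglog output is affected, because `rm -f ${TEMPORARY_FILES}` two lines below still uses the untouched variable, but the debug listing will be garbled for any path containing an `s`. Suggest `tr ' ' '\n'`, which is what the original intended without the redundant backslash.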
@@ -1013,7 +1017,7 @@ prepend_critical_message() {
tmp=" ${SNI}"
elif [ -n "${FILE_URI}" ]; then
tmp=" ${FILE_URI}"
- elif [ -n "${FILE}" ] && [ "${HOST}" = 'localhost' ] ; then
+ elif [ -n "${FILE}" ] && [ "${HOST}" = 'localhost' ]; then
tmp=" ${FILE}"
else
tmp=" ${HOST_NAME}"
@@ -1333,7 +1337,7 @@ compare() {
# Returns the result
compute() {
expression="$1"
- if [ -n "$2" ] ; then
+ if [ -n "$2" ]; then
# custom scale
local_scale=$2
else
@@ -1412,7 +1416,6 @@ check_x509_option() {
return $?
}
-
################################################################################
# Extract specific field from a subject
# $1 field
@@ -1436,7 +1439,7 @@ parse_subject() {
# old format
debuglog " old format separated by /"
- if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}=" ; then
+ if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}="; then
echo "${SUBJECT}" | sed -e "s/.*\\/${FIELD}=//" -e 's/\/.*//'
fi
@@ -1445,7 +1448,7 @@ parse_subject() {
# new format
debuglog " new format separated by ,"
- if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*=" ; then
+ if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*="; then
if echo "${SUBJECT}" | "${GREP_BIN}" -q "${FIELD}[ ]*=[ ]*\""; then
# quotes
@@ -1463,7 +1466,6 @@ parse_subject() {
}
-
################################################################################
# Extract specific attributes from a certificate
# $1 attribute name
@@ -1569,9 +1571,9 @@ extract_cert_attribute() {
#
# see https://security.stackexchange.com/questions/141661/whats-the-difference-between-public-key-algorithm-and-signature-algorithm-i
- ALGORITHM=$( echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public Key Algorithm' | sed -e 's/.*: //')
+ ALGORITHM=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public Key Algorithm' | sed -e 's/.*: //')
- PUBLIC_KEY=$( echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public-Key' | sed 's/.*: //' )
+ PUBLIC_KEY=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public-Key' | sed 's/.*: //')
echo "${ALGORITHM} ${PUBLIC_KEY}"
;;
@@ -1595,15 +1597,15 @@ extract_cert_attribute() {
sed -e 's/^ *//'
;;
keyUsage)
- KEY_USAGE_TMP=$( echo "${cert_content}" | "${OPENSSL}" x509 -noout -ext keyUsage 2>&1 )
- if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q 'No extensions in certificate' ; then
+ KEY_USAGE_TMP=$(echo "${cert_content}" | "${OPENSSL}" x509 -noout -ext keyUsage 2>&1)
+ if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q 'No extensions in certificate'; then
echo
else
- if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q critical ; then
+ if echo "${KEY_USAGE_TMP}" | "${GREP_BIN}" -q critical; then
PURPOSE_CRITICAL=1
fi
- PURPOSE=$( echo "${KEY_USAGE_TMP}" | tail -n 1 | sed 's/^[[:blank:]]*//')
+ PURPOSE=$(echo "${KEY_USAGE_TMP}" | tail -n 1 | sed 's/^[[:blank:]]*//')
echo "${PURPOSE}"
fi
@@ -1643,7 +1645,7 @@ exec_with_timeout() {
debuglog "exec_with_timeout $1 $2 $3"
debuglog " TIMEOUT_REASON = ${TIMEOUT_REASON}"
- if [ -n "${TIMEOUT_REASON}" ] ; then
+ if [ -n "${TIMEOUT_REASON}" ]; then
if ! echo "${TIMEOUT_REASON}" | "${GREP_BIN}" -q '^ '; then
# add a blank before the reason in parenthesis
TIMEOUT_REASON=" (${TIMEOUT_REASON})"
@@ -2133,8 +2135,8 @@ check_ocsp() {
fi
debuglog "${OCSP_RESP}"
- OCSP_ERROR_MESSAGE=$( echo "${OCSP_RESP}" | head -n 1 )
- if [ -z "${OCSP_IGNORE_ERRORS}" ] ; then
+ OCSP_ERROR_MESSAGE=$(echo "${OCSP_RESP}" | head -n 1)
+ if [ -z "${OCSP_IGNORE_ERRORS}" ]; then
prepend_critical_message "OCSP error (${OCSP_ERROR_MESSAGE})"
else
debuglog "Ignoring OCSP error (${OCSP_ERROR_MESSAGE})"
@@ -2227,7 +2229,7 @@ check_cert_end_date() {
fi
debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
- if [ -z "${CN_EXPIRED_CRITICAL}" ] ; then
+ if [ -z "${CN_EXPIRED_CRITICAL}" ]; then
CN_EXPIRED_CRITICAL="${CN_EXPIRED_TMP}"
else
CN_EXPIRED_CRITICAL="${CN_EXPIRED_CRITICAL}
@@ -2247,7 +2249,7 @@ ${CN_EXPIRED_TMP}"
if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${CRITICAL_SECONDS}" >/dev/null; then
debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
- if [ -z "${CN_EXPIRED_CRITICAL}" ] ; then
+ if [ -z "${CN_EXPIRED_CRITICAL}" ]; then
CN_EXPIRED_CRITICAL="${CN_EXPIRED_TMP}"
else
CN_EXPIRED_CRITICAL="${CN_EXPIRED_CRITICAL}
@@ -2269,7 +2271,7 @@ ${CN_EXPIRED_TMP}"
if ! echo "${1}" | ${OPENSSL} x509 -noout -checkend "${WARNING_SECONDS}" >/dev/null; then
debuglog "WARNING: certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) will expire in ${ELEM_DAYS_VALID} day(s) on ${ELEM_END_DATE}"
- if [ -z "${CN_EXPIRED_WARNING}" ] ; then
+ if [ -z "${CN_EXPIRED_WARNING}" ]; then
CN_EXPIRED_WARNING="${CN_EXPIRED_TMP}"
else
CN_EXPIRED_WARNING="${CN_EXPIRED_WARNING}
@@ -2338,7 +2340,7 @@ ${CN_EXPIRED_TMP}"
fi
# the element is valid: add to the list of valid CNs
- if [ -z "${CN_OK}" ] ; then
+ if [ -z "${CN_OK}" ]; then
CN_OK="${element_cn}"
else
CN_OK="${CN_OK}
@@ -2477,51 +2479,51 @@ fetch_certificate() {
case "${PROTOCOL}" in
pop3 | ftp)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
pop3s | ftps)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
smtp)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
smtps)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- irc | ldap )
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ irc | ldap)
+ exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
- ircs | ldaps | dns )
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ ircs | ldaps | dns)
+ exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
imap)
- exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
imaps)
- exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
postgres | postgresql)
- exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
sieve)
- exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
xmpp | xmpp-server)
- exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${XMPPHOST} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${XMPPHOST} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
mysql)
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
*)
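Review bot: every s_client invocation in this hunk now interpolates `${SECURITY_LEVEL}` unquoted into the command string handed to exec_with_timeout, but neither the variable's initialisation among the defaults nor the `--security-level` branch of parse_command_line_options is visible in this excerpt of the commit. Worth confirming that the default is an empty string (so behaviour is unchanged when the option is not given) and that the option's argument is validated as a number before it is placed into the command line, as the usage text (`--security-level number`) promises.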
@@ -2567,11 +2569,11 @@ fetch_certificate() {
debuglog "Executing ${KEYTOOLBIN} -exportcert -rfc -keystore ${FILE} -alias ${JKSALIAS} -file ${CERT} -storepass ${PASSWORD_SOURCE}"
- CONVERSION_ERROR=$( "${KEYTOOLBIN}" -exportcert -rfc -keystore "${FILE}" -alias "${JKSALIAS}" -file "${CERT}" -storepass "${PASSWORD_SOURCE}" 2>&1)
+ CONVERSION_ERROR=$("${KEYTOOLBIN}" -exportcert -rfc -keystore "${FILE}" -alias "${JKSALIAS}" -file "${CERT}" -storepass "${PASSWORD_SOURCE}" 2>&1)
RET=$?
if [ "${RET}" -eq 1 ]; then
- CONVERSION_ERROR_TMP="$( echo "${CONVERSION_ERROR}" | head -n 1)"
+ CONVERSION_ERROR_TMP="$(echo "${CONVERSION_ERROR}" | head -n 1)"
unknown "Error converting JKS to PEM: ${CONVERSION_ERROR_TMP}"
fi
@@ -2591,16 +2593,16 @@ fetch_certificate() {
debuglog "The input file is a CRL in DER format: converting to PEM"
debuglog "Executing ${OPENSSL} crl -inform der -in ${FILE} -out ${CERT} 2> /dev/null"
- "${OPENSSL}" crl -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"
+ "${OPENSSL}" crl -inform der -in "${FILE}" -out "${CERT}" 2>"${CONVERSION_ERROR}"
- if [ $? -eq 1 ]; then
- CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
- unknown "Error converting CRL ${FILE}: ${CONVERSION_ERROR_TMP}"
- fi
-
- else
+ if [ $? -eq 1 ]; then
CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
- unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
+ unknown "Error converting CRL ${FILE}: ${CONVERSION_ERROR_TMP}"
+ fi
+
+ else
+ CONVERSION_ERROR_TMP="$(head -n 1 "${CONVERSION_ERROR}")"
+ unknown "Error converting ${FILE}: ${CONVERSION_ERROR_TMP}"
fi
fi
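Review bot: as far as the diff shows this hunk is a pure re-indentation, but the moved `if [ $? -eq 1 ]` keeps treating only exit status 1 as a failed `openssl crl` conversion, so any other non-zero status falls through with `${CERT}` possibly empty or partial. Since the lines are being touched anyway, `-ne 0` is the safer test and does not depend on openssl using exactly 1 for every failure. Capturing the status in a variable right after the command (as the JKS branch above does with `RET=$?`) would also make the check robust to later edits inserting a line in between.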
@@ -2660,7 +2662,7 @@ fetch_certificate() {
ALPN="-alpn h2"
fi
- exec_with_timeout "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${ALPN} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${ALPN} -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
RET=$?
fi
@@ -2802,7 +2804,7 @@ fetch_certificate() {
elif ascii_grep "Unable to load certificate file" "${ERROR}"; then
# we handle TDS retried certs differently
- if [ "${HOST}" = 'localhost' ] ; then
+ if [ "${HOST}" = 'localhost' ]; then
ERROR="Cannot read certificate file"
prepend_critical_message "${ERROR}"
critical "SSL_CERT_CRITICAL ${FILE}: ${ERROR}"
@@ -2818,8 +2820,20 @@ fetch_certificate() {
prepend_critical_message "${ERROR}"
critical "SSL_CERT_CRITICAL ${FILE}: ${ERROR}"
+ elif ascii_grep ":error:0A0C0103:SSL" "${ERROR}"; then
+
+ ERROR="Legacy signature algorithm unsupported or disallowed"
+ prepend_critical_message "${ERROR}"
+ critical "SSL_CERT_CRITICAL ${HOST}: ${ERROR}"
+
+ elif ascii_grep ":ssl_choose_client_version:unsupported" "${ERROR}"; then
+
+ ERROR="Unsupported TLS protocol version"
+ prepend_critical_message "${ERROR}"
+ critical "SSL_CERT_CRITICAL ${HOST}: ${ERROR}"
+
elif ascii_grep "unexpected eof while reading" "${ERROR}" ||
- ascii_grep "ssl handshake failure" "${ERROR}"; then
+ ascii_grep "ssl handshake failure" "${ERROR}"; then
ERROR="TLS handshake error"
prepend_critical_message "${ERROR}"
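Review bot: the two new branches match OpenSSL error strings in two different, version-specific formats. `:error:0A0C0103:SSL` is the OpenSSL 3 packing (8 hex digits with the `0A` library prefix and no function name); OpenSSL 1.1.x emits `14`-prefixed codes with the function name embedded, so this branch only fires on OpenSSL 3. Conversely, `:ssl_choose_client_version:unsupported` relies on the function name being present in the string, which OpenSSL 1.1.x prints but OpenSSL 3 omits by default (`SSL routines::unsupported protocol`), so that branch only fires on 1.1.x. Matching on the reason text with ascii_grep would cover both; failing that, a comment stating which OpenSSL version each pattern targets would help the next reader. Ordering is fine: both branches sit before the generic `TLS handshake error` fallback, so they take precedence as intended.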
@@ -2996,7 +3010,7 @@ parse_command_line_options() {
# DTLS
--dtls)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--dtls: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
require_s_client_option '-dtls'
@@ -3004,7 +3018,7 @@ parse_command_line_options() {
shift
;;
--dtls1)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--dtls1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
require_s_client_option '-dtls1'
@@ -3012,7 +3026,7 @@ parse_command_line_options() {
shift
;;
--dtls1_2)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--dtls1_2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
require_s_client_option '-dtls1_2'
@@ -3047,6 +3061,10 @@ parse_command_line_options() {
ALTNAMES=
shift
;;
+ --ignore-http-headers)
+ IGNORE_HTTP_HEADERS=1
+ shift
+ ;;
--ignore-host-cn)
NAMES_TO_BE_CHECKED=
ALTNAMES=
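Review bot: `IGNORE_HTTP_HEADERS=1` is set here, but neither its initialisation among the script's defaults nor the point where the `--all` / `--all-local` header checks consult it appears in this excerpt of the commit. Worth confirming that the variable starts out empty before parse_command_line_options runs (the script tests its other flag variables with `-n` / `-z`) and that it is honoured exactly where the usage text `Ignore checks on HTTP headers with --all and --all-local` says it is.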
@@ -3099,7 +3117,7 @@ parse_command_line_options() {
shift
;;
--no-ssl2 | --no_ssl2)
- if [ "$1" = '--no_ssl2' ] ; then
+ if [ "$1" = '--no_ssl2' ]; then
deprecated "$1" "Use '--no-ssl2'"
fi
# we keep the old variant for compatibility
@@ -3107,7 +3125,7 @@ parse_command_line_options() {
shift
;;
--no-ssl3 | --no_ssl3)
- if [ "$1" = '--no_ssl3' ] ; then
+ if [ "$1" = '--no_ssl3' ]; then
deprecated "$1" "Use '--no-ssl3'"
fi
# we keep the old variant for compatibility
@@ -3115,7 +3133,7 @@ parse_command_line_options() {
shift
;;
--no-tls1 | --no_tls1)
- if [ "$1" = '--no_tls1' ] ; then
+ if [ "$1" = '--no_tls1' ]; then
deprecated "$1" "Use '--no-tls1'"
fi
# we keep the old variant for compatibility
@@ -3123,7 +3141,7 @@ parse_command_line_options() {
shift
;;
--no-tls1_1 | --no_tls1_1)
- if [ "$1" = '--no_tls1_1' ] ; then
+ if [ "$1" = '--no_tls1_1' ]; then
deprecated "$1" "Use '--no-tls1_1'"
fi
# we keep the old variant for compatibility
@@ -3131,7 +3149,7 @@ parse_command_line_options() {
shift
;;
--no-tls1_2 | --no_tls1_2)
- if [ "$1" = '--no_tls1_2' ] ; then
+ if [ "$1" = '--no_tls1_2' ]; then
deprecated "$1" "Use '--no-tls1_2'"
fi
# we keep the old variant for compatibility
@@ -3139,7 +3157,7 @@ parse_command_line_options() {
shift
;;
--no-tls1_3 | --no_tls1_3)
- if [ "$1" = '--no_tls1_3' ] ; then
+ if [ "$1" = '--no_tls1_3' ]; then
deprecated "$1" "Use '--no-tls1_3'"
fi
# we keep the old variant for compatibility
@@ -3219,42 +3237,42 @@ parse_command_line_options() {
shift
;;
--ssl2)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--ssl2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-ssl2"
shift
;;
--ssl3)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--ssl3: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-ssl3"
shift
;;
--tls1)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--tls1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-tls1"
shift
;;
--tls1_1)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--tls1_1: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-tls1_1"
shift
;;
--tls1_2)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--tls1_2: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-tls1_2"
shift
;;
--tls1_3)
- if [ -n "${SSL_VERSION}" ] ; then
+ if [ -n "${SSL_VERSION}" ]; then
unknown "--tls1_3: only one protocol can be specified at the same time (${SSL_VERSION} is already specified)"
fi
SSL_VERSION="-tls1_3"
@@ -3324,12 +3342,12 @@ parse_command_line_options() {
--configuration)
check_option_argument '--configuration' "$2"
- if [ -r "$2" ] ; then
+ if [ -r "$2" ]; then
# custom configuration file
while IFS= read -r line; do
# shellcheck disable=SC2086
set -- "$@" ${line}
- done < "$2"
+ done <"$2"
else
unknown "Cannot read $2"
fi
@@ -3467,6 +3485,15 @@ parse_command_line_options() {
PYTHON_BIN="$2"
shift 2
;;
+ --security-level)
+ check_option_argument '--security-level' "$2"
+ if ! echo "$2" | grep -q '^[0-5]$' ; then
+ unknown 'Invalid secuirity level'
+ fi
+ SECURITY_LEVEL="-cipher DEFAULT at SECLEVEL=$2"
+ shift 2
+ ;;
+
--serial)
check_option_argument '--serial' "$2"
SERIAL_LOCK="$2"
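Review bot: the `unknown 'Invalid secuirity level'` line misspells "security". The validation also uses bare `grep` where the rest of the script goes through `"${GREP_BIN}"`, and the `'^[0-5]$' ; then` spacing is exactly the form this commit normalizes to `; then` everywhere else. Finally, the assignment reads `-cipher DEFAULT at SECLEVEL=$2` in the archive: OpenSSL's cipher-string syntax is `DEFAULT@SECLEVEL=n`, and this list archive rewrites `@` as ` at ` (see the e-mail addresses in the spec changelog below), so confirm the committed source contains the literal `@`.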
@@ -3534,10 +3561,10 @@ $2"
shift 2
;;
-n | --cn | -m | --match)
- if [ "$1" = '-n' ] ; then
+ if [ "$1" = '-n' ]; then
deprecated '-n' "Use '-m'"
fi
- if [ "$1" = '--cn' ] ; then
+ if [ "$1" = '--cn' ]; then
deprecated '--cn' "Use '--match'"
fi
check_option_argument ' -n|--cn|-m|--match' "$2"
@@ -3765,7 +3792,7 @@ $2"
add_required_header X-Frame-Options
# default path
- if [ -z "${HTTP_HEADERS_PATH}" ] ; then
+ if [ -z "${HTTP_HEADERS_PATH}" ]; then
HTTP_HEADERS_PATH='/'
fi
@@ -3919,11 +3946,11 @@ main() {
# Bash specific.
# read additional options from the configuration file
- if [ -r "${CONFIGURATION_FILE}" ] ; then
+ if [ -r "${CONFIGURATION_FILE}" ]; then
while IFS= read -r line; do
# shellcheck disable=SC2086
set -- "$@" ${line}
- done < "${CONFIGURATION_FILE}"
+ done <"${CONFIGURATION_FILE}"
fi
parse_command_line_options "$@"
@@ -4011,20 +4038,24 @@ main() {
date >>"${DEBUG_FILE}"
fi
- if [ "${DEBUG}" -gt 0 ] ; then
+ if [ "${DEBUG}" -gt 0 ]; then
debuglog "Shell: ${SHELL}"
- SHELL_VERSION=$( "${SHELL}" --version)
+ SHELL_VERSION=$("${SHELL}" --version)
echo "${SHELL_VERSION}" | sed 's/^/[DBG] /' 1>&2
# should take a look at
# https://github.com/stephane-chazelas/misc-scripts/blob/master/which_interpreter
debuglog "grep: ${GREP_BIN}"
- GREP_VERSION=$( ${GREP_BIN} --version)
+ GREP_VERSION=$(${GREP_BIN} --version 2>&1)
+ if echo "${GREP_VERSION}" | grep -q BusyBox ; then
+ # BusyBox grep does not have a -version option
+ GREP_VERSION=$( echo "${GREP_VERSION}" | sed -e 's/.*BusyBox/BusyBox/' -e 's/\. Usage.*//' )
+ fi
echo "${GREP_VERSION}" | sed 's/^/[DBG] /' 1>&2
- HOSTNAME_BIN=$( command -v hostname )
+ HOSTNAME_BIN=$(command -v hostname)
debuglog "hostname: ${HOSTNAME_BIN}"
debuglog "\$PATH: ${PATH}"
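Review bot: the BusyBox fallback pipes through bare `grep -q BusyBox` while the line above deliberately runs `${GREP_BIN}`; on a host where the `grep` in PATH is not the configured `${GREP_BIN}`, the detection inspects the wrong binary. The `BusyBox ; then` spacing and the `$( echo ... )` spacing on the `sed` line are also the forms this commit normalizes elsewhere, and the comment says `-version` where the option actually tried is `--version`.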
@@ -4059,9 +4090,11 @@ main() {
fi
# we check HTTP headers only with HTTP/HTTPS
- if [ -z "${PROTOCOL}" ] || [ "${PROTOCOL}" = 'http' ] || [ "${PROTOCOL}" = 'https' ] || [ "${PROTOCOL}" = 'h2' ] ; then
- REQUIRED_HTTP_HEADERS="${DEFAULT_REQUIRED_HTTP_HEADERS}"
- UNREQUIRED_HTTP_HEADERS="${DEFAULT_UNREQUIRED_HTTP_HEADERS}"
+ if [ -z "${IGNORE_HTTP_HEADERS}" ] ; then
+ if [ -z "${PROTOCOL}" ] || [ "${PROTOCOL}" = 'http' ] || [ "${PROTOCOL}" = 'https' ] || [ "${PROTOCOL}" = 'h2' ]; then
+ REQUIRED_HTTP_HEADERS="${DEFAULT_REQUIRED_HTTP_HEADERS}"
+ UNREQUIRED_HTTP_HEADERS="${DEFAULT_UNREQUIRED_HTTP_HEADERS}"
+ fi
fi
fi
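Review bot: the new outer `if [ -z "${IGNORE_HTTP_HEADERS}" ] ; then` keeps the `] ; then` spacing that this same commit rewrites to `]; then` on the very next line; worth normalizing so the reformatting pass does not have to touch this hunk again.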
@@ -4085,13 +4118,12 @@ main() {
# HTTP checks do only make sense with HTTP
# do not split the next line otherwise ShellCheck will fail to parse it
# see https://www.shellcheck.net/wiki/SC2235 for the { ; } syntax
- if [ -n "${FILE}" ] || { [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ]; } ; then
- if [ -n "${REQUIRED_HTTP_HEADERS}" ] || [ -n "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+ if [ -n "${FILE}" ] || { [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ]; }; then
+ if [ -n "${REQUIRED_HTTP_HEADERS}" ] || [ -n "${UNREQUIRED_HTTP_HEADERS}" ]; then
unknown "HTTP headers can only be checked with HTTP[S]"
fi
fi
-
# we need the FQDN of an host to check the CN
debuglog "Adding the domain if missing"
# - the domain does not contain a .
@@ -4121,8 +4153,8 @@ main() {
if [ -r "${HOST_CACHE}" ]; then
debuglog "Host cache ${HOST_CACHE} is present"
- if echo "${HOST}" | "${GREP_BIN}" -q -F '[' ; then
- PATTERN=$( echo "${HOST}" | sed -e 's/\[//' -e 's/\]//' )
+ if echo "${HOST}" | "${GREP_BIN}" -q -F '['; then
+ PATTERN=$(echo "${HOST}" | sed -e 's/\[//' -e 's/\]//')
else
PATTERN="^${HOST}$"
fi
@@ -4151,7 +4183,7 @@ main() {
debuglog "Forcing ${HOST} to resolve to ${RESOLVE}"
- if echo "${RESOLVE}" | "${GREP_BIN}" -q '^[a-fA-F0-9].*:' ; then
+ if echo "${RESOLVE}" | "${GREP_BIN}" -q '^[a-fA-F0-9].*:'; then
debuglog "--resolve with an IPv6 (${RESOLVE}) without brackets: adding ([${RESOLVE}])"
RESOLVE="[${RESOLVE}]"
fi
@@ -4241,7 +4273,7 @@ main() {
PYTHON_BIN="${PROG}"
# check Python major version
- if "${PYTHON_BIN}" --version 2>&1 | grep -q '^Python 2' ; then
+ if "${PYTHON_BIN}" --version 2>&1 | grep -q '^Python 2'; then
unknown "Python 2 is not supported"
fi
@@ -4261,7 +4293,7 @@ main() {
##############################################################################
# OpenSSL options
- if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ] ; then
+ if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
require_x509_option "-ext" " (required for certificate purpose)"
fi
@@ -4620,8 +4652,8 @@ main() {
# nmap does not understand brackets in IPv6 addresses
NMAP_HOST_ADDR="${HOST_ADDR}"
- if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q '^\[' ; then
- NMAP_HOST_ADDR=$( echo "${NMAP_HOST_ADDR}" | sed -e 's/^\[//' -e 's/\]$//' )
+ if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q '^\['; then
+ NMAP_HOST_ADDR=$(echo "${NMAP_HOST_ADDR}" | sed -e 's/^\[//' -e 's/\]$//')
fi
# check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch)
@@ -4631,7 +4663,7 @@ main() {
NMAP_INETPROTO='-6'
fi
- if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':' ; then
+ if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':'; then
debuglog "host specified as an IPv6 address: forcing IPv6 with nmap"
NMAP_INETPROTO='-6'
fi
@@ -4892,17 +4924,16 @@ main() {
# https://security.stackexchange.com/questions/120708/nmap-through-proxy
#
if [ -n "${http_proxy}" ] ||
- [ -n "${https_proxy}" ] ||
- [ -n "${HTTP_PROXY}" ] ||
- [ -n "${HTTPS_PROXY}" ] ||
- [ -n "${SCLIENT_PROXY}" ] ||
- [ -n "${CURL_PROXY}" ] ; then
+ [ -n "${https_proxy}" ] ||
+ [ -n "${HTTP_PROXY}" ] ||
+ [ -n "${HTTPS_PROXY}" ] ||
+ [ -n "${SCLIENT_PROXY}" ] ||
+ [ -n "${CURL_PROXY}" ]; then
DISABLE_NMAP=1
debuglog "A proxy is specified: nmap disabled"
verboselog "A proxy is specified: nmap checks disabled"
fi
-
################################################################################
# Check if openssl s_client supports the -name option
#
@@ -5002,9 +5033,9 @@ main() {
# - https://dnsinstitute.com/documentation/dnssec-guide/ch03s02.html
# - https://serverfault.com/questions/154016/querying-and-verifying-dnssec
#
- if [ -n "${REQUIRE_DNSSEC}" ] ; then
+ if [ -n "${REQUIRE_DNSSEC}" ]; then
- if [ -n "${FILE}" ] ; then
+ if [ -n "${FILE}" ]; then
unknown "--require-dnssec cannot be used with --file"
fi
@@ -5018,7 +5049,7 @@ main() {
# a lot of DNS servers have no support for DNSSEC: we use Google's public DNS
debuglog "Checking DNSSEC with ${DIG_BIN} +dnssec ${HOST} @8.8.8.8"
- DIG_OUTPUT=$( ${DIG_BIN} +dnssec "${HOST}" @8.8.8.8 )
+ DIG_OUTPUT=$(${DIG_BIN} +dnssec "${HOST}" @8.8.8.8)
if [ "${DEBUG}" -gt 0 ]; then
echo "${DIG_OUTPUT}" | sed 's/^/[DBG] /' 1>&2
@@ -5026,24 +5057,24 @@ main() {
DNSSEC_ERROR=
# check for the presence of the Authenticated Data (ad) flag in the header
- if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ';; flags:' | "${GREP_BIN}" -q 'ad[; ]' ; then
+ if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ';; flags:' | "${GREP_BIN}" -q 'ad[; ]'; then
prepend_critical_message "DNSSEC: the Authenticated Data (ad) flag is not present"
DNSSEC_ERROR=1
fi
# check the DNSSEC OK (do) flag indicating the recursive server is DNSSEC-aware
- if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ', flags:' | "${GREP_BIN}" -q 'do[; ]' ; then
+ if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" ', flags:' | "${GREP_BIN}" -q 'do[; ]'; then
prepend_critical_message "DNSSEC: the DNSSEC OK (do) flag indicating the recursive server is DNSSEC-aware is not present"
DNSSEC_ERROR=1
fi
# check for the presence of an additional resource record of type RRSIG, with the same name as the A record.
- if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" -q 'RRSIG' ; then
+ if ! echo "${DIG_OUTPUT}" | "${GREP_BIN}" -q 'RRSIG'; then
prepend_critical_message "DNSSEC: the RRSIG resource record is not present"
DNSSEC_ERROR=1
fi
- if [ -z "${DNSSEC_ERROR}" ] ; then
+ if [ -z "${DNSSEC_ERROR}" ]; then
verboselog "DNSSEC ok"
info "DNSSEC" "ok"
else
@@ -5074,10 +5105,10 @@ main() {
HTTP_VERSION="1.1"
fi
- if [ -n "${IGNORE_MAXIMUM_VALIDITY}" ] && [ -n "${MAXIMUM_VALIDITY}" ] ; then
+ if [ -n "${IGNORE_MAXIMUM_VALIDITY}" ] && [ -n "${MAXIMUM_VALIDITY}" ]; then
unknown "--ignore-maximum-validity and --maximum-validity cannot be specified at the same time"
fi
- if [ -n "${MAXIMUM_VALIDITY}" ] && ! echo "${MAXIMUM_VALIDITY}" | "${GREP_BIN}" -E -q '^[0-9][0-9]*$'; then
+ if [ -n "${MAXIMUM_VALIDITY}" ] && ! echo "${MAXIMUM_VALIDITY}" | "${GREP_BIN}" -E -q '^[0-9][0-9]*$'; then
unknown "invalid number of days '${MAXIMUM_VALIDITY}'"
fi
@@ -5089,7 +5120,7 @@ main() {
# Check for disallowed protocols
if [ -n "${DISALLOWED_PROTOCOLS}" ]; then
- if [ -n "${DISABLE_NMAP}" ] ; then
+ if [ -n "${DISABLE_NMAP}" ]; then
verboselog "Using a proxy: cannot check for disable protocols"
debuglog "Using a proxy: cannot check for disable protocols"
@@ -5192,9 +5223,9 @@ main() {
################################################################################
# Connection check
- if [ -z "${FILE}" ] ; then
+ if [ -z "${FILE}" ]; then
- if [ -n "${DISABLE_NMAP}" ] ; then
+ if [ -n "${DISABLE_NMAP}" ]; then
verboselog "Using a proxy: cannot test connection"
debuglog "Using a proxy: cannot test connection"
@@ -5205,29 +5236,29 @@ main() {
debuglog "Executing: '${NMAP_BIN} ${NMAP_INETPROTO} --unprivileged -Pn -p ${PORT} ${NMAP_HOST_ADDR}'"
- if ! ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 | "${GREP_BIN}" -q "${PORT}.*open" ; then
+ if ! ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 | "${GREP_BIN}" -q "${PORT}.*open"; then
- if [ -n "${IGNORE_CONNECTION_STATE}" ] ; then
+ if [ -n "${IGNORE_CONNECTION_STATE}" ]; then
case "${IGNORE_CONNECTION_STATE}" in
- "${STATUS_OK}")
- echo "${SHORTNAME} OK: Cannot connect to ${HOST}:${PORT}"
- exit "${STATUS_OK}"
- ;;
- "${STATUS_WARNING}")
- echo "${SHORTNAME} WARNING: Cannot connect to ${HOST}:${PORT}"
- exit "${STATUS_WARNING}"
- ;;
- "${STATUS_CRITICAL}")
- echo "${SHORTNAME} CRITICAL: Cannot connect to ${HOST}:${PORT}"
- exit "${STATUS_CRITICAL}"
- ;;
- "${STATUS_UNKNOWN}")
- critical "Cannot connect to ${HOST}:${PORT}"
- ;;
- *)
- debuglog "Ignoring connection test"
- ;;
+ "${STATUS_OK}")
+ echo "${SHORTNAME} OK: Cannot connect to ${HOST}:${PORT}"
+ exit "${STATUS_OK}"
+ ;;
+ "${STATUS_WARNING}")
+ echo "${SHORTNAME} WARNING: Cannot connect to ${HOST}:${PORT}"
+ exit "${STATUS_WARNING}"
+ ;;
+ "${STATUS_CRITICAL}")
+ echo "${SHORTNAME} CRITICAL: Cannot connect to ${HOST}:${PORT}"
+ exit "${STATUS_CRITICAL}"
+ ;;
+ "${STATUS_UNKNOWN}")
+ critical "Cannot connect to ${HOST}:${PORT}"
+ ;;
+ *)
+ debuglog "Ignoring connection test"
+ ;;
esac
else
@@ -5322,16 +5353,16 @@ main() {
####################
# check HTTP headers
- if [ -n "${REQUIRED_HTTP_HEADERS}" ] ; then
+ if [ -n "${REQUIRED_HTTP_HEADERS}" ]; then
debuglog "Checking required HTTP headers: ${REQUIRED_HTTP_HEADERS}"
- for header in $( echo "${REQUIRED_HTTP_HEADERS}" | tr ',' '\n' ) ; do
+ for header in $(echo "${REQUIRED_HTTP_HEADERS}" | tr ',' '\n'); do
check_required_http_header "${header}" "${HTTP_HEADERS_PATH}"
done
fi
- if [ -n "${UNREQUIRED_HTTP_HEADERS}" ] ; then
+ if [ -n "${UNREQUIRED_HTTP_HEADERS}" ]; then
debuglog "Checking unwanted HTTP headers: ${UNREQUIRED_HTTP_HEADERS}"
- for header in $( echo "${UNREQUIRED_HTTP_HEADERS}" | tr ',' '\n' ) ; do
+ for header in $(echo "${UNREQUIRED_HTTP_HEADERS}" | tr ',' '\n'); do
check_unrequired_http_header "${header}" "${HTTP_HEADERS_PATH}"
done
fi
@@ -5352,11 +5383,11 @@ main() {
TIMEOUT_REASON="checking TLS renegotiation"
case "${PROTOCOL}" in
pop3 | ftp | smtp | irc | ldap | imap | postgres | postgresql | sieve | xmpp | xmpp-server | mysql)
- exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -starttls ${PROTOCOL} 2>&1 | ${GREP_BIN} -F -q err"
+ exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -starttls ${PROTOCOL} 2>&1 | ${GREP_BIN} -F -q err"
RET=$?
;;
*)
- exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} 2>&1 | ${GREP_BIN} -F -q err"
+ exec_with_timeout "printf 'R\\n' | ${OPENSSL} s_client ${SECURITY_LEVEL} ${INETPROTO} -crlf -connect ${HOST_ADDR}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} 2>&1 | ${GREP_BIN} -F -q err"
RET=$?
;;
esac
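Review bot: `${SECURITY_LEVEL}` is intentionally unquoted so that `-cipher DEFAULT@SECLEVEL=n` splits into two s_client arguments, but the outcome is judged only by `${GREP_BIN} -F -q err`. A security level the server cannot satisfy makes the handshake itself fail, and that failure output also contains "err", so the renegotiation check cannot tell a refused renegotiation from a connection that never completed. Consider confirming the handshake succeeded (or matching the specific renegotiation error text) before interpreting "err".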
@@ -5507,36 +5538,36 @@ main() {
info "Fingerprint" "${FINGERPRINT_INFO}"
# only works with -ext
- if check_x509_option '-ext' ; then
+ if check_x509_option '-ext'; then
KEY_USAGE="$(extract_cert_attribute 'keyUsage' "${CERT}")"
# info
- if [ -n "${PURPOSE_CRITICAL}" ] ; then
+ if [ -n "${PURPOSE_CRITICAL}" ]; then
debuglog "Certificate purpose is defined as critical"
PURPOSE_LABEL="Purpose (critical)"
else
debuglog "Certificate purpose is not defined as critical"
PURPOSE_LABEL="Purpose"
- if [ -n "${REQUIRE_PURPOSE_CRITICAL}" ] ; then
+ if [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
prepend_critical_message "Certificate purpose is not defined as critical (as required)"
fi
fi
info "${PURPOSE_LABEL}" "${KEY_USAGE}"
# check the certificate purpose
- if [ -n "${REQUIRE_PURPOSE}" ] ; then
+ if [ -n "${REQUIRE_PURPOSE}" ]; then
debuglog "Checking certificate purpose(s)"
- while IFS= read -r purpose ; do
+ while IFS= read -r purpose; do
debuglog " Check if '${purpose}' is defined"
# the purposes are in a 'comma space' separated list
if ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}$" &&
- ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}, " &&
- ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}$" &&
- ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}, " ; then
+ ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i "^${purpose}, " &&
+ ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}$" &&
+ ! echo "${KEY_USAGE}" | "${GREP_BIN}" -q -i ", ${purpose}, "; then
prepend_critical_message "'${purpose}' is not specified as a certificate purpose"
fi
@@ -5617,12 +5648,12 @@ EOF
# 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
# i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
- matches=$( grep '^ [0-9 ] [si]:' "${CERT}" | tail -n 2 | sed 's/^[ 0-9]* [si]://' | uniq -c | wc -l )
+ matches=$(grep '^ [0-9 ] [si]:' "${CERT}" | tail -n 2 | sed 's/^[ 0-9]* [si]://' | uniq -c | wc -l)
- if [ "${matches}" -eq 1 ] ; then
+ if [ "${matches}" -eq 1 ]; then
debuglog "The root certificate is present in the chain"
verboselog "The root certificate is unnecessarily present in the delivered certificate chain"
- if [ -n "${CHECK_CHAIN}" ] ; then
+ if [ -n "${CHECK_CHAIN}" ]; then
prepend_critical_message "The root certificate is unnecessarily present in the delivered certificate chain"
fi
fi
@@ -6039,17 +6070,17 @@ EOF
# browsers usually do not complain (see #416)
# loop over the criticals
- if [ -n "${CN_EXPIRED_CRITICAL}" ] ; then
- while IFS= read -r critical ; do
+ if [ -n "${CN_EXPIRED_CRITICAL}" ]; then
+ while IFS= read -r critical; do
- CN_TMP=$( echo "${critical}" | sed 's/:.*//' )
- REPLACE_CURRENT_MESSAGE=$( echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
- MESSAGE_TMP=$( echo "${critical}" | sed 's/^[^:]*:[^:]*://' )
+ CN_TMP=$(echo "${critical}" | sed 's/:.*//')
+ REPLACE_CURRENT_MESSAGE=$(echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//')
+ MESSAGE_TMP=$(echo "${critical}" | sed 's/^[^:]*:[^:]*://')
# check if the warning is overridden by another certificate for the same CN
- if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+ if echo "${CN_OK}" | grep -q "${CN_TMP}"; then
verboselog "Both a valid and an expired certificate were found"
- if [ -n "${CHECK_CHAIN}" ] ; then
+ if [ -n "${CHECK_CHAIN}" ]; then
prepend_critical_message "Both a valid and an expired certificate were found"
fi
else
@@ -6062,17 +6093,17 @@ INPUT
fi
# loop over the warnings
- if [ -n "${CN_EXPIRED_WARNING}" ] ; then
- while IFS= read -r warning ; do
+ if [ -n "${CN_EXPIRED_WARNING}" ]; then
+ while IFS= read -r warning; do
- CN_TMP=$( echo "${warning}" | sed 's/:.*//' )
- REPLACE_CURRENT_MESSAGE=$( echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
- MESSAGE_TMP=$( echo "${warning}" | sed 's/^[^:]*:[^:]*://' )
+ CN_TMP=$(echo "${warning}" | sed 's/:.*//')
+ REPLACE_CURRENT_MESSAGE=$(echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//')
+ MESSAGE_TMP=$(echo "${warning}" | sed 's/^[^:]*:[^:]*://')
# check if the warning is overridden by another certificate for the same CN
- if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+ if echo "${CN_OK}" | grep -q "${CN_TMP}"; then
verboselog "Both a valid and an expired certificate were found"
- if [ -n "${CHECK_CHAIN}" ] ; then
+ if [ -n "${CHECK_CHAIN}" ]; then
prepend_critical_message "Both a valid and an expired certificate were found"
fi
else
@@ -6090,7 +6121,7 @@ INPUT
# Check nmap
if [ -n "${CHECK_CIPHERS}" ] || [ -n "${CHECK_CIPHERS_WARNINGS}" ]; then
- if [ -n "${DISABLE_NMAP}" ] ; then
+ if [ -n "${DISABLE_NMAP}" ]; then
verboselog "Using a proxy: cannot check ciphers"
debuglog "Using a proxy: cannot check ciphers"
@@ -6350,7 +6381,7 @@ ${WARNING}"
fi
- if [ -n "${INFO}" ] ; then
+ if [ -n "${INFO}" ]; then
# see https://stackoverflow.com/questions/6464129/certificate-subject-x-509 for additional fields that could be implemented
@@ -6369,7 +6400,7 @@ ${WARNING}"
CERT_LOCALITY="$(extract_cert_attribute 'locality' "${CERT}")"
info "Locality" "${CERT_LOCALITY}"
- KEY_LENGTH="$( extract_cert_attribute 'key_length' "${CERT}" )"
+ KEY_LENGTH="$(extract_cert_attribute 'key_length' "${CERT}")"
info "Public key length" "${KEY_LENGTH}"
fi
@@ -6457,28 +6488,28 @@ ${WARNING}"
##############################################################################
# Check total certificate validity
- if [ -z "${IGNORE_MAXIMUM_VALIDITY}" ] ; then
+ if [ -z "${IGNORE_MAXIMUM_VALIDITY}" ]; then
# we check only for HTTP protocols, files or if --maximum-validity was specified
if [ -z "${PROTOCOL}" ] ||
- [ "${PROTOCOL}" = 'https' ] ||
- [ "${PROTOCOL}" = 'h2' ] ||
- [ -n "${MAXIMUM_VALIDITY}" ] ||
- [ -n "${FILE}" ] ; then
+ [ "${PROTOCOL}" = 'https' ] ||
+ [ "${PROTOCOL}" = 'h2' ] ||
+ [ -n "${MAXIMUM_VALIDITY}" ] ||
+ [ -n "${FILE}" ]; then
- HOURS_UNTIL_END_DATE=$( hours_until "${DATE}" )
- HOURS_FROM_START_DATE=$( hours_until "${START_DATE}" )
+ HOURS_UNTIL_END_DATE=$(hours_until "${DATE}")
+ HOURS_FROM_START_DATE=$(hours_until "${START_DATE}")
# no decimals even if --precision was specified
- TOTAL_CERT_VALIDITY=$( compute "(${HOURS_UNTIL_END_DATE} - ${HOURS_FROM_START_DATE})/24" 0 )
+ TOTAL_CERT_VALIDITY=$(compute "(${HOURS_UNTIL_END_DATE} - ${HOURS_FROM_START_DATE})/24" 0)
LIMIT=397
- if [ -n "${MAXIMUM_VALIDITY}" ] ; then
+ if [ -n "${MAXIMUM_VALIDITY}" ]; then
LIMIT="${MAXIMUM_VALIDITY}"
fi
# a certificate cannot be valid for more than 13 months (397 days)
- if [ "${TOTAL_CERT_VALIDITY}" -gt "${LIMIT}" ] ; then
+ if [ "${TOTAL_CERT_VALIDITY}" -gt "${LIMIT}" ]; then
prepend_critical_message "The certificate cannot be valid for more than ${LIMIT} days (${TOTAL_CERT_VALIDITY})"
else
verboselog "The certificate validity (${TOTAL_CERT_VALIDITY}) is shorter then the maximum (${LIMIT})"
@@ -6525,7 +6556,7 @@ ${WARNING}"
elif compare "${DAYS_VALID}" '>=' 0; then
DAYS_VALID=" (expires in less than a day)"
elif compare "${DAYS_VALID}" '>=' '-1'; then
- DAYS_VALID=$(( -DAYS_VALID ))
+ DAYS_VALID=$((-DAYS_VALID))
DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
fi
fi
@@ -6663,7 +6694,7 @@ get_tds_certificate() {
create_temporary_file
PYTHON_SCRIPT=${TEMPFILE}
- cat << ____PYTHON > "${PYTHON_SCRIPT}"
+ cat <<____PYTHON >"${PYTHON_SCRIPT}"
from __future__ import print_function
import sys
import pprint
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
-.TH "check_ssl_cert" 1 "December, 2022" "2.57.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "January, 2023" "2.58.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -202,6 +202,9 @@ In case of connection problems returns OK or the optional state
.BR " --ignore-exp"
Ignore expiration date
.TP
+.BR " --ignore-http-headers"
+Ignore checks on HTTP headers with --all and --all-local
+.TP
.BR " --ignore-host-cn"
Do not complain if the CN does not match the host name
.TP
@@ -405,6 +408,9 @@ overrides option -r,--rootcert
.BR " --rsa"
Signature algorithm selection: force RSA certificate
.TP
+.BR " --security-level" " number"
+Set the security level to specified value. See SSL_CTX_set_security_level(3) for a description of what each level means
+.TP
.BR "-s,--selfsigned"
Allow self-signed certificates
.TP
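Review bot: the `--security-level` entry should state the accepted range: the option parser only accepts a single digit 0 to 5 (`grep -q '^[0-5]$'`) and the completion offers exactly those values, so `number` alone under-documents it. It would also help to say that the level is applied through the OpenSSL cipher string (`DEFAULT@SECLEVEL=n`), which is the mechanism SSL_CTX_set_security_level(3) describes.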
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.completion
=====================================
@@ -14,7 +14,7 @@ _check_ssl_cert() {
# only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
# using autocompletion.
#
- opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
+ opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-http-headers --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve --rootcert-dir --rootcert-file --rsa --serial --security-level --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
# shellcheck disable=2207
@@ -96,6 +96,12 @@ _check_ssl_cert() {
COMPREPLY=($(compgen -W "X-Powered-By X-Aspnet-Version X-XSS-Protection Server X-AspNetMvc-Version" -- "${cur}"))
;;
+ --security-level)
+
+ # shellcheck disable=2207
+ COMPREPLY=($(compgen -W "0 1 2 3 4 5" -- "${cur}"))
+ ;;
+
--port | -p)
# shellcheck disable=2207
COMPREPLY=($(compgen -W "21 22 80 443 143 993 194 994 389 587 636 3306 3391 110 995 5432 4190 25 465 5222 5269" -- "${cur}"))
@@ -103,7 +109,7 @@ _check_ssl_cert() {
--protocol | -P)
# shellcheck disable=2207
- COMPREPLY=($(compgen -W "ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server tds" -- "${cur}"))
+ COMPREPLY=($(compgen -W "dns ftp ftps http https h2 imap imaps irc ircs ldap ldaps mysql pop3 pop3s postgres sieve smtp smtps xmpp xmpp-server tds" -- "${cur}"))
;;
*) ;;
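Review bot: `dns` is added to the `--protocol` completion list, but nothing in the part of the diff shown here adds a `dns` protocol to the option parser or to the man page's protocol list; confirm the script actually accepts `--protocol dns` in 2.58.0 so that the completion does not offer a value the plugin rejects.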
=====================================
check_ssl_cert/check_ssl_cert_2.57.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.58.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%global version 2.57.0
+%global version 2.58.0
%global release 0
%global sourcename check_ssl_cert
%global packagename nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Mon Jan 16 2023 Matteo Corti <matteo at corti.li> - 2.58.0-0
+- Updated to 2.58.0
+
* Sun Dec 4 2022 Matteo Corti <matteo at corti.li> - 2.57.0-0
- Updated to 2.57.0
=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja at cyconet.org>
Recommends: bc, curl, file, openssl
Suggests: expect, iproute2, dnsutils
-Version: 2.57.0
+Version: 2.58.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases >check_ssl_cert-([0-9.]+)<
Description: plugin to check the CA and validity of an
=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_2.57.0
\ No newline at end of file
+check_ssl_cert_2.58.0/
\ No newline at end of file
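Review bot: the new `src` value gains a trailing slash (`check_ssl_cert_2.58.0/`) that the 2.57.0 value did not have; it may be harmless if the file is consumed as a path prefix, but it is an unexplained change in a version-bump commit and should be made consistent with the previous form. Both versions also still lack a trailing newline.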
View it on GitLab: https://salsa.debian.org/nagios-team/nagios-plugins-contrib/-/commit/7206c6d3cbaf774cde15b0d5556d56dd7ad40adf