[pkg-nagios-changes] [Git][nagios-team/nagios-plugins-contrib][master] check_ssl_cert: Update to 2.70.0

Jan Wagner (@waja) gitlab at salsa.debian.org
Mon Jun 12 19:44:23 BST 2023



Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / nagios-plugins-contrib


Commits:
5c7a4522 by Jan Wagner at 2023-06-12T20:41:34+02:00
check_ssl_cert: Update to 2.70.0

- - - - -


19 changed files:

- − check_ssl_cert/check_ssl_cert_2.61.0/VERSION
- check_ssl_cert/check_ssl_cert_2.61.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.70.0/AUTHORS.md
- check_ssl_cert/check_ssl_cert_2.61.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.70.0/CITATION.cff
- check_ssl_cert/check_ssl_cert_2.61.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.70.0/COPYING.md
- check_ssl_cert/check_ssl_cert_2.61.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.70.0/COPYRIGHT.md
- check_ssl_cert/check_ssl_cert_2.61.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.70.0/ChangeLog
- check_ssl_cert/check_ssl_cert_2.61.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.70.0/GNUmakefile
- check_ssl_cert/check_ssl_cert_2.61.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.70.0/INSTALL.md
- check_ssl_cert/check_ssl_cert_2.61.0/Makefile → check_ssl_cert/check_ssl_cert_2.70.0/Makefile
- check_ssl_cert/check_ssl_cert_2.61.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.70.0/NEWS.md
- check_ssl_cert/check_ssl_cert_2.61.0/README.md → check_ssl_cert/check_ssl_cert_2.70.0/README.md
- + check_ssl_cert/check_ssl_cert_2.70.0/VERSION
- check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert
- check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.1
- check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.completion
- check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.spec
- + check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert_icinga2.conf
- check_ssl_cert/control
- check_ssl_cert/src


Changes:

=====================================
check_ssl_cert/check_ssl_cert_2.61.0/VERSION deleted
=====================================
@@ -1 +0,0 @@
-2.61.0


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/AUTHORS.md → check_ssl_cert/check_ssl_cert_2.70.0/AUTHORS.md
=====================================
@@ -147,3 +147,5 @@ Maintainer: [Matteo Corti](https://github.com/matteocorti) <[matteo at corti.li](ma
 * Many thanks to [Peter](https://github.com/Peter2121) for the FreeBSD jail patch
 * Many thanks to [Marcel Burkhalter](https://github.com/marcel-burkhalter) for the path check
 * Many thanks to [Slavko](https://github.com/slavkoja) for the RSA algorithms patch
+* Many thanks to [Ben Byrne](https://github.com/benbyr) for the CRL output format patch
+* Many thanks to [Tom Geißler](https://github.com/d7031) for the Icinga configuration


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/CITATION.cff → check_ssl_cert/check_ssl_cert_2.70.0/CITATION.cff
=====================================
@@ -14,6 +14,9 @@ authors:
 - family-names: "Miśkiewicz"
   given-names: "Arkadiusz"
   website: https://github.com/arekm
+- family-names: "Byrne"
+  given-names: "Ben"
+  website: https://github.com/benbyr
 - family-names: "Strößenreuther"
   given-names: "Bernd"
   website: https://github.com/booboo-at-gluga-de
@@ -173,6 +176,9 @@ authors:
 - family-names: "Grünewald"
   given-names: "Tobias"
   website: https://github.com/tobias-gruenewald
+- family-names: "Geißler"
+  given-names: "Tom"
+  website: https://github.com/d7031
 - name: Tone
   website: https://github.com/anthonyhaussman
 - family-names: "Haarala"
@@ -248,8 +254,8 @@ authors:
   given-names: "Дилян"
   website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.61.0
-date-released: 2023-03-09
+version: 2.70.0
+date-released: 2023-05-20
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"
 keywords:


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/COPYING.md → check_ssl_cert/check_ssl_cert_2.70.0/COPYING.md
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/COPYRIGHT.md → check_ssl_cert/check_ssl_cert_2.70.0/COPYRIGHT.md
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/ChangeLog → check_ssl_cert/check_ssl_cert_2.70.0/ChangeLog
=====================================
@@ -1,3 +1,45 @@
+2023-05-23  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert: Fixed the initialization order of OPENSSL and GREP_BIN because of the proxy check
+
+2023-05-14  Matteo Corti  <matteo at corti.li>
+
+        * Added check_ssl_cert_icinga2.conf to the documentation check and distribution files. Added some missing options
+
+2023-04-25  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert (main): Fixes the protocol used by nmap if the host is resolved with /etc/hosts
+        * check_ssl_cert (check_crl): Do not convert a CRL if already in the correct format
+        * check_ssl_cert (extract_cert_attribute): Removed a PCRE grep expression (non-standard)
+
+2023-04-24  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert (main): Considers /etc/hosts for the existence checks
+
+2023-04-21  Matteo Corti  <matteo at corti.li>
+
+        * test/unit_tests.sh (testFloatingPointThresholdsExpired): Added a test for decimal critical or warning values
+          and expired certificates
+        * check_ssl_cert (extract_cert_attribute): Fix CRL output format parsing
+        * check_ssl_cert (compare): Fixed a problem with decimal critical or warning values and expired certificates
+
+2023-04-07  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert (main): Fixed the resolution of hosts with IPv6 addresses only
+
+2023-04-05  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert (main): Better (earlier) check for non-existing hosts
+
+2023-04-03  Matteo Corti  <matteo at corti.li>
+
+        * test/integration_tests.sh (testWrongHostIgnore): Ignore expiration on wrong.host.badssl.com
+
+2023-03-16  Matteo Corti  <matteo at corti.li>
+
+        * check_ssl_cert: unset TIMEOUT_REASON after the the context it should be used
+        * check_ssl_cert: added some more TIMEOUT_REASON messages
+
 2023-03-09  Matteo Corti  <matteo at corti.li>
 
         * check_ssl_cert (main): Fixed the RSA algorithms


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/GNUmakefile → check_ssl_cert/check_ssl_cert_2.70.0/GNUmakefile
=====================================
@@ -3,7 +3,7 @@ VERSION=`cat VERSION`
 DIST_DIR=$(PLUGIN)-$(VERSION)
 
 # files to be included in the distribution
-DIST_FILES=AUTHORS.md COPYING.md ChangeLog INSTALL.md Makefile GNUmakefile NEWS.md README.md VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT.md ${PLUGIN}.1 CITATION.cff check_ssl_cert.completion
+DIST_FILES=AUTHORS.md COPYING.md ChangeLog INSTALL.md Makefile GNUmakefile NEWS.md README.md VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT.md ${PLUGIN}.1 CITATION.cff check_ssl_cert.completion check_ssl_cert_icinga2.conf
 
 # this year
 YEAR=`date +"%Y"`


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/INSTALL.md → check_ssl_cert/check_ssl_cert_2.70.0/INSTALL.md
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/Makefile → check_ssl_cert/check_ssl_cert_2.70.0/Makefile
=====================================


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/NEWS.md → check_ssl_cert/check_ssl_cert_2.70.0/NEWS.md
=====================================
@@ -1,5 +1,30 @@
 # News
 
+* 2023-05-20 Version 2.70.0
+  * Added an option to skip the test to see if the host can be resolved
+  * Added an option to resolve an host using DNS over HTTP
+  * Added the Icigna2 configuration file
+* 2023-05-12 Version 2.69.0
+  * Added an option to skip the test to see if the host can be resolved
+  * Added an option to resolve an host using DNS over HTTP
+* 2023-04-28 Version 2.68.0
+  * Fixes the protocol used by nmap if the host is resolved with /etc/hosts
+  * Do not convert a CRL if already in the correct format
+  * Removed a PCRE grep expression (non-standard)
+* 2023-04-24 Version 2.67.0
+  * Considers /etc/hosts for the existence checks
+* 2023-04-21 Version 2.66.0
+  * Fixed a problem with decimal critical or warning values and expired certificates
+* 2023-04-21 Version 2.65.0
+  * Fixed CRL output format parsing
+* 2023-04-07 Version 2.64.0
+  * Fixed the resolution of hosts with IPv6 addresses only
+* 2023-04-05 Version 2.63.0
+  * Command line option to ignore SSL Labs errors (```-ignore-ssl-labs-errors```)
+  * Better checks for non-resolvable hosts
+* 2023-03-16 Version 2.62.0
+  * Fixed the output in case of timeout
+  * Fixed the ciphers with ```--rsa```
 * 2023-03-09 Version 2.61.0
   * Fixed the algorithms used by ```--rsa```
 * 2023-02-15 Version 2.60.0
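Review bot: the 2.70.0 entry repeats the first two bullets of the 2.69.0 entry verbatim and spells the product "Icigna2" (the shipped file is check_ssl_cert_icinga2.conf, so "Icinga2"); the 2.70.0 entry would read correctly with only the "Added the Icinga2 configuration file" line.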


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/README.md → check_ssl_cert/check_ssl_cert_2.70.0/README.md
=====================================
@@ -1,6 +1,6 @@
 # check\_ssl\_cert
 
- © Matteo Corti, ETH Zurich, 2007-2012.  
+ © Matteo Corti, ETH Zurich, 2007-2012.
  © Matteo Corti, 2007-2023.
 
  see [AUTHORS.md](AUTHORS.md) for the complete list of contributors
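Review bot: dropping the two trailing spaces after "2007-2012." removes the Markdown hard line break, so the two copyright lines will now render as one paragraph line instead of two; either keep the trailing double space (the usual reason such whitespace survives in a README) or end the first line with a backslash / separate the two lines with a blank line.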
@@ -11,7 +11,6 @@
 A POSIX shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection and certificate
 
 ## Usage
-
 ```text
 
 Usage: check_ssl_cert -H host [OPTIONS]
@@ -77,6 +76,7 @@ Options:
       --debug-time                 Write timing information in the
                                    debugging output
       --dig-bin path               Path of the dig binary to be used
+      --do-not-resolve             Do not check if the host can be resolved
       --dtls                       Use the DTLS protocol
       --dtls1                      Use the DTLS protocol 1.0
       --dtls1_2                    Use the DTLS protocol 1.2
@@ -141,6 +141,8 @@ Options:
       --ignore-sig-alg             Do not check if the certificate was signed
                                    with SHA1 or MD5
       --ignore-ssl-labs-cache      Force a new check by SSL Labs (see -L)
+      --ignore-ssl-labs-errors     Ignore errors if SSL Labs is not
+                                   accessible or times out
       --ignore-tls-renegotiation   Ignore the TLS renegotiation check
       --inetproto protocol         Force IP version 4 or 6
       --info                       Print certificate information
@@ -231,6 +233,8 @@ Options:
       --require-purpose usage      Require the specified key usage (can be
                                    specified more then once)
       --require-purpose-critical   The key usage must be critical
+      --resolve-over-http [server] Resolve the host over HTTP using Google or
+                                   the specified server
       --resolve ip                 Provide a custom IP address for the
                                    specified host
       --rootcert-dir path          Root directory to be used for certificate
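Review bot: the `--resolve-over-http [server]` help text should say explicitly that, when no server is given, the monitored hostname is sent to a third-party resolver (Google), so operators of monitoring hosts that must not leak internal names can decide whether to pass their own server or use `--do-not-resolve`; "Resolve the host over HTTP using Google or the specified server" does not make the data flow obvious.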
@@ -327,7 +331,6 @@ Deprecated options:
                                    (see: --ssl2 or --ssl3)
 
 Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
-
 ```
 
 ## Configuration


=====================================
check_ssl_cert/check_ssl_cert_2.70.0/VERSION
=====================================
@@ -0,0 +1 @@
+2.70.0


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert
=====================================
@@ -31,7 +31,7 @@
 ################################################################################
 # Constants
 
-VERSION=2.61.0
+VERSION=2.70.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -106,6 +106,8 @@ fetch_http_headers() {
 
     if [ -z "${CACHED_HEADERS}" ]; then
 
+        TIMEOUT_REASON='Fetching HTTP headers'
+
         debuglog "Fetching headers"
 
         create_temporary_file
@@ -141,6 +143,8 @@ fetch_http_headers() {
             cp "${CACHED_HEADERS}" headers.txt
         fi
 
+        unset TIMEOUT_REASON
+
     fi
 
 }
@@ -270,6 +274,7 @@ usage() {
     echo "      --debug-time                 Write timing information in the"
     echo "                                   debugging output"
     echo "      --dig-bin path               Path of the dig binary to be used"
+    echo "      --do-not-resolve             Do not check if the host can be resolved"
     echo "      --dtls                       Use the DTLS protocol"
     echo "      --dtls1                      Use the DTLS protocol 1.0"
     echo "      --dtls1_2                    Use the DTLS protocol 1.2"
@@ -339,6 +344,8 @@ usage() {
     echo "      --ignore-sig-alg             Do not check if the certificate was signed"
     echo "                                   with SHA1 or MD5"
     echo "      --ignore-ssl-labs-cache      Force a new check by SSL Labs (see -L)"
+    echo "      --ignore-ssl-labs-errors     Ignore errors if SSL Labs is not"
+    echo "                                   accessible or times out"
     echo "      --ignore-tls-renegotiation   Ignore the TLS renegotiation check"
     echo "      --inetproto protocol         Force IP version 4 or 6"
     echo "      --info                       Print certificate information"
@@ -438,6 +445,8 @@ usage() {
     echo "      --require-purpose usage      Require the specified key usage (can be"
     echo "                                   specified more then once)"
     echo "      --require-purpose-critical   The key usage must be critical"
+    echo "      --resolve-over-http [server] Resolve the host over HTTP using Google or"
+    echo "                                   the specified server"
     echo "      --resolve ip                 Provide a custom IP address for the"
     echo "                                   specified host"
     echo "      --rootcert-dir path          Root directory to be used for certificate"
@@ -1309,6 +1318,7 @@ unknown() {
 #  $1 the left hand value
 #  $2 the comparison operator
 #  $3 the right hand value
+#  $4 scale: total number of decimal digits after the decimal point
 # Returns the boolean result of the comparison
 compare() {
 
@@ -1316,9 +1326,17 @@ compare() {
     op=$2
     rhv=$3
 
-    debuglog "Executing comparison '${lhv} ${op} ${rhv}'"
+    if [ -n "$4" ]; then
+        # custom scale
+        local_scale=$4
+    else
+        # default scale
+        local_scale="${SCALE}"
+    fi
+
+    debuglog "Executing comparison '${lhv} ${op} ${rhv}' (precision ${local_scale})"
 
-    comparison="$(echo "${lhv} ${op} ${rhv}" | "${BCBIN}")"
+    comparison="$(echo "scale=${local_scale};${lhv} ${op} ${rhv}" | "${BCBIN}")"
     debuglog "  bc result = ${comparison}"
 
     [ 1 -eq "${comparison}" ]
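Review bot: nothing guards against an empty or non-numeric scale; if `${SCALE}` is unset or `$4` is not a number the expression becomes `scale=;...`, bc rejects it, `${comparison}` is empty and `[ 1 -eq "" ]` prints a test error instead of returning false. Suggest validating before building the expression, e.g. `case "${local_scale}" in ''|*[!0-9]*) local_scale=0 ;; esac`. Note also that `local_scale` is an ordinary global in POSIX sh despite its name, so it leaks out of compare().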
@@ -1556,15 +1574,16 @@ extract_cert_attribute() {
         ;;
     crl_uri)
         echo "${cert_content}" | "${OPENSSL}" x509 -noout -text |
-            "${GREP_BIN}" -F -A 4 'X509v3 CRL Distribution Points' |
-            "${GREP_BIN}" -F URI |
-            sed 's/^.*URI://'
+            "${GREP_BIN}" -A 4 'X509v3 CRL Distribution Points' |
+            "${GREP_BIN}" 'URI:' |
+            sed 's/.*URI://' |
+            head -n 1
         ;;
     version)
         echo "${cert_content}" | "${OPENSSL}" x509 -noout -text | "${GREP_BIN}" Version | head -n 1 | sed 's/.*Version: //'
         ;;
 
-    sig_algo)
+    pub_key_algo)
 
         # The Signature Algorithm refers to the signature of the certificate created by the issuer
         # The Public Key Algorithm refers to the public key inside the certificate
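Review bot: the new `head -n 1` silently selects the first URI listed under CRL Distribution Points, so a certificate that lists several (for example an `ldap://` URI before an `http://` one) now hands a non-HTTP URI to the CRL download. Prefer an HTTP(S) URI when one exists and fall back to the first otherwise, e.g. `"${GREP_BIN}" -E 'URI:https?://' | sed 's/.*URI://' | head -n 1`. Dropping `-F` on the 'X509v3 CRL Distribution Points' pattern is harmless (no regex metacharacters), but `-F` on the `URI:` grep costs nothing and keeps the intent clear.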
@@ -1573,6 +1592,20 @@ extract_cert_attribute() {
 
         ALGORITHM=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public Key Algorithm' | sed -e 's/.*: //')
 
+        PUBLIC_KEY=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Signature' | sed 's/.*: //')
+
+        echo "${ALGORITHM} ${PUBLIC_KEY}"
+        ;;
+
+    sig_algo)
+
+        # The Signature Algorithm refers to the signature of the certificate created by the issuer
+        # The Public Key Algorithm refers to the public key inside the certificate
+        #
+        #  see https://security.stackexchange.com/questions/141661/whats-the-difference-between-public-key-algorithm-and-signature-algorithm-i
+
+        ALGORITHM=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Signature Algorithm' | sed -e 's/.*: //')
+
         PUBLIC_KEY=$(echo "${cert_content}" | "${OPENSSL}" "${OPENSSL_COMMAND}" -noout ${OPENSSL_PARAMS} -text | "${GREP_BIN}" -m 1 -F 'Public-Key' | sed 's/.*: //')
 
         echo "${ALGORITHM} ${PUBLIC_KEY}"
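Review bot: in the new `pub_key_algo` branch the second grep uses `-F 'Signature'`, which matches the "Signature Algorithm:" line, so the branch prints the public-key algorithm followed by the signature algorithm; the `sig_algo` branch directly below pairs 'Signature Algorithm' with 'Public-Key' (the key size), which looks like what this branch intended as well. Suggest `-F 'Public-Key'` here. Both branches also run the same `openssl ... -text` invocation twice per attribute; capturing the text output once and grepping the variable would halve the subprocesses.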
@@ -1745,6 +1778,8 @@ EOT
     else
 
         debuglog "$(printf '%s\n' eval "${command}")"
+        debuglog "  output: ${OUTFILE}"
+        debuglog "  error:  ${ERRFILE}"
 
         eval "${command}" >"${OUTFILE}" 2>"${ERRFILE}"
         RET=$?
@@ -1811,18 +1846,29 @@ check_crl() {
 
         debuglog "Certificate revocation list available (${CRL_URI})."
 
-        debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP_DER}"
+        debuglog "CRL: fetching CRL ${CRL_URI} to ${CRL_TMP}"
 
         TIMEOUT_REASON="fetching CRL"
         if [ -n "${HTTP_USER_AGENT}" ]; then
-            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${HTTP_USER_AGENT}' --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
+            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${HTTP_USER_AGENT}' --location \\\"${CRL_URI}\\\" > ${CRL_TMP}"
         else
-            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${CRL_URI}\\\" > ${CRL_TMP_DER}"
+            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${CRL_URI}\\\" > ${CRL_TMP}"
         fi
+        unset TIMEOUT_REASON
 
-        # convert DER to
-        debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
-        "${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
+
+        if "${FILE_BIN}" -L -b "${CRL_TMP}" | "${GREP_BIN}" -E -q '(data|Certificate)'; then
+
+            # convert DER to PEM
+            debuglog "Converting ${CRL_TMP} (DER) to ${CRL_TMP_PEM} (PEM)"
+            "${OPENSSL}" crl -inform DER -in "${CRL_TMP}" -outform PEM -out "${CRL_TMP_PEM}"
+
+        else
+
+            # file already in PEM format
+            CRL_TMP_PEM="${CRL_TMP}"
+
+        fi
 
         # combine the certificate and the CRL
         debuglog "Combining the certificate, the CRL and the root cert"
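Review bot: the DER/PEM decision depends on `file -L -b` describing the download as "data" or "Certificate", which varies between file/libmagic versions and also misclassifies a failed or empty download (file reports "empty", the else branch treats it as PEM and the later openssl step fails with an unrelated message). A check that does not depend on libmagic: `if "${GREP_BIN}" -q -- '-----BEGIN X509 CRL-----' "${CRL_TMP}"` then use it as PEM, otherwise convert from DER; and test `[ -s "${CRL_TMP}" ]` right after the fetch so a curl failure surfaces as its own error.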
@@ -1937,6 +1983,7 @@ check_ocsp() {
                 else
                     exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}"
                 fi
+                unset TIMEOUT_REASON
 
                 TYPE_TMP="$(${FILE_BIN} -L -b "${ISSUER_CERT_TMP}" | sed 's/.*://')"
                 debuglog "OCSP: issuer certificate type (1): ${TYPE_TMP}"
@@ -2225,6 +2272,8 @@ check_cert_end_date() {
             if compare "${ELEM_DAYS_VALID}" ">=" 0 && compare "${ELEM_DAYS_VALID}" "<" 1; then
                 DAYS_AGO='less than a day ago'
             else
+                # remove decimals
+                ELEM_DAYS_VALID=$( echo "${ELEM_DAYS_VALID}" | sed -e 's/[.].*//' )
                 DAYS_AGO="$((-ELEM_DAYS_VALID)) days ago"
             fi
             debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
@@ -2615,6 +2664,8 @@ fetch_certificate() {
 
         fi
 
+        unset TIMEOUT_REASON
+
         debuglog "storing the certificate to ${CERT}"
         TYPE_TMP="$(${FILE_BIN} -L -b "${CERT}" | sed 's/.*://')"
         debuglog "certificate type (2): ${TYPE_TMP}"
@@ -3000,6 +3051,10 @@ parse_command_line_options() {
         --debug-time)
             # start time
             DEBUG_TIME=$(date +%s)
+            # --debug-time does not make any sense without -d
+            if [ "${DEBUG}" -le 1 ] ; then
+                DEBUG=1
+            fi
             shift
             ;;
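Review bot: `[ "${DEBUG}" -le 1 ]` followed by `DEBUG=1` only changes anything when DEBUG is 0, so `-eq 0` (or `-lt 1`) states the intent more directly; the test also requires DEBUG to already hold a number at this point of option parsing, otherwise `[ "" -le 1 ]` prints an error, so make sure the initialisation precedes parse_command_line_options.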
 
@@ -3008,6 +3063,11 @@ parse_command_line_options() {
             exit
             ;;
 
+        --do-not-resolve)
+            DO_NOT_RESOLVE=1
+            shift
+            ;;
+
         # DTLS
         --dtls)
             if [ -n "${SSL_VERSION}" ]; then
@@ -3081,6 +3141,10 @@ parse_command_line_options() {
             IGNORE_SSL_LABS_CACHE="&startNew=on"
             shift
             ;;
+        --ignore-ssl-labs-errors)
+            IGNORE_SSL_LABS_ERRORS=1
+            shift
+            ;;
         --ignore-tls-renegotiation)
             IGNORE_TLS_RENEGOTIATION='1'
             shift
@@ -3721,6 +3785,7 @@ $2"
 
         ##############################
         # Variable number of arguments
+
         --dane)
 
             if [ -n "${DANE}" ]; then
@@ -3766,6 +3831,27 @@ $2"
             fi
 
             ;;
+
+        --resolve-over-http)
+
+            # dns.google.com: we use the IP in case DNS is not directly reachable
+            RESOLVE_OVER_HTTP=8.8.8.8
+
+            # check the second optional parameter if it exist
+            if [ $# -gt 1 ]; then
+                # shellcheck disable=SC2295
+                if [ "${2%${2#?}}"x = '-x' ]; then
+                    shift
+                else
+                    RESOLVE_OVER_HTTP=$2
+                    shift 2
+                fi
+            else
+                shift
+            fi
+
+            ;;
+
         --require-client-cert)
 
             REQUIRE_CLIENT_CERT=1
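Review bot: the default resolver `8.8.8.8` is an inline literal inside the option parser while the comment refers to dns.google.com; hoisting it to a named constant next to VERSION/SHORTNAME (e.g. a DEFAULT_RESOLVE_OVER_HTTP_SERVER) and printing the value in the help text would make the default visible to operators and easier to change. The `${2%${2#?}}` first-character test for a following option is fine, but a one-line comment saying "next argument starts with '-', so no server was given" would spare the next reader the decoding.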
@@ -3836,6 +3922,7 @@ $2"
             shift
             break
             ;;
+
         -*)
             # we try to check for grouped variables
             OPTION="${1}"
@@ -4156,23 +4243,300 @@ main() {
         fi
     fi
 
-    # we need the FQDN of an host to check the CN
-    debuglog "Adding the domain if missing"
-    # - the domain does not contain a .
-    # - we are not checking a file
-    # - we are not checking localhost
-    # - we are not checking an IPv6 address (which does not have dots
-    if ! echo "${HOST}" | "${GREP_BIN}" -q '[.]' && [ -z "${FILE}" ] && [ "${HOST}" != 'localhost' ] && ! echo "${HOST}" | "${GREP_BIN}" -q -F ':'; then
-        debuglog "Domain for ${HOST} missing"
-        DOMAIN=$(nslookup "${HOST}" | "${GREP_BIN}" ^Name: | head -n 1 | cut -d. -f2-)
-        if [ -z "${DOMAIN}" ]; then
-            critical "Cannot resolve ${HOST}"
+    ##############################################################################
+    # curl
+
+    if [ -z "${CURL_BIN}" ]; then
+        if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ||
+            [ -n "${OCSP}" ] ||
+            [ -n "${CRL}" ] ||
+            [ -n "${IGNORE_CONNECTION_STATE}" ] ||
+            [ -n "${FILE_URI}" ]; then
+            debuglog "curl binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}, CURL = ${CRL}, IGNORE_CONNECTION_STATE=${IGNORE_CONNECTION_STATE}, FILE_URI=${FILE_URI}"
+            debuglog "curl binary not specified"
+
+            check_required_prog curl
+            CURL_BIN=${PROG}
+
+            debuglog "curl available: ${CURL_BIN}"
+            CURL_BIN_VERSION_TMP="$(${CURL_BIN} --version)"
+            debuglog "${CURL_BIN_VERSION_TMP}"
+
+        else
+            debuglog "curl binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
+        fi
+    else
+        # we check if the provided binary actually works
+        check_required_prog "${CURL_BIN}"
+    fi
+
+    ##############################################################################
+    # OpenSSL
+    if [ -n "${OPENSSL}" ]; then
+        if [ ! -x "${OPENSSL}" ]; then
+            unknown "${OPENSSL} is not an executable"
+        fi
+    else
+        OPENSSL='openssl'
+    fi
+    check_required_prog "${OPENSSL}"
+    OPENSSL=${PROG}
+
+    ##############################################################################
+    # custom grep
+    if [ -z "${GREP_BIN}" ]; then
+        GREP_BIN='grep'
+    fi
+    check_required_prog "${GREP_BIN}"
+    GREP_BIN=${PROG}
+
+    ##############################################################################
+    # OpenSSL options
+    if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
+        require_x509_option "-ext" " (required for certificate purpose)"
+    fi
+
+    ################################################################################
+    # Check if openssl s_client supports the -proxy option
+    #
+
+    SCLIENT_PROXY=
+    SCLIENT_PROXY_ARGUMENT=
+    CURL_PROXY=
+    CURL_PROXY_ARGUMENT=
+    if [ -n "${http_proxy}" ] || [ -n "${HTTP_PROXY}" ]; then
+
+        debuglog "\$http_proxy is set: configuring the proxy settings"
+
+        if [ -n "${http_proxy}" ]; then
+            HTTP_PROXY="${http_proxy}"
+        fi
+
+        if [ -z "${https_proxy}" ]; then
+            # try to set https_proxy
+            https_proxy="${http_proxy}"
+        fi
+
+        if [ -z "${HTTPS_PROXY}" ]; then
+            # try to set HTTPS_proxy
+            HTTPS_PROXY="${HTTP_PROXY}"
+        fi
+
+        if [ -n "${CURL_BIN}" ] && ${CURL_BIN} --manual 2>&1 | "${GREP_BIN}" -F -q -- --proxy; then
+            debuglog "Adding --proxy ${HTTP_PROXY} to the curl options"
+            CURL_PROXY="--proxy"
+            CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
+        fi
+
+        if ${OPENSSL} s_client -help 2>&1 | "${GREP_BIN}" -F -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | "${GREP_BIN}" -F -q -- -proxy; then
+            SCLIENT_PROXY="-proxy"
+            SCLIENT_PROXY_ARGUMENT="$(echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//')"
+
+            debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"
+
+        else
+
+            verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"
+
+        fi
+
+    fi
+
+    if [ -n "${NO_PROXY_CURL}" ]; then
+        CURL_PROXY=''
+        CURL_PROXY_ARGUMENT=''
+    fi
+
+    if [ -n "${NO_PROXY_S_CLIENT}" ]; then
+        SCLIENT_PROXY=''
+        SCLIENT_PROXY_ARGUMENT=''
+    fi
+
+    debuglog "Proxy settings (after):"
+    debuglog "  http_proxy  = ${http_proxy}"
+    debuglog "  https_proxy = ${https_proxy}"
+    debuglog "  HTTP_PROXY  = ${HTTP_PROXY}"
+    debuglog "  HTTPS_PROXY = ${HTTPS_PROXY}"
+    debuglog "  s_client    = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
+    debuglog "  curl        = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"
+
+    # nmap doesn't work properly behind a proxy.
+    #
+    # See e.g.,
+    # https://subscription.packtpub.com/book/networking-and-servers/9781786467454/2/ch02lvl1sec37/scanning-through-proxies
+    # https://security.stackexchange.com/questions/120708/nmap-through-proxy
+    #
+    if [ -n "${http_proxy}" ] ||
+        [ -n "${https_proxy}" ] ||
+        [ -n "${HTTP_PROXY}" ] ||
+        [ -n "${HTTPS_PROXY}" ] ||
+        [ -n "${SCLIENT_PROXY}" ] ||
+        [ -n "${CURL_PROXY}" ]; then
+        DISABLE_NMAP=1
+        debuglog "A proxy is specified: nmap disabled"
+        verboselog "A proxy is specified: nmap checks disabled"
+    fi
+
+
+    # Expect (optional)
+    EXPECT="$(command -v expect 2>/dev/null)"
+    test -x "${EXPECT}" || EXPECT=""
+    if [ -z "${EXPECT}" ]; then
+        verboselog "expect not available" 2
+    else
+        verboselog "expect available (${EXPECT})" 2
+    fi
+
+    # Timeout (optional)
+    TIMEOUT_BIN="$(command -v timeout 2>/dev/null)"
+    test -x "${TIMEOUT_BIN}" || TIMEOUT_BIN=""
+    if [ -z "${TIMEOUT_BIN}" ]; then
+        verboselog "timeout not available" 2
+    else
+
+        verboselog "timeout available (${TIMEOUT_BIN})" 2
+    fi
+
+    if [ -z "${TIMEOUT_BIN}" ] && [ -z "${EXPECT}" ]; then
+        verboselog "disabling timeouts" 2
+    fi
+
+    ##############################################################################
+    # Check if the host can be resolved
+
+    if [ -n "${DO_NOT_RESOLVE}" ] && [ -n "${RESOLVE_OVER_HTTP}" ] ; then
+        unknown "--do-not-resolve and --resolve-over-http cannot be specified at the same time"
+    fi
+
+    if [ -z "${DO_NOT_RESOLVE}" ] ; then
+
+        if [ -z "${RESOLVE_OVER_HTTP}" ] ; then
+
+            ETC_HOSTS=
+            debuglog "Checking if the host is listed in /etc/hosts"
+            if "${GREP_BIN}" -q "[[:blank:]]${HOST}[[:blank:]]*$" /etc/hosts ; then
+
+                debuglog "Host listed in /etc/hosts"
+                if [ "${INETPROTO}" = '-4' ] ; then
+                    if grep -q "^[0-9.]*[[:blank:]]*${HOST}" /etc/hosts ; then
+                        ETC_HOSTS=4
+                    fi
+                elif [ "${INETPROTO}" = '-6' ] ; then
+                    if grep -q "^[a-fA-F:0-9]*[[:blank:]]*${HOST}" /etc/hosts ; then
+                        ETC_HOSTS=6
+                        NMAP_INETPROTO=-6
+                    fi
+                elif  grep -q "^[0-9.]*[[:blank:]]*${HOST}" /etc/hosts ; then
+                    ETC_HOSTS=4
+                else
+                    ETC_HOSTS=6
+                    NMAP_INETPROTO=-6
+                fi
+
+            fi
+
+            # if the host was not listed in /etc/hosts we check if there is a DNS record
+
+            if [ -z "${ETC_HOSTS}" ] ; then
+
+                debuglog "Host not found in /etc/hosts: checking DNS"
+
+                # we need the FQDN of an host to check the CN
+                # - the domain does not contain a .
+                # - we are not checking a file
+                # - we are not checking localhost
+                # - we are not checking an IPv6 address (which does not have dots)
+
+                RESOLVE_ERROR=
+
+                if ! echo "${HOST}" | "${GREP_BIN}" -q '[.]' &&
+                        [ -z "${FILE}" ] &&
+                        [ "${HOST}" != 'localhost' ] &&
+                        ! echo "${HOST}" | "${GREP_BIN}" -q -F ':'; then
+
+                    debuglog "Domain for ${HOST} missing"
+                    DOMAIN=$(nslookup "${HOST}" | "${GREP_BIN}" ^Name: | head -n 1 | cut -d. -f2-)
+                    if [ -z "${DOMAIN}" ]; then
+                        RESOLVE_ERROR="Cannot resolve ${HOST}"
+                    else
+                        debuglog "Adding domain ${DOMAIN} to ${HOST}"
+                        HOST="${HOST}.${DOMAIN}"
+                        debuglog "New host: ${HOST}"
+                    fi
+
+                fi
+
+                if [ -z "${RESOLVE_ERROR}" ] ; then
+
+                    # we do not check if localhost can be resolved since on some macOS installations
+                    # host localhost will issue an error (Host localhost not found: 3(NXDOMAIN))
+                    if ! echo "${HOST}" | grep -q ':' &&
+                            echo "${HOST}" | grep -q '[a-z]' &&
+                            [ "${HOST}" != 'localhost' ] ; then
+
+                        # we have an host name and not an IP address
+
+                        debuglog "Checking if the host (${HOST}) exists"
+                        if [ "${INETPROTO}" = '-4' ] ; then
+                            if ! host -t a "${HOST}" | grep -q 'has address' ; then
+                                RESOLVE_ERROR="Cannot resolve ${HOST} (no A record)"
+                            fi
+                        elif [ "${INETPROTO}" = '-6' ] ; then
+                            if ! host -t aaaa "${HOST}" | grep -q 'has IPv6 address' ; then
+                                RESOLVE_ERROR="Cannot resolve ${HOST} (no AAAA record)"
+                            fi
+                        else
+                            if ! host "${HOST}" | grep -q 'has .*address' ; then
+                                RESOLVE_ERROR="Cannot resolve ${HOST}"
+                            fi
+                        fi
+                    fi
+
+                fi
+
+                if [ -n "${RESOLVE_ERROR}" ] ; then
+
+                    debuglog "${RESOLVE_ERROR}"
+                    critical "${SHORTNAME} CRITICAL: ${RESOLVE_ERROR}"
+
+                fi
+
+            fi
+
+        else
+
+            # from https://superuser.com/questions/1400035/how-to-do-nslookup-or-dns-resolution-using-http-proxy
+            # How to do NSLOOKUP or DNS-resolution using HTTP-PROXY?
+
+            debuglog "Resolving using DNS over HTTP"
+
+            create_temporary_file
+            DNS_OVER_HTTP=${TEMPFILE}
+
+            TIMEOUT_REASON="Resolving over HTTP with ${RESOLVE_OVER_HTTP}"
+            exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --user-agent '${HTTP_USER_AGENT}' -H 'Content-Type: application/dns-json' https://${RESOLVE_OVER_HTTP}/resolve?name=${HOST}\\&type=A" "${DNS_OVER_HTTP}"
+
+            if [ "${DEBUG}" -ge 1 ]; then
+                jq < "${DNS_OVER_HTTP}" | sed 's/^/[DBG]   /' 1>&2
+            fi
+
+            if grep -q '"Status":0' "${DNS_OVER_HTTP}" ; then
+                debuglog "Reolved via HTTP"
+            else
+                critical "${SHORTNAME} CRITICAL: Cannot resolve ${HOST} over HTTP using ${RESOLVE_OVER_HTTP}"
+            fi
+
         fi
-        debuglog "Adding domain ${DOMAIN} to ${HOST}"
-        HOST="${HOST}.${DOMAIN}"
-        debuglog "New host: ${HOST}"
+
+    else
+
+        debuglog "Skipping the check to see if the host can be resolved"
+
     fi
 
+    ##############################################################################
+    # End of the "resolve" check
+
     # we do quick check if the argument seems an IPv6 address (no validity check)
     if echo "${HOST}" | "${GREP_BIN}" -q "^[0-9a-fA-F:]*$"; then
         debuglog "${HOST} seems an IPv6 address without []"
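Review bot: the two `grep` calls at the `host name and not an IP address` test (`if ! echo "${HOST}" | grep -q ':' && echo "${HOST}" | grep -q '[a-z]'`) use a bare `grep` while the rest of this block (and the IPv6 test just above it) goes through `"${GREP_BIN}"`, so `--grep-bin` is silently bypassed on this path; please use `"${GREP_BIN}"` consistently. In the DNS-over-HTTP branch the query is hard-coded to `type=A`, whereas the `/etc/hosts` path branches on `${INETPROTO}` to ask for A or AAAA, so `-6` hosts that only have AAAA records will be reported as unresolvable over HTTP; the branch should pick the record type from `${INETPROTO}` as well. Two smaller points: `jq < "${DNS_OVER_HTTP}"` is run in the debug block without checking that `jq` is installed, and the debug message reads "Reolved via HTTP".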
@@ -4287,14 +4651,6 @@ main() {
     check_required_prog "${FILE_BIN}"
     FILE_BIN=${PROG}
 
-    ##############################################################################
-    # custom grep
-    if [ -z "${GREP_BIN}" ]; then
-        GREP_BIN='grep'
-    fi
-    check_required_prog "${GREP_BIN}"
-    GREP_BIN=${PROG}
-
     ##############################################################################
     # Python is needed for TDS
     if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" = 'tds' ]; then
@@ -4311,24 +4667,6 @@ main() {
 
     fi
 
-    ##############################################################################
-    # OpenSSL
-    if [ -n "${OPENSSL}" ]; then
-        if [ ! -x "${OPENSSL}" ]; then
-            unknown "${OPENSSL} is not an executable"
-        fi
-    else
-        OPENSSL='openssl'
-    fi
-    check_required_prog "${OPENSSL}"
-    OPENSSL=${PROG}
-
-    ##############################################################################
-    # OpenSSL options
-    if [ -n "${REQUIRE_PURPOSE}" ] || [ -n "${REQUIRE_PURPOSE_CRITICAL}" ]; then
-        require_x509_option "-ext" " (required for certificate purpose)"
-    fi
-
     ##############################################################################
     # Root certificate
     if [ -n "${ROOT_CA}" ]; then
@@ -4434,31 +4772,6 @@ main() {
         debuglog "${FILE} is an URI with an authority"
     fi
 
-    # curl
-    if [ -z "${CURL_BIN}" ]; then
-        if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ||
-            [ -n "${OCSP}" ] ||
-            [ -n "${CRL}" ] ||
-            [ -n "${IGNORE_CONNECTION_STATE}" ] ||
-            [ -n "${FILE_URI}" ]; then
-            debuglog "curl binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}, CURL = ${CRL}, IGNORE_CONNECTION_STATE=${IGNORE_CONNECTION_STATE}, FILE_URI=${FILE_URI}"
-            debuglog "curl binary not specified"
-
-            check_required_prog curl
-            CURL_BIN=${PROG}
-
-            debuglog "curl available: ${CURL_BIN}"
-            CURL_BIN_VERSION_TMP="$(${CURL_BIN} --version)"
-            debuglog "${CURL_BIN_VERSION_TMP}"
-
-        else
-            debuglog "curl binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
-        fi
-    else
-        # we check if the provided binary actually works
-        check_required_prog "${CURL_BIN}"
-    fi
-
     if [ -n "${FILE}" ]; then
 
         if [ -n "${FILE_URI}" ]; then
@@ -4475,6 +4788,7 @@ main() {
             else
                 exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${FILE_URI}\\\" > ${FILE}"
             fi
+            unset TIMEOUT_REASON
 
             if [ ! -r "${FILE}" ]; then
                 critical "Cannot fetch ${FILE_URI}"
@@ -4531,8 +4845,8 @@ main() {
     if [ -n "${CRITICAL_DAYS}" ] && [ -n "${WARNING_DAYS}" ] && [ -n "${CRITICAL_SECONDS}" ] && [ -n "${WARNING_SECONDS}" ]; then
 
         # When comparing, always use values in seconds, because values in days might be floating point numbers
-        if compare "${WARNING_SECONDS}" '<=' "${CRITICAL_SECONDS}"; then
-            unknown "--warning (${WARNING_DAYS}) is less than or equal to --critical (${CRITICAL_DAYS})"
+        if compare "${WARNING_SECONDS}" '<' "${CRITICAL_SECONDS}"; then
+            unknown "--warning (${WARNING_DAYS}) is less than --critical (${CRITICAL_DAYS})"
         fi
 
     fi
@@ -4628,7 +4942,7 @@ main() {
             # see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
             # see https://github.com/matteocorti/check_ssl_cert/issues/167
             # see https://github.com/matteocorti/check_ssl_cert/issues/446
-            SSL_AU="RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1:RSA-PSS+SHA256"
+            SSL_AU="RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA512:RSA-PSS+SHA384"
         else
             # see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
             SSL_AU="RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"
@@ -4689,39 +5003,24 @@ main() {
         NMAP_HOST_ADDR=$(echo "${NMAP_HOST_ADDR}" | sed -e 's/^\[//' -e 's/\]$//')
     fi
 
-    # check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch)
-    debuglog "Checking IPs: host ${HOST_ADDR}"
-    if echo "${HOST_ADDR}" | "${GREP_BIN}" -q '[a-z]' && ! host "${HOST_ADDR}" | "${GREP_BIN}" -F -q ' has address '; then
-        debuglog "the host does not have an IPv4 address. Trying nmap with -6 to force IPv6 for an IPv6-only host"
-        NMAP_INETPROTO='-6'
-    fi
+    if [ -z "${ETC_HOSTS}" ] && [ "${ETC_HOSTS}" != '-4' ] ; then
 
-    if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':'; then
-        debuglog "host specified as an IPv6 address: forcing IPv6 with nmap"
-        NMAP_INETPROTO='-6'
-    fi
+        # check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch)
+        debuglog "Checking IPs: host ${HOST_ADDR}"
+        if echo "${HOST_ADDR}" | "${GREP_BIN}" -q '[a-z]' && ! host "${HOST_ADDR}" | "${GREP_BIN}" -F -q ' has address '; then
+            debuglog "the host does not have an IPv4 address. Trying nmap with -6 to force IPv6 for an IPv6-only host"
+            NMAP_INETPROTO='-6'
+        fi
 
-    # Expect (optional)
-    EXPECT="$(command -v expect 2>/dev/null)"
-    test -x "${EXPECT}" || EXPECT=""
-    if [ -z "${EXPECT}" ]; then
-        verboselog "expect not available" 2
-    else
-        verboselog "expect available (${EXPECT})" 2
-    fi
+        if echo "${NMAP_HOST_ADDR}" | "${GREP_BIN}" -q ':'; then
+            debuglog "host specified as an IPv6 address: forcing IPv6 with nmap"
+            NMAP_INETPROTO='-6'
+        fi
 
-    # Timeout (optional)
-    TIMEOUT_BIN="$(command -v timeout 2>/dev/null)"
-    test -x "${TIMEOUT_BIN}" || TIMEOUT_BIN=""
-    if [ -z "${TIMEOUT_BIN}" ]; then
-        verboselog "timeout not available" 2
     else
 
-        verboselog "timeout available (${TIMEOUT_BIN})" 2
-    fi
+        debuglog "Hosts resolved to an IPv4 address with /etc/hosts"
 
-    if [ -z "${TIMEOUT_BIN}" ] && [ -z "${EXPECT}" ]; then
-        verboselog "disabling timeouts" 2
     fi
 
     PERL="$(command -v perl 2>/dev/null)"
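Review bot: the new guard `if [ -z "${ETC_HOSTS}" ] && [ "${ETC_HOSTS}" != '-4' ]` has a dead second test: when `${ETC_HOSTS}` is empty it can never equal `-4`, so the condition reduces to `[ -z "${ETC_HOSTS}" ]`. Judging by the resolver code earlier in this diff, which branches on `${INETPROTO}` with the values `-4`/`-6`, the intended test is probably `[ "${INETPROTO}" != '-4' ]`. The `else` branch then logs "Hosts resolved to an IPv4 address with /etc/hosts" for any non-empty `${ETC_HOSTS}`, regardless of address family, so that message is misleading as written. The removal of the `expect`/`timeout` detection and the "disabling timeouts" fallback from this spot is fine only if the same detection was moved before the first `exec_with_timeout` call; that relocation is not visible in this hunk.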
@@ -4886,84 +5185,6 @@ main() {
         unset HTTPS_PROXY
     fi
 
-    ################################################################################
-    # Check if openssl s_client supports the -proxy option
-    #
-    SCLIENT_PROXY=
-    SCLIENT_PROXY_ARGUMENT=
-    CURL_PROXY=
-    CURL_PROXY_ARGUMENT=
-    if [ -n "${http_proxy}" ] || [ -n "${HTTP_PROXY}" ]; then
-
-        if [ -n "${http_proxy}" ]; then
-            HTTP_PROXY="${http_proxy}"
-        fi
-
-        if [ -z "${https_proxy}" ]; then
-            # try to set https_proxy
-            https_proxy="${http_proxy}"
-        fi
-
-        if [ -z "${HTTPS_PROXY}" ]; then
-            # try to set HTTPS_proxy
-            HTTPS_PROXY="${HTTP_PROXY}"
-        fi
-
-        if [ -n "${CURL_BIN}" ] && ${CURL_BIN} --manual | "${GREP_BIN}" -F -q -- --proxy; then
-            debuglog "Adding --proxy ${HTTP_PROXY} to the curl options"
-            CURL_PROXY="--proxy"
-            CURL_PROXY_ARGUMENT="${HTTP_PROXY}"
-        fi
-
-        if ${OPENSSL} s_client -help 2>&1 | "${GREP_BIN}" -F -q -- -proxy || ${OPENSSL} s_client not_a_real_option 2>&1 | "${GREP_BIN}" -F -q -- -proxy; then
-            SCLIENT_PROXY="-proxy"
-            SCLIENT_PROXY_ARGUMENT="$(echo "${HTTP_PROXY}" | sed 's/.*:\/\///' | sed 's/\/$//')"
-
-            debuglog "Adding -proxy ${SCLIENT_PROXY_ARGUMENT} to the s_client options"
-
-        else
-
-            verboselog "'${OPENSSL} s_client' does not support '-proxy': HTTP_PROXY could be ignored"
-
-        fi
-
-    fi
-
-    if [ -n "${NO_PROXY_CURL}" ]; then
-        CURL_PROXY=''
-        CURL_PROXY_ARGUMENT=''
-    fi
-
-    if [ -n "${NO_PROXY_S_CLIENT}" ]; then
-        SCLIENT_PROXY=''
-        SCLIENT_PROXY_ARGUMENT=''
-    fi
-
-    debuglog "Proxy settings (after):"
-    debuglog "  http_proxy  = ${http_proxy}"
-    debuglog "  https_proxy = ${https_proxy}"
-    debuglog "  HTTP_PROXY  = ${HTTP_PROXY}"
-    debuglog "  HTTPS_PROXY = ${HTTPS_PROXY}"
-    debuglog "  s_client    = ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}"
-    debuglog "  curl        = ${CURL_PROXY} ${CURL_PROXY_ARGUMENT}"
-
-    # nmap doesn't work properly behind a proxy.
-    #
-    # See e.g.,
-    # https://subscription.packtpub.com/book/networking-and-servers/9781786467454/2/ch02lvl1sec37/scanning-through-proxies
-    # https://security.stackexchange.com/questions/120708/nmap-through-proxy
-    #
-    if [ -n "${http_proxy}" ] ||
-        [ -n "${https_proxy}" ] ||
-        [ -n "${HTTP_PROXY}" ] ||
-        [ -n "${HTTPS_PROXY}" ] ||
-        [ -n "${SCLIENT_PROXY}" ] ||
-        [ -n "${CURL_PROXY}" ]; then
-        DISABLE_NMAP=1
-        debuglog "A proxy is specified: nmap disabled"
-        verboselog "A proxy is specified: nmap checks disabled"
-    fi
-
     ################################################################################
     # Check if openssl s_client supports the -name option
     #
@@ -5266,7 +5487,17 @@ main() {
 
             debuglog "Executing: '${NMAP_BIN} ${NMAP_INETPROTO} --unprivileged -Pn -p ${PORT} ${NMAP_HOST_ADDR}'"
 
-            if ! ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 | "${GREP_BIN}" -q "${PORT}.*open"; then
+            NMAP_OUTPUT=$( ${NMAP_BIN} "${NMAP_INETPROTO}" --unprivileged -Pn -p "${PORT}" "${NMAP_HOST_ADDR}" 2>&1 )
+
+            if [ "${DEBUG}" -ge 1 ]; then
+                echo "${NMAP_OUTPUT}" | sed -e 's/^/[DBG]   //'
+            fi
+            debuglog "${GREP_BIN} -q \"${PORT}.*open\""
+            if [ "${DEBUG}" -ge 1 ]; then
+                echo "${NMAP_OUTPUT}" | "${GREP_BIN}" -q "${PORT}.*open" | sed -e 's/^/[DBG]   //'
+            fi
+
+            if ! echo "${NMAP_OUTPUT}" | "${GREP_BIN}" -q "${PORT}.*open"; then
 
                 if [ -n "${IGNORE_CONNECTION_STATE}" ]; then
 
@@ -5315,7 +5546,7 @@ main() {
     ERROR=${TEMPFILE}
 
     create_temporary_file
-    CRL_TMP_DER=${TEMPFILE}
+    CRL_TMP=${TEMPFILE}
     create_temporary_file
     CRL_TMP_PEM=${TEMPFILE}
     create_temporary_file
@@ -5421,6 +5652,7 @@ main() {
                 RET=$?
                 ;;
             esac
+            unset TIMEOUT_REASON
 
             if [ "${RET}" -eq 1 ]; then
 
@@ -5720,6 +5952,9 @@ EOF
 
     fi
 
+    PUB_KEY_ALGORITHM="$(extract_cert_attribute 'pub_key_algo' "${CERT}" | sed 's/.*: //')"
+    info "Public key algorithm" "${PUB_KEY_ALGORITHM}"
+
     SIGNATURE_ALGORITHM="$(extract_cert_attribute 'sig_algo' "${CERT}" | sed 's/.*: //')"
     info "Signature algorithm" "${SIGNATURE_ALGORITHM}"
 
@@ -5734,7 +5969,7 @@ EOF
         debuglog "FINGERPRINT= ${FINGERPRINT}"
         debuglog "OCSP_URI   = ${OCSP_URI}"
         debuglog "ISSUER_URI = ${ISSUER_URI}"
-        debuglog "${SIGNATURE_ALGORITHM}"
+        debuglog "${PUB_KEY_ALGORITHM}"
     fi
 
     if [ -n "${ISSUER_URI}" ]; then
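Review bot: replacing `debuglog "${SIGNATURE_ALGORITHM}"` with `debuglog "${PUB_KEY_ALGORITHM}"` drops the signature algorithm from the debug dump entirely, even though both values are now computed and the signature algorithm is the one most weak-algorithm diagnostics need; log both, ideally with labels like the surrounding `FINGERPRINT=`/`OCSP_URI` lines.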
@@ -5747,7 +5982,7 @@ EOF
     ISSUER_INFO="$(echo ${ISSUERS})"
     info "Issuers" "${ISSUER_INFO}"
 
-    if echo "${SIGNATURE_ALGORITHM}" | "${GREP_BIN}" -F -q "sha1"; then
+    if echo "${PUB_KEY_ALGORITHM}" | "${GREP_BIN}" -F -q "sha1"; then
 
         if [ -n "${NOSIGALG}" ]; then
 
@@ -5761,7 +5996,7 @@ EOF
 
     fi
 
-    if echo "${SIGNATURE_ALGORITHM}" | "${GREP_BIN}" -F -qi "md5"; then
+    if echo "${PUB_KEY_ALGORITHM}" | "${GREP_BIN}" -F -qi "md5"; then
 
         if [ -n "${NOSIGALG}" ]; then
 
@@ -6170,6 +6405,7 @@ INPUT
             # -Pn is needed even if we specify a port
             TIMEOUT_REASON="checking ciphers"
             exec_with_timeout "${NMAP_BIN} --unprivileged -Pn --script +ssl-enum-ciphers ${NMAP_INETPROTO} ${HOST_ADDR} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
+            unset TIMEOUT_REASON
 
             if [ "${DEBUG}" -ge 1 ]; then
                 debuglog 'nmap output:'
@@ -6262,6 +6498,8 @@ ${WARNING}"
     # Check SSL Labs
     if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ]; then
 
+        TIMEOUT_REASON='SSL Lab assesstment'
+
         create_temporary_file
         JSON=${TEMPFILE}
         debuglog "Storing the SSL Labs JSON output to ${JSON}"
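Review bot: `TIMEOUT_REASON='SSL Lab assesstment'` is user-visible (it ends up in the timeout message) and is misspelt; it should read "SSL Labs assessment".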
@@ -6284,6 +6522,10 @@ ${WARNING}"
 
             if [ "${CURL_RETURN_CODE}" -ne 0 ]; then
 
+                if [ -n "${IGNORE_SSL_LABS_ERRORS}" ] ; then
+                    break
+                fi
+
                 debuglog "curl returned ${CURL_RETURN_CODE}: ${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST_NAME}${IGNORE_SSL_LABS_CACHE}\""
 
                 critical "Error checking SSL Labs: curl returned ${CURL_RETURN_CODE}, see 'man curl' for details"
@@ -6309,6 +6551,11 @@ ${WARNING}"
 
                 case "${SSL_LABS_HOST_STATUS}" in
                 'ERROR')
+
+                    if [ -n "${IGNORE_SSL_LABS_ERRORS}" ] ; then
+                        break
+                    fi
+
                     SSL_LABS_STATUS_MESSAGE=$(sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/' "${JSON}")
                     prepend_critical_message "Error checking SSL Labs: ${SSL_LABS_STATUS_MESSAGE}"
                     break
@@ -6317,6 +6564,11 @@ ${WARNING}"
                     if ! "${GREP_BIN}" -F -q "grade" "${JSON}"; then
 
                         # Something went wrong
+
+                        if [ -n "${IGNORE_SSL_LABS_ERRORS}" ] ; then
+                            break
+                        fi
+
                         SSL_LABS_STATUS_MESSAGE=$(sed 's/.*"statusMessage":[ ]*"\([^"]*\)".*/\1/' "${JSON}")
                         prepend_critical_message "SSL Labs error: ${SSL_LABS_STATUS_MESSAGE}"
                         break
@@ -6365,6 +6617,11 @@ ${WARNING}"
                     ;;
                 *)
                     # Try to extract a message
+
+                    if [ -n "${IGNORE_SSL_LABS_ERRORS}" ] ; then
+                        break
+                    fi
+
                     SSL_LABS_ERROR_MESSAGE=$(sed 's/.*"message":[ ]*"\([^"]*\)".*/\1/' "${JSON}")
 
                     if [ -z "${SSL_LABS_ERROR_MESSAGE}" ]; then
@@ -6384,6 +6641,8 @@ ${WARNING}"
 
         done
 
+        unset TIMEOUT_REASON
+
     fi
 
     ################################################################################
@@ -6666,7 +6925,7 @@ ${WARNING}"
             PROTOCOL_TMP="$(var_for_sed PROTOCOL "${PROTOCOL}")"
             SELFSIGNEDCERT_TMP="$(var_for_sed SELFSIGNEDCERT "${SELFSIGNEDCERT}")"
             SHORTNAME_TMP="$(var_for_sed SHORTNAME "${SHORTNAME}")"
-            SIGALGO_TMP="$(var_for_sed SIGALGO "${SIGNATURE_ALGORITHM}")"
+            SIGALGO_TMP="$(var_for_sed SIGALGO "${PUB_KEY_ALGORITHM}")"
             SSL_LABS_HOST_GRADE_TMP="$(var_for_sed SSL_LABS_HOST_GRADE "${SSL_LABS_HOST_GRADE}")"
 
             echo "${FORMAT}${EXTRA_OUTPUT}" | sed \
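Review bot: `SIGALGO_TMP="$(var_for_sed SIGALGO "${PUB_KEY_ALGORITHM}")"` changes the meaning of the `%SIGALGO%` template variable, which the `--format` help text in the Icinga2 configuration below still describes alongside the other variables and which users will read as the signature algorithm; existing `--format` strings that print `%SIGALGO%` will silently start showing the key type instead. Keep `%SIGALGO%` bound to `${SIGNATURE_ALGORITHM}` and expose the new value as a separate variable if it is wanted in the output.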


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.1
=====================================
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "March, 2023" "2.61.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "May, 2023" "2.70.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -110,6 +110,9 @@ Print the default output format and exit
 .BR "   --dig-bin" " path"
 Path of the dig binary to be used
 .TP
+.BR "   --do-not-resolve"
+Do not check if the host can be resolved
+.TP
 .BR "   --dtls"
 Use the DTLS protocol
 .TP
@@ -232,6 +235,9 @@ Do not check if the certificate was signed with SHA1 or MD5
 .BR "   --ignore-ssl-labs-cache"
 Force a new check by SSL Labs (see -L)
 .TP
+.BR "   --ignore-ssl-labs-errors"
+Ignore errors if SSL Labs is not accessible or times out
+.TP
 .BR "   --ignore-tls-renegotiation"
 Ignore the TLS renegotiation check
 .TP
@@ -397,6 +403,9 @@ Require all the HTTP security headers:
 .BR "   --resolve" " ip"
 Provide a custom IP address for the specified host
 .TP
+.BR "   --resolve-over-http" " [server]"
+Resolve the host over HTTP using Google or the specified server
+.TP
 .BR "   --rootcert-dir" " dir"
 Root directory to be used for certificate validation (passed to openssl's -CApath)
 overrides option -r,--rootcert
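Review bot: the `--resolve-over-http [server]` entry should say what kind of server is accepted. The implementation earlier in this diff sends `Content-Type: application/dns-json` to `https://${RESOLVE_OVER_HTTP}/resolve?name=...&type=A` and checks for `"Status":0`, so the argument is a bare host name of a DNS-over-HTTPS endpoint that speaks the JSON resolve API, not an arbitrary HTTP proxy; "using Google" should also name the default endpoint. It is worth documenting as well that, as written, only A records are queried.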


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.completion → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.completion
=====================================
@@ -14,7 +14,7 @@ _check_ssl_cert() {
     #   only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
     #   using autocompletion.
     #
-    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-http-headers --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --security-level --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
+    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --do-not-resolve --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --jks-alias --ignore-connection-problems --ignore-exp --ignore-http-headers --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --path --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve --resolve-over-http --rootcert-dir --rootcert-file --rsa --serial --security-level --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning --python-bin"
 
     if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
         # shellcheck disable=2207
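Review bot: the updated `opts` list adds `--do-not-resolve` and `--resolve-over-http` but not `--ignore-ssl-labs-errors`, which the man page hunk in this same commit introduces; please add it so completion matches the documented options.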


=====================================
check_ssl_cert/check_ssl_cert_2.61.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert.spec
=====================================
@@ -1,4 +1,4 @@
-%global version          2.61.0
+%global version          2.70.0
 %global release          0
 %global sourcename       check_ssl_cert
 %global packagename      nagios-plugins-check_ssl_cert
@@ -54,6 +54,33 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Tue May  30 2023 Matteo Corti <matteo at corti.li> - 2.70.0-0
+- Updated to 2.70.0
+
+* Fri May  12 2023 Matteo Corti <matteo at corti.li> - 2.69.0-0
+- Updated to 2.69.0
+
+* Fri Apr  28 2023 Matteo Corti <matteo at corti.li> - 2.68.0-0
+- Updated to 2.68.0
+
+* Mon Apr  24 2023 Matteo Corti <matteo at corti.li> - 2.67.0-0
+- Updated to 2.67.0
+
+* Fri Apr  21 2023 Matteo Corti <matteo at corti.li> - 2.66.0-0
+- Updated to 2.66.0
+
+* Fri Apr  21 2023 Matteo Corti <matteo at corti.li> - 2.65.0-0
+- Updated to 2.65.0
+
+* Fri Apr   7 2023 Matteo Corti <matteo at corti.li> - 2.64.0-0
+- Updated to 2.64.0
+
+* Wed Apr   5 2023 Matteo Corti <matteo at corti.li> - 2.63.0-0
+- Updated to 2.63.0
+
+* Thu Mar  16 2023 Matteo Corti <matteo at corti.li> - 2.62.0-0
+- Updated to 2.62.0
+
 * Thu Mar   9 2023 Matteo Corti <matteo at corti.li> - 2.61.0-0
 - Updated to 2.61.0
 


=====================================
check_ssl_cert/check_ssl_cert_2.70.0/check_ssl_cert_icinga2.conf
=====================================
@@ -0,0 +1,709 @@
+object CheckCommand "ssl_cert_extended" {
+	import "plugin-check-command"
+
+	command = [ PluginDir + "/check_ssl_cert.sh" ]
+
+	arguments = {
+		"--file" = {
+			value = "$ssl_cert_extended_file$"
+			description = "Local file path or URI. With -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period or a Java KeyStore file"
+		}
+
+		"--host" = {
+			value = "$ssl_cert_extended_host$"
+			description = "Server"
+		}
+
+		"--noauth" = {
+			set_if = "$ssl_cert_extended_noauth$"
+			description = "Ignore authority warnings (expiration only)"
+		}
+
+		"--all" = {
+			set_if = "$ssl_cert_extended_all$"
+			description = "Enable all the possible optional checks at the maximum level"
+		}
+
+		"--all-local" = {
+			set_if = "$ssl_cert_extended_all_local$"
+			description = "Enable all the possible optional checks at the maximum level (without SSL-Labs)"
+		}
+
+		"--allow-empty-san" = {
+			set_if = "$ssl_cert_extended_allow_empty_san$"
+			description = "Allow certificates without Subject Alternative Names (SANs)"
+		}
+
+		"--clientcert" = {
+			value = "$ssl_cert_extended_clientcert$"
+			description = "Use client certificate to authenticate"
+		}
+
+		"--critical" = {
+			value = "$ssl_cert_extended_critical$"
+			description = "Minimum number of days a certificate has to be valid to issue a critical status. Can be a floating point number, e.g., 0.5 Default: 15"
+		}
+
+		"--check-chain" = {
+			set_if = "$ssl_cert_extended_check_chain$"
+			description = "The certificate chain cannot contain double or root certificates"
+		}
+
+		"--check-ciphers" = {
+			value = "$ssl_cert_extended_check_ciphers$"
+			description = "Check the offered ciphers"
+		}
+
+		"--check-ciphers-warnings" = {
+			set_if = "$ssl_cert_extended_check_ciphers_warnings$"
+			description = "Critical if nmap reports a warning for an offered cipher"
+		}
+
+		"--check-http-headers" = {
+			set_if = "$ssl_cert_extended_check_http_headers$"
+			description = "Check the HTTP headers for best practices"
+		}
+
+		"--check-ssl-labs-warn" = {
+			value = "$ssl_cert_extended_check_ssl_labs_warn$"
+			description = "SSL Labs grade on which to warn"
+		}
+
+		"--clientpass" = {
+			value = "$ssl_cert_extended_clientpass$"
+			description = "Set passphrase for client certificate."
+		}
+
+		"--configuration" = {
+			value = "$ssl_cert_extended_configuration$"
+			description = "Read options from the specified file"
+		}
+
+		"--crl" = {
+			set_if = "$ssl_cert_extended_crl$"
+			description = "Check revocation via CRL (requires --rootcert-file)"
+		}
+
+		"--curl-bin" = {
+			value = "$ssl_cert_extended_curl_bin$"
+			description = "Path of the curl binary to be used"
+		}
+
+		"--custom-http-header" = {
+			value = "$ssl_cert_extended_custom_http_header$"
+			description = "Custom HTTP header sent when getting the cert example: 'X-Check-Ssl-Cert: Foobar=1'"
+		}
+
+		"--default-format" = {
+			set_if = "$ssl_cert_extended_default_format$"
+			description = "Print the default output format and exit"
+		}
+
+		"--dane" = {
+			set_if = "$ssl_cert_extended_dane$"
+			description = "Verify that valid DANE records exist (since OpenSSL 1.1.0)"
+		}
+
+		"--dane 211" = {
+			set_if = "$ssl_cert_extended_dane_211$"
+			description = "Verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists"
+		}
+
+		"--dane 301" = {
+			set_if = "$ssl_cert_extended_dane_301$"
+			description = "Verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists"
+		}
+
+		"--dane 302" = {
+			set_if = "$ssl_cert_extended_dane_302$"
+			description = "Verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record exists"
+		}
+
+		"--dane 311" = {
+			set_if = "$ssl_cert_extended_dane_311$"
+			description = "Verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists"
+		}
+
+		"--dane 312" = {
+			set_if = "$ssl_cert_extended_dane_312$"
+			description = "Verify that a valid DANE-EE(3) SPKI(1) SHA2-512(1) TLSA record exists"
+		}
+
+        "--date" = {
+            set_if = "$ssl_cert_extended_date$"
+            description = "Path of the date binary to be used"
+        }
+
+		"--debug" = {
+			set_if = "$ssl_cert_extended_debug$"
+			description = "Produce debugging output (can be specified more than once)"
+		}
+
+		"--debug-cert" = {
+			set_if = "$ssl_cert_extended_debug_cert$"
+			description = "Store the retrieved certificates in the current directory"
+		}
+
+		"--debug-headers" = {
+			set_if = "$ssl_cert_extended_debug_headers$"
+			description = "Store the retrieved HTLM headers in the headers.txt file"
+		}
+
+		"--debug-file" = {
+			value = "$ssl_cert_extended_debug_file$"
+			description = "Write the debug messages to file"
+		}
+
+		"--debug-time" = {
+			set_if = "$ssl_cert_extended_debug_time$"
+			description = "Write timing information in the debugging output"
+		}
+
+		"--dig-bin" = {
+			value = "$ssl_cert_extended_dig_bin$"
+			description = "Path of the dig binary to be used"
+		}
+
+		"--do-not-resolve" = {
+			value = "$ssl_cert_extended_do_not_resolve$"
+			description = "Do not check if the host can be resolved"
+		}
+
+		"--dtls" = {
+			set_if = "$ssl_cert_extended_dtls$"
+			description = "Use the DTLS protocol"
+		}
+
+		"--dtls1" = {
+			set_if = "$ssl_cert_extended_dtls1$"
+			description = "Use the DTLS protocol 1.0"
+		}
+
+		"--dtls1_2" = {
+			set_if = "$ssl_cert_extended_dtls1_2$"
+			description = "Use the DTLS protocol 1.2"
+		}
+
+		"--email" = {
+			value = "$ssl_cert_extended_email$"
+			description = "Pattern to match the email address contained in the certificate"
+		}
+
+		"--ecdsa" = {
+			set_if = "$ssl_cert_extended_ecdsa$"
+			description = "Signature algorithm selection: force ECDSA certificate"
+		}
+
+		"--element" = {
+			value = "$ssl_cert_extended_element$"
+			description = "Check up to the N cert element from the beginning of the chain"
+		}
+
+		"--file-bin" = {
+			value = "$ssl_cert_extended_file_bin$"
+			description = "Path of the file binary to be used"
+		}
+
+		"--fingerprint" = {
+			value = "$ssl_cert_extended_fingerprint$"
+			description = "Pattern to match the SHA1-Fingerprint"
+		}
+
+		"--first-element-only" = {
+			set_if = "$ssl_cert_extended_first_element_only$"
+			description = "Verify just the first cert element, not the whole chain"
+		}
+
+		"--force-dconv-date" = {
+			set_if = "$ssl_cert_extended_force_dconv_date$"
+			description = "Force the usage of dconv for date computations"
+		}
+
+		"--force-perl-date" = {
+			set_if = "$ssl_cert_extended_force_perl_date$"
+			description = "Force the usage of dconv for date computations"
+		}
+
+		"--force-perl-date" = {
+			set_if = "$ssl_cert_extended_force_perl_date$"
+			description = "Force the usage of Perl for date computations"
+		}
+
+		"--format" = {
+			value = "$ssl_cert_extended_format$"
+			description = "Format output template on success, for example: '%SHORTNAME% OK %CN% from %CA_ISSUER_MATCHED%' list of possible variables: - %CA_ISSUER_MATCHED% - %CHECKEDNAMES% - %CN% - %DATE% - %DAYS_VALID% - %DYSPLAY_CN% - %HOST% - %OCSP_EXPIRES_IN_HOURS% - %OPENSSL_COMMAND% - %PORT% - %SELFSIGNEDCERT% - %SHORTNAME% - %SIGALGO% - %SSL_LABS_HOST_GRADE% See --default-format for the default"
+		}
+
+		"--grep-bin" = {
+			value = "$ssl_cert_extended_grep_bin$"
+			description = "Path of the grep binary to be used"
+		}
+
+		"--http-headers-path" = {
+			value = "$ssl_cert_extended_http_headers_path$"
+			description = "The path to be used to fetch HTTP headers"
+		}
+
+		"--http-use-get" = {
+			set_if = "$ssl_cert_extended_http_use_get$"
+			description = "Use GET instead of HEAD (default) for the HTTP related checks"
+		}
+
+		"--issuer" = {
+			value = "$ssl_cert_extended_issuer$"
+			description = "Pattern to match the issuer of the certificate"
+		}
+
+		"--ignore-altnames" = {
+			set_if = "$ssl_cert_extended_ignore_altnames$"
+			description = "Ignore alternative names when matching pattern specified in -n (or the host name)"
+		}
+
+		"--ignore-connection-problems" = {
+			set_if = "$ssl_cert_extended_ignore_connection_problems$"
+			description = "[state] In case of connection problems returns OK or the optional state"
+		}
+
+		"--ignore-exp" = {
+			set_if = "$ssl_cert_extended_ignore_exp$"
+			description = "Ignore expiration date"
+		}
+
+		"--ignore-http-headers" = {
+			set_if = "$ssl_cert_extended_ignore_http_headers$"
+			description = "Ignore checks on HTTP headers with --all and --all-local"
+		}
+
+		"--ignore-host-cn" = {
+			set_if = "$ssl_cert_extended_ignore_host_cn$"
+			description = "Do not complain if the CN does not match the host name"
+		}
+
+		"--ignore-incomplete-chain" = {
+			set_if = "$ssl_cert_extended_ignore_incomplete_chain$"
+			description = "Do not check chain integrity"
+		}
+
+		"--ignore-maximum-validity" = {
+			set_if = "$ssl_cert_extended_ignore_maximum_validity$"
+			description = "Ignore the certificate maximum validity"
+		}
+
+		"--ignore-ocsp" = {
+			set_if = "$ssl_cert_extended_ignore_ocsp$"
+			description = "Do not check revocation with OCSP"
+		}
+
+		"--ignore-ocsp-errors" = {
+			set_if = "$ssl_cert_extended_ignore_ocsp_errors$"
+			description = "Continue if the OCSP status cannot be checked"
+		}
+
+		"--ignore-ocsp-timeout" = {
+			set_if = "$ssl_cert_extended_ignore_ocsp_timeout$"
+			description = "Ignore OCSP result when timeout occurs while checking"
+		}
+
+		"--ignore-sct" = {
+			set_if = "$ssl_cert_extended_ignore_sct$"
+			description = "Do not check for signed certificate timestamps (SCT)"
+		}
+
+		"--ignore-sig-alg" = {
+			set_if = "$ssl_cert_extended_ignore_sig_alg$"
+			description = "Do not check if the certificate was signed with SHA1 or MD5"
+		}
+
+		"--ignore-ssl-labs-cache" = {
+			set_if = "$ssl_cert_extended_ignore_ssl_labs_cache$"
+			description = "Force a new check by SSL Labs (see -L)"
+		}
+
+		"--ignore-ssl-labs-errors" = {
+			set_if = "$ssl_cert_extended_ignore_ssl_labs_errors$"
+			description = "Ignore errors if SSL Labs is not accessible or times out"
+		}
+
+		"--ignore-tls-renegotiation" = {
+			set_if = "$ssl_cert_extended_ignore_tls_renegotiation$"
+			description = "Ignore the TLS renegotiation check"
+		}
+
+		"--inetproto" = {
+			value = "$ssl_cert_extended_inetproto$"
+			description = "Force IP version 4 or 6"
+		}
+
+		"--info" = {
+			set_if = "$ssl_cert_extended_info$"
+			description = "Print certificate information"
+		}
+
+		"--init-host-cache" = {
+			set_if = "$ssl_cert_extended_init_host_cache$"
+			description = "Initialize the host cache"
+		}
+
+		"--issuer-cert-cache" = {
+			value = "$ssl_cert_extended_issuer_cert_cache$"
+			description = "Directory where to store issuer certificates cache"
+		}
+
+		"--jks-alias" = {
+			value = "$ssl_cert_extended_jks_alias$"
+			description = "Alias name of the Java KeyStore entry (requires --file)"
+		}
+
+		"--clientkey" = {
+			value = "$ssl_cert_extended_clientkey$"
+			description = "Use client certificate key to authenticate"
+		}
+
+		"--check-ssl-labs" = {
+			value = "$ssl_cert_extended_check_ssl_labs$"
+			description = "SSL Labs assessment (please check https://www.ssllabs.com/about/terms.html)"
+		}
+
+		"--long-output" = {
+			value = "$ssl_cert_extended_long_output$"
+			description = "Append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes."
+		}
+
+		"--match" = {
+			value = "$ssl_cert_extended_match$"
+			description = "Pattern to match the CN or AltName (can be specified multiple times)"
+		}
+
+		"--maximum-validity" = {
+			value = "$ssl_cert_extended_maximum_validity$"
+			description = "The maximum validity of the certificate must not exceed 'days' (default 397) This check is automatic for HTTPS"
+		}
+
+		"--nmap-bin" = {
+			value = "$ssl_cert_extended_nmap_bin$"
+			description = "Path of the nmap binary to be used"
+		}
+
+		"--no-perf" = {
+			set_if = "$ssl_cert_extended_no_perf$"
+			description = "Do not show performance data"
+		}
+
+		"--no-proxy" = {
+			set_if = "$ssl_cert_extended_no_proxy$"
+			description = "Ignore the http_proxy and https_proxy environment variables"
+		}
+
+		"--no-proxy-curl" = {
+			set_if = "$ssl_cert_extended_no_proxy_curl$"
+			description = "Ignore the http_proxy and https_proxy environment variables for curl"
+		}
+
+		"--no-proxy-s_client" = {
+			set_if = "$ssl_cert_extended_no_proxy_s_client$"
+			description = "Ignore the http_proxy and https_proxy environment variables for openssl s_client"
+		}
+
+		"--no-ssl2" = {
+			set_if = "$ssl_cert_extended_no_ssl2$"
+			description = "Disable SSL version 2"
+		}
+
+		"--no-ssl3" = {
+			set_if = "$ssl_cert_extended_no_ssl3$"
+			description = "Disable SSL version 3"
+		}
+
+		"--no-tls1" = {
+			set_if = "$ssl_cert_extended_no_tls1$"
+			description = "Disable TLS version 1"
+		}
+
+		"--no-tls1_1" = {
+			set_if = "$ssl_cert_extended_no_tls1_1$"
+			description = "Disable TLS version 1.1"
+		}
+
+        "--no-tls1_2" = {
+			set_if = "$ssl_cert_extended_no_tls1_2$"
+			description = "Disable TLS version 1.2"
+		}
+
+		"--no-tls1_3" = {
+			set_if = "$ssl_cert_extended_no_tls1_3$"
+			description = "Disable TLS version 1.3"
+		}
+
+		"--not-issued-by" = {
+			value = "$ssl_cert_extended_not_issued_by$"
+			description = "Check that the issuer of the certificate does not match the given pattern"
+		}
+
+		"--not-valid-longer-than" = {
+			value = "$ssl_cert_extended_not_valid_longer_than$"
+			description = "Critical if the certificate validity is longer than the specified period"
+		}
+
+		"--org" = {
+			value = "$ssl_cert_extended_org$"
+			description = "Pattern to match the organization of the certificate"
+		}
+
+		"--ocsp-critical" = {
+			value = "$ssl_cert_extended_ocsp_critical$"
+			description = "Minimum number of hours an OCSP response has to be valid to issue a critical status"
+		}
+
+		"--ocsp-warning" = {
+			value = "$ssl_cert_extended_ocsp_warning$"
+			description = "Minimum number of hours an OCSP response has to be valid to issue a warning status"
+		}
+
+		"--openssl" = {
+			value = "$ssl_cert_extended_openssl$"
+			description = "Path of the openssl binary to be used"
+		}
+
+		"--path" = {
+			value = "$ssl_cert_extended_path$"
+			description = "Set the PATH variable to 'path'"
+		}
+
+		"--port" = {
+			value = "$ssl_cert_extended_port$"
+			description = "TCP port (default 443)"
+		}
+
+		"--precision" = {
+			value = "$ssl_cert_extended_precision$"
+			description = "Number of decimal places for durations:defaults to 0 if critical or warning are integers, 2 otherwise"
+		}
+
+		"--protocol" = {
+			value = "$ssl_cert_extended_protocol$"
+			description = "Use the specific protocol: dns, ftp, ftps, http, https (default), h2 (HTTP/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3, pop3s, postgres, sieve, smtp, smtps, tds, xmpp, xmpp-server. ftp, imap, irc, ldap, pop3, postgres, sieve, smtp: switch to TLS using StartTLS"
+		}
+
+		"--password" = {
+			value = "$ssl_cert_extended_password$"
+			description = "Password source for a local certificate, see the PASS PHRASE ARGUMENTS section openssl(1)"
+		}
+
+		"--prometheus" = {
+			set_if = "$ssl_cert_extended_prometheus$"
+			description = "Generate Prometheus/OpenMetrics output"
+		}
+
+		"--proxy" = {
+			value = "$ssl_cert_extended_proxy$"
+			description = "Set http_proxy and the s_client -proxy option"
+		}
+
+		"--python-bin" = {
+			value = "$ssl_cert_extended_python_bin$"
+			description = "Path of the python binary to be used"
+		}
+
+		"--quiet" = {
+			set_if = "$ssl_cert_extended_quiet$"
+			description = "Do not produce any output"
+		}
+
+		"--rootcert" = {
+			value = "$ssl_cert_extended_rootcert$"
+			description = "Root certificate or directory to be used for certificate validation"
+		}
+
+		"--require-client-cert" = {
+			value = "$ssl_cert_extended_require_client_cert$"
+			description = "The server must accept a client certificate. 'list' is an optional comma separated list of expected client certificate CAs"
+		}
+
+		"--require-dnssec" = {
+			set_if = "$ssl_cert_extended_require_dnssec$"
+			description = "Require DNSSEC"
+		}
+
+		"--require-http-header" = {
+			value = "$ssl_cert_extended_require_http_header$"
+			description = "Require the specified HTTP header (e.g., X-Frame-Options)"
+		}
+
+		"--require-no-http-header" = {
+			value = "$ssl_cert_extended_require_no_http_header$"
+			description = "Require the absence of the specified HTTP header (e.g., X-Powered-By)"
+		}
+
+		"--require-no-ssl2" = {
+			set_if = "$ssl_cert_extended_require_no_ssl2$"
+			description = "Critical if SSL version 2 is offered"
+		}
+
+		"--require-no-ssl3" = {
+			set_if = "$ssl_cert_extended_require_no_ssl3$"
+			description = "Critical if SSL version 3 is offered"
+		}
+
+		"--require-no-tls1" = {
+			set_if = "$ssl_cert_extended_require_no_tls1$"
+			description = "Critical if TLS 1 is offered"
+		}
+
+		"--require-no-tls1_1" = {
+			set_if = "$ssl_cert_extended_require_no_tls1_1$"
+			description = "Critical if TLS 1.1 is offered"
+		}
+
+		"--require-ocsp-stapling" = {
+			set_if = "$ssl_cert_extended_require_ocsp_stapling$"
+			description = "Require OCSP stapling"
+		}
+
+		"--require-purpose" = {
+			value = "$ssl_cert_extended_require_purpose$"
+			description = "Require the specified key usage (can be specified more then once)"
+		}
+
+		"--require-purpose-critical" = {
+			set_if = "$ssl_cert_extended_require_purpose_critical$"
+			description = "The key usage must be critical"
+		}
+
+		"--resolve" = {
+			value = "$ssl_cert_extended_resolve$"
+			description = "Provide a custom IP address for the specified host"
+		}
+
+        "--resolve-over-http" = {
+			value = "$ssl_cert_extended_resolve_over_http$"
+			description = "Resolve the host over HTTP using Google or the specified server"
+		}
+
+		"--rootcert-dir" = {
+			value = "$ssl_cert_extended_rootcert_dir$"
+			description = "Root directory to be used for certificate validation"
+		}
+
+		"--rootcert-file" = {
+			value = "$ssl_cert_extended_rootcert_file$"
+			description = "Root certificate to be used for certificate validation"
+		}
+
+		"--rsa" = {
+			set_if = "$ssl_cert_extended_rsa$"
+			description = "Signature algorithm selection: force RSA certificate"
+		}
+
+		"--security-level" = {
+			value = "$ssl_cert_extended_security_level$"
+			description = "Set the security level to specified value See SSL_CTX_set_security_level(3) for a description of what each level means"
+		}
+
+		"--selfsigned" = {
+			set_if = "$ssl_cert_extended_selfsigned$"
+			description = "Allow self-signed certificates"
+		}
+
+		"--serial" = {
+			value = "$ssl_cert_extended_serial$"
+			description = "Pattern to match the serial number"
+		}
+
+		"--skip-element" = {
+			value = "$ssl_cert_extended_skip_element$"
+			description = "Skip checks on the Nth cert element (can be specified multiple times)"
+		}
+
+		"--sni" = {
+			value = "$ssl_cert_extended_sni$"
+			description = "Set the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'"
+		}
+
+		"--ssl2" = {
+			set_if = "$ssl_cert_extended_ssl2$"
+			description = "Force SSL version 2"
+		}
+
+		"--ssl3" = {
+			set_if = "$ssl_cert_extended_ssl3$"
+			description = "Force SSL version 3"
+		}
+
+		"--timeout" = {
+			value = "$ssl_cert_extended_timeout$"
+			description = "Timeout after the specified time (defaults to 120 seconds)"
+		}
+
+		"--temp" = {
+			value = "$ssl_cert_extended_temp$"
+			description = "Directory where to store the temporary files"
+		}
+
+		"--terse" = {
+			set_if = "$ssl_cert_extended_terse$"
+			description = "Terse output"
+		}
+
+		"--tls1" = {
+			set_if = "$ssl_cert_extended_tls1$"
+			description = "Force TLS version 1"
+		}
+
+		"--tls1_1" = {
+			set_if = "$ssl_cert_extended_tls1_1$"
+			description = "Force TLS version 1.1"
+		}
+
+		"--tls1_2" = {
+			set_if = "$ssl_cert_extended_tls1_2$"
+			description = "Force TLS version 1.2"
+		}
+
+		"--tls1_3" = {
+			set_if = "$ssl_cert_extended_tls1_3$"
+			description = "Force TLS version 1.3"
+		}
+
+		"--url" = {
+			value = "$ssl_cert_extended_url$"
+			description = "HTTP request URL"
+		}
+
+		"--user-agent" = {
+			value = "$ssl_cert_extended_user_agent$"
+			description = "User agent that shall be used for HTTPS connections"
+		}
+
+        "--verbose" = {
+			value = "$ssl_cert_extended_verbose$"
+			description = "Verbose output (can be specified more than once)"
+		}
+
+		"--warning" = {
+			value = "$ssl_cert_extended_warning$"
+			description = "Minimum number of days a certificate has to be valid to issue a warning status. Can be a floating point number, e.g., 0.5 Default: 20"
+		}
+
+        "--xmpphost" = {
+			value = "$ssl_cert_extended_xmpphost$"
+			description = " Specify the host for the 'to' attribute of the stream element"
+		}
+
+		"--4" = {
+			set_if = "$ssl_cert_extended_4$"
+			description = "Force IPv4"
+		}
+
+		"--6" = {
+			set_if = "$ssl_cert_extended_6$"
+			description = "Force IPv6"
+		}
+	}
+
+	vars.ssl_cert_extended_warning = 30
+	vars.ssl_cert_extended_critical = 14
+        vars.ssl_cert_extended_require_no_ssl2	= true
+        vars.ssl_cert_extended_require_no_ssl3	= true
+        vars.ssl_cert_extended_require_no_tls1	= true
+        vars.ssl_cert_extended_require_no_tls1_1 = true
+}
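Review bot: `--force-perl-date` is declared twice in this arguments dictionary, and the first copy carries the `--force-dconv-date` description ("Force the usage of dconv for date computations"); since the later key wins in an Icinga 2 dictionary, drop the first block and keep the one whose description reads "Force the usage of Perl for date computations". Two declarations also look mismatched with their own descriptions: `--ignore-connection-problems` is a `set_if` flag while its description says it accepts an optional `[state]`, and `--verbose` is declared with `value = "$ssl_cert_extended_verbose$"` although the description reads like a repeatable flag that takes no argument; check both against the plugin's `--help` and use `set_if` (or `repeat_key`) where no argument is expected. Minor style points: `%DYSPLAY_CN%` in the `--format` description looks like a typo for `%DISPLAY_CN%`; the `--xmpphost` description starts with a stray space; and `--no-tls1_2`, `--resolve-over-http`, `--verbose`, `--xmpphost` and the trailing `vars.ssl_cert_extended_require_no_*` defaults are indented with spaces where the rest of the file uses tabs. The hardened defaults at the end (SSLv2, SSLv3, TLS 1.0 and TLS 1.1 all flagged critical, warning at 30 days instead of the plugin's 20) are a sensible baseline, but a one-line comment stating that they intentionally override the plugin defaults would spare the next maintainer a question.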


=====================================
check_ssl_cert/control
=====================================
@@ -1,7 +1,7 @@
 Uploaders: Jan Wagner <waja at cyconet.org>
 Recommends: bc, curl, file, openssl
 Suggests: expect, iproute2, dnsutils
-Version: 2.61.0
+Version: 2.70.0
 Homepage: https://github.com/matteocorti/check_ssl_cert
 Watch: https://github.com/matteocorti/check_ssl_cert/releases >check_ssl_cert-([0-9.]+)<
 Description: plugin to check the CA and validity of an
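Review bot: the Version bump to 2.70.0 is consistent with the renamed source directory, but since the new CheckCommand exposes `--nmap-bin` and `--python-bin`, consider whether `Suggests:` should list nmap and python3 alongside expect, iproute2 and dnsutils so those optional code paths work on a stock install.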


=====================================
check_ssl_cert/src
=====================================
@@ -1 +1 @@
-check_ssl_cert_2.61.0
\ No newline at end of file
+check_ssl_cert_2.70.0/
\ No newline at end of file
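Review bot: the replacement line gains a trailing slash (`check_ssl_cert_2.70.0/`) that the previous value `check_ssl_cert_2.61.0` did not have; unless the build tooling that reads `src` tolerates it, make this `check_ssl_cert_2.70.0` for consistency. The file also still ends without a newline (the `\ No newline at end of file` marker appears on both sides of the hunk), which this touch is a good moment to fix.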



View it on GitLab: https://salsa.debian.org/nagios-team/nagios-plugins-contrib/-/commit/5c7a452246c857d8dadef74df0a2f5e1793ec91e
