
Update check_ssl_cert to 1.113.0

master
Jan Wagner 3 months ago
parent commit 8c8a7701c1
24 changed files with 300 additions and 179 deletions
  1. BIN       check_ssl_cert/check_ssl_cert_1.109.0/._COPYRIGHT
  2. BIN       check_ssl_cert/check_ssl_cert_1.109.0/._Makefile
  3. BIN       check_ssl_cert/check_ssl_cert_1.109.0/._NEWS
  4. BIN       check_ssl_cert/check_ssl_cert_1.109.0/._check_ssl_cert
  5. +0 -1     check_ssl_cert/check_ssl_cert_1.109.0/VERSION
  6. +4 -1     check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS
  7. +0 -0     check_ssl_cert/check_ssl_cert_1.113.0/COPYING
  8. +0 -0     check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT
  9. +16 -0    check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog
  10. +0 -0    check_ssl_cert/check_ssl_cert_1.113.0/INSTALL
  11. +0 -0    check_ssl_cert/check_ssl_cert_1.113.0/Makefile
  12. +5 -0    check_ssl_cert/check_ssl_cert_1.113.0/NEWS
  13. +5 -3    check_ssl_cert/check_ssl_cert_1.113.0/README.md
  14. +0 -0    check_ssl_cert/check_ssl_cert_1.113.0/TODO
  15. +1 -0    check_ssl_cert/check_ssl_cert_1.113.0/VERSION
  16. +134 -50 check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert
  17. +10 -4   check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1
  18. +13 -1   check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec
  19. BIN      check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh
  20. +0 -0    check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt
  21. +0 -0    check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt
  22. +110 -117 check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh
  23. +1 -1    check_ssl_cert/control
  24. +1 -1    check_ssl_cert/src

BIN  check_ssl_cert/check_ssl_cert_1.109.0/._COPYRIGHT


BIN  check_ssl_cert/check_ssl_cert_1.109.0/._Makefile


BIN  check_ssl_cert/check_ssl_cert_1.109.0/._NEWS


BIN  check_ssl_cert/check_ssl_cert_1.109.0/._check_ssl_cert


+0 -1  check_ssl_cert/check_ssl_cert_1.109.0/VERSION

@@ -1 +0,0 @@
1.109.0

check_ssl_cert/check_ssl_cert_1.109.0/AUTHORS → check_ssl_cert/check_ssl_cert_1.113.0/AUTHORS

@@ -90,4 +90,7 @@ Thanks:
* Many thanks to iasdeoupxe (https://github.com/iasdeoupxe) for various fixes
* Many thanks to Andre Klärner (https://github.com/klaernie) for the typos corrections
* Many thanks to Дилян Палаузов (https://github.com/dilyanpalauzov) for the DANE checks
* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix
* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix
* Many thanks to Jörg Thalheim (https://github.com/Mic92) for the xmpp-server patch
* Many thanks to Arkadiusz Miśkiewicz (https://github.com/arekm) for the OCSP timeout patch
* Many thanks to Thomas Weißschuh (https://github.com/t-8ch) for the PostgreSQL patch
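Review bot: the dupondje acknowledgement appears twice in the resulting file (two identical `* Many thanks to dupondje (https://github.com/dupondje) for the check_prog fix` lines); unless the duplicate is intentional upstream, drop one before importing.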

check_ssl_cert/check_ssl_cert_1.109.0/COPYING → check_ssl_cert/check_ssl_cert_1.113.0/COPYING


check_ssl_cert/check_ssl_cert_1.109.0/COPYRIGHT → check_ssl_cert/check_ssl_cert_1.113.0/COPYRIGHT


check_ssl_cert/check_ssl_cert_1.109.0/ChangeLog → check_ssl_cert/check_ssl_cert_1.113.0/ChangeLog

@@ -1,3 +1,19 @@
2020-05-18 Matteo Corti <matteo@corti.li>

* check_ssl_cert: Propagates the -6 switch to nmap

2020-03-26 Matteo Corti <matteo@corti.li>

* check_ssl_cert (main): show command line arguments in debug mode

2020-03-09 Matteo Corti <matteo@corti.li>

* check_ssl_cert (check_attr): new option (--not-valid-longer-than) to check if a certificate is valid longer than the specified number of days

2020-02-17 Matteo Corti <matteo@corti.li>

* check_ssl_cert (fetch_certificate): added support for xmpp-server in the STARTTLS negotiation

2020-01-07 Matteo Corti <matteo@corti.li>

* check_ssl_cert (fetch_certificate): option to force HTTP/2
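Review bot: the ChangeLog has no entry for the 1.112.0 work that the NEWS hunk (2020-04-07: timeout for OCSP queries, option to ignore timeout errors, PostgreSQL support) and the spec %changelog both record; the file jumps from 2020-03-26 to 2020-05-18 while the script hunks add `-timeout` to the `openssl ocsp` calls, `--ignore-ocsp-timeout` and the `postgres` protocol. If this mirrors upstream it can stay, otherwise add the missing entry so the three files agree.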

check_ssl_cert/check_ssl_cert_1.109.0/INSTALL → check_ssl_cert/check_ssl_cert_1.113.0/INSTALL


check_ssl_cert/check_ssl_cert_1.109.0/Makefile → check_ssl_cert/check_ssl_cert_1.113.0/Makefile


check_ssl_cert/check_ssl_cert_1.109.0/NEWS → check_ssl_cert/check_ssl_cert_1.113.0/NEWS

@@ -1,3 +1,8 @@
2020-05-19 Version 1.113.0: Fixed a bug with nmap and hosts with IPv6 addresses only
2020-04-07 Version 1.112.0: Timeout for OCSP queries and option to ignore timeout errors and PostgreSQL support
2020-03-09 Version 1.111.0: New option (--not-valid-longer-than) to check if a certificate is valid longer than the
specified number of days
2020-02-17 Version 1.110.0: Added support for xmpp-server in the STARTTLS negotiation
2020-01-07 Version 1.109.0: Option to force HTTP/2
2019-12-23 Version 1.108.0: Better error message in case of connection refused
2019-12-20 Version 1.107.0: Better error message in case of an invalid host
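Review bot: NEWS does not mention that `--check-ssl-labs-warn-grade` was renamed to `--check-ssl-labs-warn` (see the option-parser hunk in check_ssl_cert), which is the one user-visible incompatible change in this update; add a line for it. Minor: the 1.111.0 entry is wrapped over two lines while every other entry is a single line.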

check_ssl_cert/check_ssl_cert_1.109.0/README.md → check_ssl_cert/check_ssl_cert_1.113.0/README.md

@@ -89,9 +89,11 @@ Options:
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{ftp|ftps|http|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|sieve|smtp|smtps|xmpp}
http: default
ftp,imap,irc,ldap,pop3,sieve,smtp: switch to TLS using StartTLS
{ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|
postgres|sieve|smtp|smtps|xmpp|xmpp-server}
https: default
h2: forces HTTP/2
ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS
--require-no-ssl2 critical if SSL version 2 is offered
--require-no-ssl3 critical if SSL version 3 is offered
--require-no-tls1 critical if TLS 1 is offered
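Review bot: the StartTLS line `ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS` still omits xmpp and xmpp-server, although the `xmpp|xmpp-server)` branch in the fetch_certificate hunk also negotiates with `-starttls ${PROTOCOL}`; list them next to postgres so the README matches the code.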

check_ssl_cert/check_ssl_cert_1.109.0/TODO → check_ssl_cert/check_ssl_cert_1.113.0/TODO


+1 -0  check_ssl_cert/check_ssl_cert_1.113.0/VERSION

@@ -0,0 +1 @@
1.113.0

check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert

@@ -19,7 +19,7 @@
################################################################################
# Constants

VERSION=1.109.0
VERSION=1.113.0
SHORTNAME="SSL_CERT"

VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -93,6 +93,7 @@ usage() {
echo " related checks"
echo " --ignore-exp ignore expiration date"
echo " --ignore-ocsp do not check revocation with OCSP"
echo " --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking"
echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
echo " or MD5"
echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
@@ -102,7 +103,7 @@ usage() {
echo " -K,--clientkey path use client certificate key to authenticate"
echo " -L,--check-ssl-labs grade SSL Labs assessment"
echo " (please check https://www.ssllabs.com/about/terms.html)"
echo " --check-ssl-labs-warn-grade SSL-Labs grade on which to warn"
echo " --check-ssl-labs-warn grade SSL-Labs grade on which to warn"
echo " --long-output list append the specified comma separated (no spaces) list"
echo " of attributes to the plugin output on additional lines"
echo " Valid attributes are:"
@@ -118,6 +119,7 @@ usage() {
echo " --no_tls1_1 disable TLS version 1.1"
echo " --no_tls1_2 disable TLS version 1.2"
echo " --no_tls1_3 disable TLS version 1.3"
echo " --not-valid-longer-than days critical if the certificate validity is longer than the specified period"
echo " -N,--host-cn match CN with the host name"
echo " --ocsp-critical hours minimum number of hours an OCSP response has to be valid to"
echo " issue a critical status"
@@ -127,9 +129,10 @@ usage() {
echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
echo " {ftp|ftps|http|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|sieve|smtp|smtps|xmpp}"
echo " http: default"
echo " ftp,imap,irc,ldap,pop3,sieve,smtp: switch to TLS using StartTLS"
echo " {ftp|ftps|http|https|h2|imap|imaps|irc|ircs|ldap|ldaps|pop3|pop3s|postgres|sieve|smtp|smtps|xmpp|xmpp-server}"
echo " https: default"
echo " h2: forces HTTP/2"
echo " ftp,imap,irc,ldap,pop3,postgres,sieve,smtp: switch to TLS using StartTLS"
echo " --require-no-ssl2 critical if SSL version 2 is offered"
echo " --require-no-ssl3 critical if SSL version 3 is offered"
echo " --require-no-tls1 critical if TLS 1 is offered"
@@ -397,11 +400,11 @@ append_warning_message() {
fi

MSG="${SHORTNAME} WARN${tmp}: ${1}${PERFORMANCE_DATA}${LONG_OUTPUT}"
if [ "${WARNING_MSG}" = "" ]; then
WARNING_MSG="${MSG}"
fi
ALL_MSG="${ALL_MSG}\n ${MSG}"


@@ -412,7 +415,6 @@ append_warning_message() {
echo "[DBG] WARNING <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
fi

}


@@ -462,6 +464,7 @@ unknown() {
# ...
# HEREDOC
set_variable() {
# shellcheck disable=SC2016
eval "$1"'=$(cat)'
}

@@ -514,7 +517,7 @@ exec_with_timeout() {
# (in fact the value is assigned with the function set_value)
EXPECT_SCRIPT=''
TIMEOUT_ERROR_CODE=42
set_variable EXPECT_SCRIPT << EOT

set echo \"-noecho\"
@@ -523,7 +526,7 @@ set timeout ${time}
# spawn the process
spawn -noecho sh -c { ${command} }

expect {
expect {
timeout { exit ${TIMEOUT_ERROR_CODE} }
eof
}
@@ -656,7 +659,7 @@ fetch_certificate() {

RET=0
ALPN=''
# IPv6 addresses need brackets in a URI
if [ "${HOST}" != "${HOST#*[0-9].[0-9]}" ]; then
if [ -n "${DEBUG}" ] ; then
@@ -726,11 +729,15 @@ fetch_certificate() {
exec_with_timeout "${TIMEOUT}" "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
postgres)
exec_with_timeout "${TIMEOUT}" "printf 'X\0\0\0\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
sieve)
exec_with_timeout "${TIMEOUT}" "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${PORT} ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
xmpp)
xmpp|xmpp-server)
exec_with_timeout "${TIMEOUT}" "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
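Review bot: nothing guards the new `postgres)` branch against an `openssl s_client` that does not understand `-starttls postgres`; the script already probes `s_client -help` for `-name` support (later hunk) and the unit tests probe for `-xmpphost` before asserting, so an equivalent probe here would turn an unknown-STARTTLS-protocol failure from s_client into a clean UNKNOWN with a meaningful message instead of a generic connection error.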
@@ -753,7 +760,7 @@ fetch_certificate() {
if [ "${PROTOCOL}" = 'h2' ] ; then
ALPN='-alpn h2'
fi
exec_with_timeout "${TIMEOUT}" "printf '${HTTP_REQUEST}' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} ${ALPN} -connect ${HOST}:${PORT} ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
RET=$?

@@ -762,7 +769,7 @@ fetch_certificate() {
if [ -n "${DEBUG}" ] ; then

echo "[DBG] Return value of the command = ${RET}"
echo "[DBG] storing a copy of the retrieved certificate in ${TMPDIR}/${HOST}-${PORT}.crt"
cp "${CERT}" "${TMPDIR}/${HOST}-${PORT}.crt"

@@ -796,7 +803,7 @@ fetch_certificate() {
ERROR='Connection refused'
prepend_critical_message "${ERROR}"
critical "${SHORTNAME} CRITICAL: ${ERROR}"
else

# Try to clean up the error message
@@ -895,6 +902,7 @@ main() {
REQUIRE_SAN=""
REQUIRE_OCSP_STAPLING=""
OCSP="1" # enabled by default
OCSP_IGNORE_TIMEOUT=""
FORMAT=""
HTTP_METHOD="HEAD"
RSA=""
@@ -902,6 +910,10 @@ main() {
DANE=""
DISALLOWED_PROTOCOLS=""

# after 2020-09-01 we could set the default to 398 days because of Apple
# https://support.apple.com/en-us/HT211025
NOT_VALID_LONGER_THAN=""

# Set the default temp dir if not set
if [ -z "${TMPDIR}" ] ; then
TMPDIR="/tmp"
@@ -913,6 +925,8 @@ main() {
# We do not use getopts since it is unable to process long options and it is
# Bash specific.

COMMAND_LINE_ARGUMENTS=$*

while true; do

case "$1" in
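Review bot: `COMMAND_LINE_ARGUMENTS=$*` flattens the argument vector with single spaces, so the debug line that later prints it cannot distinguish `-H 'a b'` from `-H a b`; acceptable for a debug aid, but if the intent is a faithful record, build the string by iterating over `"$@"` and quoting each element.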
@@ -1052,6 +1066,10 @@ main() {
OCSP=""
shift
;;
--ignore-ocsp-timeout)
OCSP_IGNORE_TIMEOUT=1
shift
;;
--terse)
TERSE=1
shift
@@ -1147,8 +1165,8 @@ main() {
SSL_LAB_CRIT_ASSESSMENT="$2"
shift 2
;;
--check-ssl-labs-warn-grade)
check_option_argument '--check-ssl-labs-warn-grade' "$2"
--check-ssl-labs-warn)
check_option_argument '--check-ssl-labs-warn' "$2"
SSL_LAB_WARN_ASSESTMENT="$2"
shift 2
;;
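Review bot: renaming `--check-ssl-labs-warn-grade` to `--check-ssl-labs-warn` without keeping the old spelling as an alias breaks existing monitoring configurations that use it; the `case` parser makes it cheap to accept both (`--check-ssl-labs-warn|--check-ssl-labs-warn-grade)`), and the NEWS hunk should announce the rename. While these lines are being touched, `SSL_LAB_WARN_ASSESTMENT` (here and in the later numeric-comparison hunk) is misspelt; it works because it is consistent, but `SSL_LAB_WARN_ASSESSMENT` would match `SSL_LAB_CRIT_ASSESSMENT` on the line above.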
@@ -1176,6 +1194,11 @@ main() {
fi
shift 2
;;
--not-valid-longer-than)
check_option_argument '--not-valid-longer-than' "$2"
NOT_VALID_LONGER_THAN=$2
shift 2
;;
--ocsp-critical)
check_option_argument '--ocsp-critical' "$2"
OCSP_CRITICAL="$2"
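Review bot: `NOT_VALID_LONGER_THAN=$2` is the only assignment in this case block that leaves `$2` unquoted (the neighbours use `"$2"`); it is harmless because the value is validated against `^[0-9][0-9]*$` later, but quoting it keeps the parser uniform and shellcheck quiet.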
@@ -1324,12 +1347,12 @@ main() {
if [ -z "${PORT}" ] ; then

if [ -z "${PROTOCOL}" ] ; then
# default is HTTPS
PORT='443'

else
case "${PROTOCOL}" in
smtp)
PORT=25
@@ -1361,6 +1384,9 @@ main() {
imaps)
PORT=993
;;
postgres)
PORT=5432
;;
sieve)
PORT=4190
;;
@@ -1376,9 +1402,13 @@ main() {
esac

fi
fi

if [ -n "${DEBUG}" ] ; then
echo "[DBG] Command line arguments: ${COMMAND_LINE_ARGUMENTS}"
fi

################################################################################
# Set COMMON_NAME to hostname if -N was given as argument.
# COMMON_NAME may be a space separated list of hostnames.
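Review bot: `echo "[DBG] Command line arguments: ${COMMAND_LINE_ARGUMENTS}"` prints the complete argument vector, so any secret supplied as an option (the client key password that ends up in `${CLIENTPASS}` in the s_client commands) is written to the plugin's debug output and from there to whatever captures it; mask password-carrying options, or print only option names, before echoing.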
@@ -1486,6 +1516,18 @@ main() {

fi

if [ -n "${NOT_VALID_LONGER_THAN}" ] ; then

if [ -n "${DEBUG}" ] ; then
echo "[DBG] --not-valid-longer-than specified: ${NOT_VALID_LONGER_THAN}"
fi

if ! echo "${NOT_VALID_LONGER_THAN}" | grep -q '^[0-9][0-9]*$' ; then
unknown "invalid number of days ${NOT_VALID_LONGER_THAN}"
fi

fi

if [ -n "${TMPDIR}" ] ; then

if [ ! -d "${TMPDIR}" ] ; then
@@ -1515,7 +1557,7 @@ main() {
convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ]; then
unknown '--check-ssl-labs-warn-grade must be greater than -L|--check-ssl-labs'
unknown '--check-ssl-labs-warn must be greater than -L|--check-ssl-labs'
fi
fi

@@ -1608,8 +1650,8 @@ main() {
else
# we check if the provided binary actually works
check_required_prog "${NMAP_BIN}"
fi
fi
# Expect (optional)
EXPECT="$(command -v expect 2> /dev/null)"
test -x "${EXPECT}" || EXPECT=""
@@ -1752,11 +1794,11 @@ main() {
S_CLIENT_NAME=
if ${OPENSSL} s_client -help 2>&1 | grep -q -- -name || ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -name; then

HOSTNAME=$( hostname )
S_CLIENT_NAME="-name ${HOSTNAME}"
CURRENT_HOSTNAME=$( hostname )
S_CLIENT_NAME="-name ${CURRENT_HOSTNAME}"

if [ -n "${DEBUG}" ] ; then
echo "[DBG] '${OPENSSL} s_client' supports '-name': using ${HOSTNAME}"
echo "[DBG] '${OPENSSL} s_client' supports '-name': using ${CURRENT_HOSTNAME}"
fi

else
@@ -1829,6 +1871,13 @@ main() {
unknown "cannot connect using IPv6 as no local interface has IPv6 configured"
fi

# nmap does not have a -4 switch
NMAP_INETPROTO=''
if [ -n "${INETPROTO}" ] && [ "${INETPROTO}" = '-6' ] ; then
NMAP_INETPROTO='-6'
fi


fi

################################################################################
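Review bot: `NMAP_INETPROTO=''` is initialised inside an enclosing `if` block (closed by the `fi` just below the new lines), so when that branch is not taken the variable is never set before the nmap hunk expands it; move the empty default next to the other defaults at the top of main() (the hunk that adds `OCSP_IGNORE_TIMEOUT=""`) and keep only the `-6` assignment here.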
@@ -1840,18 +1889,30 @@ main() {
fi

HTTP_REQUEST="${HTTP_METHOD} / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
##############################################################################
# Check for disallowed protocols
if [ -n "${DISALLOWED_PROTOCOLS}" ] ; then

OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" --script ssl-enum-ciphers "${HOST}" | grep '^|' )
# check if the host has an IPv6 address only (as nmap is not able to resolve without the -6 switch
if ${NMAP_BIN} "${HOST}" 2>&1 | grep -q 'Failed to resolve' ; then
if [ -n "${DEBUG}" ] ; then
echo '[DBG] nmap is not able to resolve the host name. Trying with -6 to force IPv6 for an IPv6-only host'
fi
NMAP_INETPROTO='-6'
fi
if [ -n "${DEBUG}" ] ; then
echo "[DBG] Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script ssl-enum-ciphers \"${HOST}\" | grep '^|'"
fi
OFFERED_PROTOCOLS=$( ${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script ssl-enum-ciphers "${HOST}" | grep '^|' )

if [ -n "${DEBUG}" ] ; then
echo "[DBG] offered cyphers and protocols:"
echo "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'
fi
for protocol in ${DISALLOWED_PROTOCOLS} ; do
if [ -n "${DEBUG}" ] ; then
echo "[DBG] Checking if '${protocol}' is offered"
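Review bot: on the `OFFERED_PROTOCOLS=` line, `"${NMAP_INETPROTO}"` is double-quoted, so in the default/IPv4 case nmap receives a literal empty argument rather than no argument, which nmap does not treat as "no option" (it is parsed as a target); since the variable is only ever `''` or `-6`, expand it unquoted there and in the debug echo. Separately, the resolution probe `${NMAP_BIN} "${HOST}"` runs a full default nmap scan of the host merely to see whether the name resolves, doubling the runtime and the traffic; `${NMAP_BIN} -sL "${HOST}"` (list scan, no probes sent) or `-Pn -p "${PORT}"` yields the same 'Failed to resolve' signal without a second scan.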
@@ -1866,7 +1927,7 @@ main() {
done

fi
##############################################################################
# DANE

@@ -1876,7 +1937,6 @@ main() {
echo '[DBG] checking DANE'
fi

# dig can be replaced with delv, on the next eight lines, if it is working on the system, in order to verify DNSSEC
if [ -z "${DIG_BIN}" ] ; then
DIG_BIN='dig'
fi
@@ -2516,7 +2576,7 @@ main() {
fi

if [ "${OPENSSL_COMMAND}" = "x509" ]; then
# x509 certificates (default)

# We always check expired certificates
@@ -2549,9 +2609,27 @@ main() {
fi

fi

if [ -n "${NOT_VALID_LONGER_THAN}" ] ; then

if [ -n "${DEBUG}" ] ; then
echo "[DBG] checking if the certificate is valid longer than ${NOT_VALID_LONGER_THAN} days"
echo "[DBG] valid for ${DAYS_VALID} days"
fi

if [ "${DAYS_VALID}" -gt "${NOT_VALID_LONGER_THAN}" ] ; then

if [ -n "${DEBUG}" ] ; then
echo "[DBG] Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days"
fi

prepend_critical_message "Certificate expires in ${DAYS_VALID} days which is more than ${NOT_VALID_LONGER_THAN} days"
fi

fi

elif [ "${OPENSSL_COMMAND}" = "crl" ]; then
# CRL certificates

# We always check expired certificates
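Review bot: this compares `DAYS_VALID`, the days remaining until expiry (the message says 'Certificate expires in N days'), against the threshold, whereas the option is documented as 'critical if the certificate validity is longer than the specified period' and the comment in main() ties it to Apple's 398-day limit, which concerns the total validity period (notAfter minus notBefore). The two diverge once a certificate has been in use for a while: one issued 500 days ago with an 825-day validity has 325 days left and passes this check. Either compute the full validity span for this comparison or reword the option text to 'expires more than N days from now'.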
@@ -2855,28 +2933,28 @@ main() {

if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
fi
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
fi
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi

else

if [ -n "${KEYVALUE}" ] ; then
if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
fi
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
else
if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
fi
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
fi

fi
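Review bot: `-timeout "${TIMEOUT}"` reuses the overall plugin timeout for the OCSP query, so the certificate fetch (run under `exec_with_timeout "${TIMEOUT}"`) and the OCSP lookup can each consume the full budget and together exceed it; when the monitoring system enforces the same value, the OCSP step is the one that gets killed. A smaller OCSP-specific timeout, or the remaining budget, would be safer. Style: the eight command/debug lines differ only in `-host/-path` versus `-url` and the HOST header form; assembling the argument list once would avoid editing four copies for every new option.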
@@ -2885,7 +2963,13 @@ main() {
echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
fi

if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then

if [ -n "${DEBUG}" ] ; then
echo '[DBG] OCSP: Timeout on connect'
fi

elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then

if [ -n "${DEBUG}" ] ; then
echo '[DBG] OCSP: revoked'
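Review bot: with `--ignore-ocsp-timeout` set, a responder that times out falls through to the OK path with only a `[DBG]` line recording it, so a revoked certificate behind an unreachable responder is reported healthy indefinitely; emitting at least a WARNING (via `append_warning_message`) keeps the degraded check visible to operators. The detection also hinges on the literal string 'timeout on connect' in OpenSSL's stderr; note in a comment which OpenSSL versions produce that text, or also check the exit status, so a wording change does not silently disable the branch.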
@@ -2902,25 +2986,25 @@ main() {
if [ -n "${HTTP_PROXY:-}" ] ; then

if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi

if [ -n "${OCSP_HEADER}" ] ; then
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
fi

else

if [ -n "${DEBUG}" ] ; then
echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
echo "[DBG] executing ${OPENSSL} ocsp -timeout \"${TIMEOUT}\" -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
fi

if [ -n "${OCSP_HEADER}" ] ; then
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
else
OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
OCSP_RESP="$(${OPENSSL} ocsp -timeout "${TIMEOUT}" -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
fi

fi
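Review bot: the debug line `-cert \"${CERT}]\"` carries a stray `]` after `${CERT}` (inherited from the line it replaces); since the line is being rewritten anyway, drop it so the echoed command matches what the line below actually executes.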

check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.1

@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
.TH "check_ssl_cert" 1 "January, 2020" "1.109.0" "USER COMMANDS"
.TH "check_ssl_cert" 1 "May, 2020" "1.113.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -93,6 +93,9 @@ ignore expiration date
.BR " --ignore-ocsp"
do not check revocation with OCSP
.TP
.BR " --ignore-ocsp-timeout"
ignore OCSP result when timeout occurs while checking
.TP
.BR " --ignore-sig-alg"
do not check if the certificate was signed with SHA1 or MD5
.TP
@@ -109,9 +112,9 @@ pattern to match the issuer of the certificate
use client certificate key to authenticate
.TP
.BR "-L,--check-ssl-labs grade"
SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html). Critical if the grade is lower than specified.
.TP
.BR " --check-ssl-warn-labs grade"
.BR " --check-ssl-labs-warn grade"
SSL Labs grade on which to warn
.TP
.BR " --long-output" " list"
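Review bot: 'assestment' on the rewritten `-L,--check-ssl-labs` description is a typo for 'assessment'; fix it while the line is being changed.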
@@ -139,6 +142,9 @@ disable TLS version 1.3
.BR " --no_tls1_2"
disable TLS version 1.2
.TP
.BR " --not-valid-longer-than" " days"
critical if the certificate validity is longer than the specified period
.TP
.BR "-N,--host-cn"
match CN with the host name
.TP
@@ -158,7 +164,7 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
use the specific protocol: ftp, ftps, http (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, sieve, smtp, smtps, xmpp.
use the specific protocol: ftp, ftps, http, https (default), h2 (http/2), imap, imaps, irc, ircs, ldap, ldaps, pop3, pop3s, postgres, sieve, smtp, smtps, xmpp, xmpp-server.
.br
These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.
.TP
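Review bot: the `.br` sentence 'These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.' was not updated together with the protocol list: postgres (added on the line above), sieve and xmpp/xmpp-server all go through `-starttls` in fetch_certificate, and the README hunk already lists postgres and sieve as StartTLS protocols; add them here.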

check_ssl_cert/check_ssl_cert_1.109.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert_1.113.0/check_ssl_cert.spec

@@ -1,4 +1,4 @@
%define version 1.109.0
%define version 1.113.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -45,6 +45,18 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*

%changelog
* Tue May 19 2020 Matteo Corti <matteo@corti.li> - 1.113.0-0
- Updated to 1.113.0

* Tue Apr 7 2020 Matteo Corti <matteo@corti.li> - 1.112.0-0
- Updated to 1.112.0

* Mon Mar 9 2020 Matteo Corti <matteo@corti.li> - 1.111.0-0
- Updated to 1.111.0

* Mon Feb 17 2020 Matteo Corti <matteo@corti.li> - 1.110.0-0
- Updated to 1.110.0

* Tue Jan 7 2020 Matteo Corti <matteo@corti.li> - 1.109.0-0
- Updated to 1.109.0


BIN  check_ssl_cert/check_ssl_cert_1.109.0/test/._unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/._unit_tests.sh
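Review bot: `._unit_tests.sh` is a macOS AppleDouble resource-fork file, not part of the upstream release; the commit deletes the other `._*` files from the 1.109.0 tree but renames this one into 1.113.0. Drop it (and unpack the release tarball with `COPYFILE_DISABLE=1` set for macOS tar, or strip `._*` after extraction) so the package does not ship filesystem metadata.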


check_ssl_cert/check_ssl_cert_1.109.0/test/cabundle.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cabundle.crt


check_ssl_cert/check_ssl_cert_1.109.0/test/cacert.crt → check_ssl_cert/check_ssl_cert_1.113.0/test/cacert.crt


check_ssl_cert/check_ssl_cert_1.109.0/test/unit_tests.sh → check_ssl_cert/check_ssl_cert_1.113.0/test/unit_tests.sh

@@ -38,8 +38,8 @@ oneTimeSetUp() {
# check in OpenSSL supports dane checks
if openssl s_client -help 2>&1 | grep -q -- -dane_tlsa_rrdata || openssl s_client not_a_real_option 2>&1 | grep -q -- -dane_tlsa_rrdata; then

echo "dane checks supported"
DANE=1
echo "dane checks supported"
DANE=1
fi

}
@@ -79,13 +79,13 @@ testUsage() {
}

testMissingArgument() {
${SCRIPT} -H www.google.com -c > /dev/null 2>&1
${SCRIPT} -H www.google.com --critical > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}

testMissingArgument2() {
${SCRIPT} -H www.google.com -c -w 10 > /dev/null 2>&1
${SCRIPT} -H www.google.com --critical --warning 10 > /dev/null 2>&1
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
}
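Review bot: switching the missing-argument tests from `-c`/`-w` to `--critical`/`--warning` removes the only coverage of the short option forms in these two tests; if the change was made because the short options now behave differently, keep one test per spelling so a regression in either form is caught.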
@@ -206,15 +206,15 @@ testXMPPHost() {
# $TRAVIS is set an environment variable
# shellcheck disable=SC2154
if [ -z "${TRAVIS+x}" ] ; then
out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
fi
out=$(${SCRIPT} -H prosody.xmpp.is --port 5222 --protocol xmpp --xmpphost xmpp.is)
EXIT_CODE=$?
if echo "${out}" | grep -q "s_client' does not support '-xmpphost'" ; then
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
fi
else
echo "Skipping XMPP tests on Travis CI"
echo "Skipping XMPP tests on Travis CI"
fi
}

@@ -226,42 +226,42 @@ testTimeOut() {

testIMAP() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} --rootcert cabundle.crt -H imap.gmx.com --port 143 --timeout 30 --protocol imap
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping IMAP tests on Travis CI"
echo "Skipping IMAP tests on Travis CI"
fi
}

testIMAPS() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} --rootcert cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} --rootcert cabundle.crt -H imap.gmail.com --port 993 --timeout 30 --protocol imaps
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping IMAP tests on Travis CI"
echo "Skipping IMAP tests on Travis CI"
fi
}

testPOP3S() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} --rootcert cabundle.crt -H pop.gmail.com --port 995 --timeout 30 --protocol pop3s
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping POP3S tests on Travis CI"
echo "Skipping POP3S tests on Travis CI"
fi
}


testSMTP() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} --rootcert cabundle.crt -H smtp.gmail.com --protocol smtp --port 25 --timeout 60
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping SMTP tests on Travis CI"
echo "Skipping SMTP tests on Travis CI"
fi
}

@@ -343,61 +343,61 @@ testBadSSLIncompleteChain() {

testBadSSLSHA256() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H sha256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H sha256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping SHA 256 with badssl.com on Travis CI"
echo "Skipping SHA 256 with badssl.com on Travis CI"
fi
}

testBadSSLEcc256() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H ecc256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H ecc256.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping ECC 256 with badssl.com on Travis CI"
echo "Skipping ECC 256 with badssl.com on Travis CI"
fi
}

testBadSSLEcc384() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H ecc384.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H ecc384.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping ECC 384 with badssl.com on Travis CI"
echo "Skipping ECC 384 with badssl.com on Travis CI"
fi
}

testBadSSLRSA8192() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H rsa8192.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H rsa8192.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping RSA8192 with badssl.com on Travis CI"
echo "Skipping RSA8192 with badssl.com on Travis CI"
fi
}

testBadSSLLongSubdomainWithDashes() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping long subdomain with dashes with badssl.com on Travis CI"
echo "Skipping long subdomain with dashes with badssl.com on Travis CI"
fi
}

testBadSSLLongSubdomain() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com --host-cn
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping long subdomain with badssl.com on Travis CI"
echo "Skipping long subdomain with badssl.com on Travis CI"
fi
}

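Review bot: Every changed line in this hunk is a whitespace-only change (each statement appears once as removed and once as re-added with identical text), and the badssl.com functions are gated only on `${TRAVIS+x}`. Re-indentation mixed into a functional release bump hides the real changes in the other hunks; a separate formatting commit would make the rest reviewable. Separately, on any non-Travis runner without outbound network these tests will run and fail rather than skip, so a generic opt-out (for example a `SKIP_NETWORK_TESTS` variable, name suggested here) would be more robust than a Travis-specific check.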
@@ -428,29 +428,29 @@ testRequireOCSP() {
# tests for -4 and -6
testIPv4() {
if openssl s_client -help 2>&1 | grep -q -- -4 ; then
${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H www.google.com --rootcert cabundle.crt -4
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping forcing IPv4: no OpenSSL support"
echo "Skipping forcing IPv4: no OpenSSL support"
fi
}

testIPv6() {
if openssl s_client -help 2>&1 | grep -q -- -6 ; then

if ifconfig -a | grep -q inet6 ; then
if ifconfig -a | grep -q inet6 ; then

${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -H www.google.com --rootcert cabundle.crt -6
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"

else
echo "Skipping forcing IPv6: not IPv6 configured locally"
fi
else
echo "Skipping forcing IPv6: not IPv6 configured locally"
fi

else
echo "Skipping forcing IPv6: no OpenSSL support"
echo "Skipping forcing IPv6: no OpenSSL support"
fi
}

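Review bot: `ifconfig -a | grep -q inet6` in testIPv6 is a weak capability probe: `ifconfig` (net-tools) is absent by default on many current Linux systems, so the test would fail on the probe itself instead of skipping, and a match on `inet6` is satisfied by `::1` or a link-local address, neither of which proves the host can reach www.google.com over IPv6. Consider probing with `ip -6 route show default` and falling back to `ifconfig` only when `ip` is unavailable. The skip message "not IPv6 configured locally" should also read "no IPv6 configured locally".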
@@ -481,63 +481,44 @@ testMoreErrors2() {

# dane

testDANE() {
${SCRIPT} --dane -H mail.aegee.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}

testDANE211() {
${SCRIPT} --dane 211 --port 25 -P smtp -H hummus.csx.cam.ac.uk
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}

testDANE311SMTP() {
${SCRIPT} --dane 311 --port 25 -P smtp -H mail.ietf.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}

testDANE311() {
${SCRIPT} --dane 311 -H www.ietf.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}
# does not work anymore
#testDANE311SMTP() {
# ${SCRIPT} --dane 311 --port 25 -P smtp -H mail.ietf.org
# EXIT_CODE=$?
# if [ -n "${DANE}" ] ; then
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# else
# assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
# fi
#}
#
#testDANE311() {
# ${SCRIPT} --dane 311 -H www.ietf.org
# EXIT_CODE=$?
# if [ -n "${DANE}" ] ; then
# assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
# else
# assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
# fi
#}

testDANE301ECDSA() {
${SCRIPT} --dane 301 --ecdsa -H mail.aegee.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}

testDANE302ECDSA() {
${SCRIPT} --dane 302 --ecdsa -H mail.aegee.org
EXIT_CODE=$?
if [ -n "${DANE}" ] ; then
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
assertEquals "wrong exit code" "${NAGIOS_UNKNOWN}" "${EXIT_CODE}"
fi
}

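Review bot: Commenting out testDANE311SMTP and testDANE311 with only `# does not work anymore` leaves no coverage at all for `--dane 311` (the remaining tests exercise the default, 211, 301 and 302) and no record of whether the failure is in the script or in the TLSA records published for mail.ietf.org and www.ietf.org. Either delete the dead code and open an issue that states the observed failure, or point the tests at a host that still publishes a 3 1 1 record, and in both cases say in the comment why the ietf.org hosts stopped working.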
@@ -555,21 +536,21 @@ testRequiredProgramPermissions() {

testSieveRSA() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --rsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --rsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping sieve tests on Travis CI"
echo "Skipping sieve tests on Travis CI"
fi
}

testSieveECDSA() {
if [ -z "${TRAVIS+x}" ] ; then
${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --ecdsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
${SCRIPT} -P sieve -p 4190 -H mail.aegee.org --ecdsa
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
else
echo "Skipping sieve tests on Travis CI"
echo "Skipping sieve tests on Travis CI"
fi
}

@@ -579,11 +560,23 @@ testHTTP2() {
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}

testForceHTTP2() {
${SCRIPT} -H www.ethz.ch --protocol h2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}

testNotLongerValidThan() {
${SCRIPT} -H www.ethz.ch --not-valid-longer-than 2
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
}

# SSL Labs (last one as it usually takes a lot of time

testETHZWithSSLLabs() {
# we assume www.ethz.ch gets at least a C
${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs A --rootcert cabundle.crt
# we assume www.ethz.ch gets at least a B
${SCRIPT} -H ethz.ch --cn ethz.ch --check-ssl-labs B --rootcert cabundle.crt
EXIT_CODE=$?
assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
}

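Review bot: testForceHTTP2 has no capability guard, unlike testIPv4 and testIPv6, which first check `openssl s_client -help` for the option they need; forcing h2 needs ALPN support in s_client, so on an older OpenSSL this test will fail instead of being skipped. Two smaller points in the same hunk: testNotLongerValidThan passes only while the live www.ethz.ch certificate still has more than two days of validity left, so it will start failing in the days before each renewal; and the comment above testETHZWithSSLLabs says www.ethz.ch while the command checks `-H ethz.ch --cn ethz.ch`, and lowering the required grade from A to B without giving the reason loses the context the next person needs when the grade moves again. The unchanged comment `# SSL Labs (last one as it usually takes a lot of time` is also missing its closing parenthesis.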
check_ssl_cert/control (+1 -1)

@@ -1,7 +1,7 @@
Uploaders: Jan Wagner <waja@cyconet.org>
Recommends: curl, file, openssl
Suggests: expect
Version: 1.109.0
Version: 1.113.0
Homepage: https://github.com/matteocorti/check_ssl_cert
Watch: https://github.com/matteocorti/check_ssl_cert/releases check_ssl_cert-([0-9.]+)\.tar\.gz
Description: plugin to check the CA and validity of an


check_ssl_cert/src (+1 -1)

@@ -1 +1 @@
check_ssl_cert_1.109.0/
check_ssl_cert_1.113.0

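Review bot: The new value drops the trailing slash that the old one had (`check_ssl_cert_1.109.0/` became `check_ssl_cert_1.113.0`). If anything reads this file and joins it to a path, the two forms behave differently; pick one form and keep it stable across version bumps.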