Changed: check_ssl_cert.spec
Deleted: check_ssl_cert-1.7.5.tar.bz2
Deleted: check_ssl_cert-1.7.7.tar.bz2
Deleted: check_ssl_cert-1.8.0.tar.bz2
Deleted: check_ssl_cert-1.8.1.tar.bz2
Changed: check_ssl_cert-1.9.0.tar.bz2/AUTHORS
@@ -15,9 +15,13 @@
* Many thanks to Wolfgang Schricker for
- the selfsigned bug report and cleanup fixes
- the patch adding the possibility to check local files (-f option)
-* Many thanks to Yannick Gravel for the patch fixing the plugin output
+* Many thanks to Yannick Gravel for the patch fixing the plugin output and the fix
+ on the test order
* Many thanks to Scott Worthington for the --critical and --warning hints
-* Many thanks to Lawren Quigley-Jones for the -A,--noauth patch
+* Many thanks to Lawren Quigley-Jones for
+ - the -A,--noauth patch
+ - the trap fix
+* Many thanks to Matthias Fuhrmeister for the -servername patch
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
Changed: check_ssl_cert-1.9.0.tar.bz2/COPYRIGHT
@@ -1,11 +1,15 @@
- Copyright (c) 2007-2010 Matteo Corti
+ Copyright (c) 2007-2011 ETH Zurich
with the following individuals added to the list of Contributing Authors
Dan Wallis
+ Lawren Quigley-Jones
Marc Fournier
Marcus Rejås
+ Matteo Corti
+ Matthias Fuhrmeister
+ Scott Worthington
Tuomas Haarala
Wolfgang Schricker
Yannick Gravel
Changed: check_ssl_cert-1.9.0.tar.bz2/ChangeLog
@@ -1,6 +1,41 @@
+2011-01-24 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: added an option to specify the openssl executable
+
+2010-12-16 Dan Wallis
+
+ * check_ssl_cert: Sets $VERBOSE to avoid using value supplied by Nagios
+ * check_ssl_cert: Quotes regular expression for grep to avoid shell globbing
+
+2010-12-09 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert.spec: standardized the RPM package name
+
+ * check_ssl_cert: added support for the TLS servername extension
+ (thanks to Matthias Fuhrmeister)
+
+2010-11-02 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * INSTALL: specifies that expect is needed for timeouts
+
+2010-10-29 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * README: specifies that expect is needed for timeouts
+
+2010-10-28 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: trap on more signals (thanks to Lawren Quigley-Jones)
+
+2010-10-14 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: added a patch from Yannick Gravel putting the
+ chain verification at the end of the tests
+
2010-10-01 Matteo Corti <matteo.corti@id.ethz.ch>
- * check_ssl_cert: added a patch from Lawren Quigley-Jones which implements a new command line argument (-A) to disable the certificate chain check
+ * check_ssl_cert: added a patch from Lawren Quigley-Jones which
+ implements a new command line argument (-A) to disable the
+ certificate chain check
2010-09-15 Matteo Corti <matteo.corti@id.ethz.ch>
@@ -34,7 +69,7 @@
2010-07-01 Matteo Corti <matteo.corti@id.ethz.ch>
- * check_ssl_cert: [Yannick Gravel patch] Restore diplaying the CN in every messages:
+ * check_ssl_cert: [Yannick Gravel patch] Restore displaying the CN in every messages:
a previous patch changed something and only
critical were adjusted.
* check_ssl_cert: [Yannick Gravel patch] Adjust what is displayed after the from in
@@ -74,7 +109,7 @@
2008-05-13 Matteo Corti <matteo.corti@id.ethz.ch>
- * check_ssl_cert: applied a patch fom Dan Wallis to output the CN
+ * check_ssl_cert: applied a patch from Dan Wallis to output the CN
in all the messages
2008-02-28 Matteo Corti <matteo.corti@id.ethz.ch>
Changed: check_ssl_cert-1.9.0.tar.bz2/INSTALL
@@ -1,5 +1,7 @@
Simply copy the plugin to your nagios plugin directory
+In order to use timeouts the plugin needs 'expect' in the current PATH
+See: http://en.wikipedia.org/wiki/Expect
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
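Review bot: the version header at the bottom of INSTALL reads `$Id: AUTHORS 1103 ...`, i.e. it identifies the AUTHORS file, so it appears to have been copied over rather than expanded for this file; either set `svn:keywords` on INSTALL so the keyword is rewritten on commit, or drop the two comment lines, because a reader otherwise gets a misleading revision for INSTALL. The two added lines about `expect` are clear and match the README change.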
Changed: check_ssl_cert-1.9.0.tar.bz2/Makefile
@@ -19,7 +19,7 @@
version_check:
VERSION=`cat VERSION`
grep -q "VERSION\ *=\ *[\'\"]*$(VERSION)" $(PLUGIN)
- grep -q "^%define\ version\ $(VERSION)" $(PLUGIN).spec
+ grep -q "^%define\ version\ *$(VERSION)" $(PLUGIN).spec
grep -q -- "- $(VERSION)-" $(PLUGIN).spec
grep -q "\"$(VERSION)\"" $(PLUGIN).1
grep -q "${VERSION}" NEWS
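Review bot: the recipe line `VERSION=\`cat VERSION\`` in `version_check` is a dead assignment: every recipe line runs in its own shell, and the greps that follow use `$(VERSION)` and `${VERSION}`, which make expands itself before the shell sees them, so the shell variable set on the first line is never read. Either drop that line or define the value as a make variable outside the recipe (`VERSION := $(shell cat VERSION)`). The relaxed `\ *` in the spec pattern is the right fix for the `%define version` line, but note that `$(VERSION)` is interpolated unescaped into every regex, so the dots in `1.9.0` match any character.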
Changed: check_ssl_cert-1.9.0.tar.bz2/NEWS
@@ -1,3 +1,9 @@
+2011-01-24 Version 1.9.0 Added an option to specify the openssl executable
+2010-12-16 Version 1.8.1 Fixed bugs with environment bleeding & shell globbing
+2010-12-08 Version 1.8.0 Added support for TLS servername extension in ClientHello
+2010-10-28 Version 1.7.7 Fixed a bug in the signal specification introduced in 1.7.6
+2010-10-28 Version 1.7.6 Better temporary file clean up (thanks to Lawren Quigley-Jones)
+2010-10-14 Version 1.7.5 Applied a patch from Yannick Gravel fixing the test order
2010-10-01 Version 1.7.4 Applied a patch from Lawren Quigley-Jones adding the -A option
2010-09-15 Version 1.7.3 Fixed a bug in the option processing
2010-08-26 Version 1.7.2 Removes useless use of cat, better test for expect utility
Changed: check_ssl_cert-1.9.0.tar.bz2/README
@@ -1,5 +1,5 @@
- (c) Matteo Corti, ETH Zurich, 2007-2010
+ (c) Matteo Corti, ETH Zurich, 2007-2011
see AUTHORS for the complete list of contributors
@@ -37,7 +37,7 @@
-r,--rootcert path root certificate or directory to be used for
certficate validation
-t,--timeout seconds timeout after the specified time
- (defaults to 15 seconds)
+ (defaults to 15 seconds and requires 'expect')
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
@@ -47,6 +47,21 @@
-d,--days days minimum number of days a certificate has to be valid
(see --critical and --warning)
+Expect:
+=======
+
+check_ssl_cert requires 'expect' to enable timouts. If expect is not
+present on your system timeouts will be disabled.
+
+See: http://en.wikipedia.org/wiki/Expect
+
+Virtual servers:
+================
+
+check_ssl_client supports the servername TLS extension in ClientHello
+if the installed openssl version provides it. This is needed if you
+are checking a machine with virtual hosts.
+
Notes:
======
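Review bot: two typos in the added text: `timouts` should read `timeouts`, and `check_ssl_client` in the "Virtual servers" paragraph should be `check_ssl_cert`, the plugin's name. It would also help operators to say what "timeouts will be disabled" means in practice (the plugin waits as long as the openssl connection takes), since a silently missing `expect` changes the plugin's behaviour without any warning in the check output.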
Changed: check_ssl_cert-1.9.0.tar.bz2/VERSION
@@ -1 +1 @@
-1.7.4
+1.9.0
Changed: check_ssl_cert-1.9.0.tar.bz2/check_ssl_cert
@@ -9,7 +9,7 @@
#
# See the INSTALL file for installation instructions
#
-# Copyright (c) 2007-2010 ETH Zurich.
+# Copyright (c) 2007-2011 ETH Zurich.
#
# This module is free software; you can redistribute it and/or modify it
# under the terms of GNU general public license (gpl) version 3.
@@ -19,15 +19,15 @@
# enable substitution with:
# $ svn propset svn:keywords "Id Revision HeadURL Source Date"
#
-# $Id: check_ssl_cert 1191 2010-10-01 15:47:02Z corti $
-# $Revision: 1191 $
+# $Id: check_ssl_cert 1214 2011-01-24 14:24:42Z corti $
+# $Revision: 1214 $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $
-# $Date: 2010-10-01 17:47:02 +0200 (Fri, 01 Oct 2010) $
+# $Date: 2011-01-24 15:24:42 +0100 (Mon, 24 Jan 2011) $
################################################################################
# Constants
-VERSION=1.7.4
+VERSION=1.9.0
SHORTNAME="SSL_CERT"
################################################################################
@@ -43,7 +43,7 @@
echo "Error: $1" 1>&2
fi
- #### The following line is 80 characters long (helps to fit the help text in a standard terminal
+ #### The following line is 80 characters long (helps to fit the help text in a standard terminal)
######--------------------------------------------------------------------------------
echo
@@ -65,6 +65,7 @@
echo " -N,--host-cn match CN with the host name"
echo " (will not work for wildcards)"
echo " -o,--org org pattern to match the organization of the certificate"
+ echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol switch to TLS and use specific protocol"
echo " {smtp|pop3|imap|ftp}"
@@ -179,6 +180,8 @@
# default values
PORT=443
TIMEOUT=15
+VERBOSE=""
+OPENSSL=""
# set the default temp dir if not set
if [ -z "${TMPDIR}" ] ; then
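Review bot: initialising `VERBOSE` and `OPENSSL` here closes the environment-bleeding bug from the ChangeLog for those two names, but the same class of variable is left uninitialised: `NOAUTH`, `SELFSIGNED`, `CRITICAL`, `WARNING`, `PROTOCOL` and `ROOT_CA` are all tested with `-n`/`-z` later in this diff and would likewise take whatever value the calling environment exports. `NOAUTH` is the one that matters most, because an inherited non-empty value silently disables the chain verification. Initialise all of them to empty next to `PORT` and `TIMEOUT`.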
@@ -262,6 +265,12 @@
unknown "-o,--org requires an argument"
fi ;;
+ --openssl) if [ $# -gt 1 ]; then
+ OPENSSL=$2; shift 2
+ else
+ unknown "--openssl requires an argument"
+ fi ;;
+
-p|--port) if [ $# -gt 1 ]; then
PORT=$2; shift 2
else
@@ -339,13 +348,13 @@
fi
if [ -n "${CRITICAL}" ] ; then
- if ! echo "${CRITICAL}" | grep -q [0-9][0-9]* ; then
+ if ! echo "${CRITICAL}" | grep -q '[0-9][0-9]*' ; then
unknown "invalid number of days ${CRITICAL}"
fi
fi
if [ -n "${WARNING}" ] ; then
- if ! echo ${WARNING} | grep -q [0-9][0-9]* ; then
+ if ! echo ${WARNING} | grep -q '[0-9][0-9]*' ; then
unknown "invalid number of days ${WARNING}"
fi
fi
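Review bot: quoting the pattern fixes the globbing problem (an unquoted `[0-9][0-9]*` could be expanded against matching file names in the working directory), but the regex is still unanchored, so values such as `10abc` or `abc1` pass validation and reach the later numeric comparisons. Use `'^[0-9][0-9]*$'` (or `'^[0-9]\{1,\}$'`). Also `echo ${WARNING}` is unquoted while `"${CRITICAL}"` is quoted; quote both for consistency.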
@@ -365,11 +374,23 @@
fi
fi
+if [ -n "${OPENSSL}" ] ; then
+ if [ ! -x ${OPENSSL} ] ; then
+ unknown "${OPENSSL} ist not an executable"
+ fi
+ if [ $(basename ${OPENSSL}) != 'openssl' ] ; then
+ unknown "${OPENSSL} ist not an openssl executable"
+ fi
+fi
+
+
#######################
# Check needed programs
-check_required_prog openssl
-OPENSSL=$PROG
+if [ -z "${OPENSSL}" ] ; then
+ check_required_prog openssl
+ OPENSSL=$PROG
+fi
EXPECT=$(which expect 2> /dev/null)
test -x "${EXPECT}" || EXPECT=""
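Review bot: both new messages read `ist not an ...`; should be `is not`. `${OPENSSL}` is unquoted in `[ ! -x ${OPENSSL} ]` and in `$(basename ${OPENSSL})`, so a path containing a space fails with a shell error rather than the intended `unknown` result; quote it (`"${OPENSSL}"` and `"$(basename "${OPENSSL}")"`). Note also that the basename test only confirms the file is called `openssl`, not that it is the OpenSSL binary. Since `--openssl` is supplied from the Nagios command definition that is an acceptable trust boundary, but the message should not claim more than was checked, e.g. "is not named openssl".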
@@ -378,6 +399,22 @@
fi
################################################################################
+# check if openssl s_client supports the -servername option
+#
+# openssl s_client does not have a -help option
+# => we supply an invalid command line option to get the help
+# on standard error
+#
+SERVERNAME=
+if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
+ SERVERNAME="-servername ${HOST}"
+else
+ if [ -n "${VERBOSE}" ] ; then
+ echo "'${OPENSSL} s_client' does not support '-servername': disabling virtual server support"
+ fi
+fi
+
+################################################################################
# fetch the X.509 certificate
# temporary storage for the certificate and the errors
@@ -395,8 +432,10 @@
if [ -n "${VERBOSE}" ] ; then
echo "downloading certificate to ${TMPDIR}"
fi
-
-trap "rm -f $CERT $ERROR" 0
+
+# cleanup before program termination
+# using named signals to be POSIX compliant
+trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
if [ -n "${PROTOCOL}" ] ; then
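Review bot: the trap action `rm -f $CERT $ERROR` contains no `exit`, so when HUP, INT, QUIT or TERM is delivered the temporary files are removed and the script then carries on, with the later openssl and grep steps operating on files that no longer exist; the EXIT trap then runs the `rm` a second time. Give the signal trap its own action that terminates, for example `trap "rm -f $CERT $ERROR; exit 1" HUP INT QUIT TERM` alongside `trap "rm -f $CERT $ERROR" EXIT`. Expanding `$CERT $ERROR` at definition time (double quotes) is fine here because both are set before this line.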
@@ -404,7 +443,7 @@
smtp|pop3|imap|ftp)
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -starttls ${PROTOCOL} -connect $HOST:$PORT -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+ timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
;;
*)
@@ -427,7 +466,7 @@
else
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -connect $HOST:$PORT -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+ timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
fi
@@ -444,30 +483,6 @@
fi
################################################################################
-# Check if the certificate was verified
-
-if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' ${ERROR} ; then
-
- if grep -q '^verify\ error:num=18:self\ signed\ certificate' ${ERROR} ; then
-
- if [ -z "${SELFSIGNED}" ] ; then
- critical "Cannot verify certificate\nself signed certificate"
- else
- SELFSIGNEDCERT="self signed "
- fi
-
- else
-
- # process errors
- details=$(grep '^verify\ error:' ${ERROR} | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
-
- critical "Cannot verify certificate\n${details}"
-
- fi
-
-fi
-
-################################################################################
# parse the X.509 certificate
DATE=$($OPENSSL x509 -in ${CERT} -enddate -noout | sed -e "s/^notAfter=//")
@@ -580,6 +595,30 @@
fi
################################################################################
+# Check if the certificate was verified
+
+if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' ${ERROR} ; then
+
+ if grep -q '^verify\ error:num=18:self\ signed\ certificate' ${ERROR} ; then
+
+ if [ -z "${SELFSIGNED}" ] ; then
+ critical "Cannot verify certificate\nself signed certificate"
+ else
+ SELFSIGNEDCERT="self signed "
+ fi
+
+ else
+
+ # process errors
+ details=$(grep '^verify\ error:' ${ERROR} | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
+
+ critical "Cannot verify certificate\n${details}"
+
+ fi
+
+fi
+
+################################################################################
# If we get this far, assume all is well. :)
echo "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '$CN' from '$CA_ISSUER_MATCHED' valid until $DATE"
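Review bot: moving this block after the date, CN and issuer tests changes which failure is reported when a certificate has more than one problem: because `critical` exits, a certificate that both fails chain verification and is expired is now reported only as expired, and the verification error is never shown. That is the intended "test order" change from the ChangeLog, but it deserves a sentence in the README so an operator reading a CRITICAL for expiry does not assume the chain was fine. Separately, the patterns `'^verify\ error:'` pass a literal backslash-space to grep inside single quotes; GNU grep tolerates it, but a plain space is the portable form.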
Changed: check_ssl_cert-1.9.0.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
-.TH "check_ssl_cert" 1 "August, 2010" "1.7.4" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "January, 2011" "1.9.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -45,6 +45,9 @@
.BR "-o,--org" " org"
pattern to match the organization of the certificate
.TP
+.BR " --openssl" " path"
+path of the openssl binary to be used
+.TP
.BR "-p,--port" " port"
TCP port
.TP
@@ -77,7 +80,7 @@
minimum number of days a certificate has to be valid (see --critical and --warning)
.SH "SEE ALSO"
-x509(1), openssl(1)
+x509(1), openssl(1), expect(1)
.SH "EXIT STATUS"
check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems
.SH BUGS
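Review bot: the EXIT STATUS paragraph in the context lines has two typos, `zero exist status` should be `zero exit status` and `2 for a critical errors` should be `2 for critical errors`; since this hunk already touches the section, fix them here. The `expect(1)` cross-reference is the right addition given the timeout dependency now documented in README and INSTALL.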
Changed: check_ssl_cert-1.9.0.tar.bz2/check_ssl_cert.spec
@@ -6,24 +6,26 @@
# $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $
################################################################################
-%define version 1.7.4
-%define release 0
-%define name check_ssl_cert
+%define version 1.9.0
+%define release 0
+%define sourcename check_ssl_cert
+%define packagename nagios-plugins-check_ssl_cert
%define nagiospluginsdir %{_libdir}/nagios/plugins
# No binaries in this package
%define debug_package %{nil}
Summary: A Nagios plugin to check X.509 certificates
-Name: %{name}
+Name: %{packagename}
Version: %{version}
+Obsoletes: check_ssl_cert
Release: %{release}%{?dist}
License: GPLv3+
Packager: Matteo Corti <matteo.corti@id.ethz.ch>
Group: Applications/System
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRoot: %{_tmppath}/%{packagename}-%{version}-%{release}-root-%(%{__id_u} -n)
URL: https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_ssl_cert
-Source: https://trac.id.ethz.ch/projects/nagios_plugins/downloads/%{name}-%{version}.tar.gz
+Source: https://trac.id.ethz.ch/projects/nagios_plugins/downloads/%{sourcename}-%{version}.tar.gz
Requires: nagios-plugins
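Review bot: the rename to `nagios-plugins-check_ssl_cert` adds `Obsoletes: check_ssl_cert` but no matching `Provides`, so anything that requires the old package by name stops resolving after the upgrade; the usual pattern is a versioned `Obsoletes: check_ssl_cert < 1.9.0` together with `Provides: check_ssl_cert = %{version}-%{release}`. The `$Date` comment in the context lines still shows 2010-02-16 while the rest of the file moves to 1.9.0; if `svn:keywords` is set it will refresh on commit, otherwise drop it.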
@@ -34,7 +36,7 @@
- checks the validity
%prep
-%setup -q
+%setup -q -n %{sourcename}-%{version}
%build
@@ -48,9 +50,27 @@
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog NEWS README INSTALL TODO COPYING VERSION COPYRIGHT
%attr(0755, root, root) %{nagiospluginsdir}/check_ssl_cert
-%{_mandir}/man1/%{name}.1*
+%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Mon Jan 24 2011 Matteo Corti <matteo.corti@id.ethz.ch> - 1.9.0-0
+- updated to 1.9.0: --openssl option
+
+* Thu Dec 16 2010 Dan Wallis - 1.8.1-0
+- Fixed bugs with environment bleeding & shell globbing
+
+* Thu Dec 9 2010 Matteo Corti <matteo.corti@id.ethz.ch> - 1.8.0-0
+- added support for TLS servername extension
+
+* Thu Oct 28 2010 Matteo Corti <matteo.corti@id.ethz.ch> - 1.7.7-0
+- Fixed a bug in the signal specification
+
+* Thu Oct 28 2010 Matteo Corti <matteo.corti@id.ethz.ch> - 1.7.6-0
+- better temporary file clean up
+
+* Thu Oct 14 2010 Matteo Corti <matteo.corti@id.ethz.ch> - 1.7.5-0
+- updated to 1.7.5 (fixed the check order)
+
* Fri Oct 1 2010 Matteo Corti <matteo.corti@id.ethz.ch> - 1.7.4-0
- added -A command line option
@@ -108,5 +128,5 @@
- Dan Wallis patches (see the ChangeLog)
* Mon Sep 24 2007 Matteo Corti <matteo.corti@id.ethz.ch> - 1.1.0-0
-- first rpm package
+- first RPM package