Changed: check_ssl_cert.spec
Changed: check_ssl_cert-1.10.0.tar.bz2/AUTHORS
@@ -24,6 +24,7 @@
* Many thanks to Matthias Fuhrmeister for the -servername patch
* Many thanks to Raphael Thoma for the patch allowing HTTP to be
specified as protocol and the fix on -N with wildcards
+* Many thanks to Sven Nierlein for the client certificate authentication patch
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
Changed: check_ssl_cert-1.10.0.tar.bz2/COPYRIGHT
@@ -11,6 +11,7 @@
Matthias Fuhrmeister
Raphael Thoma
Scott Worthington
+ Sven Nierlein
Tuomas Haarala
Wolfgang Schricker
Yannick Gravel
Changed: check_ssl_cert-1.10.0.tar.bz2/ChangeLog
@@ -1,3 +1,8 @@
+2011-09-01 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: applied a patch from Sven Nierlein
+ (certificate authentication)
+
2011-03-10 Matteo Corti <matteo.corti@id.ethz.ch>
* check_ssl_cert: allows http to specified as protocol
Changed: check_ssl_cert-1.10.0.tar.bz2/NEWS
@@ -1,35 +1,49 @@
-2011-03-10 Version 1.9.1 Allows HTTP as protocol and fixes -N with wildcards
-2011-01-24 Version 1.9.0 Added an option to specify the openssl executable
-2010-12-16 Version 1.8.1 Fixed bugs with environment bleeding & shell globbing
-2010-12-08 Version 1.8.0 Added support for TLS servername extension in ClientHello
-2010-10-28 Version 1.7.7 Fixed a bug in the signal specification introduced in 1.7.6
-2010-10-28 Version 1.7.6 Better temporary file clean up (thanks to Lawren Quigley-Jones)
-2010-10-14 Version 1.7.5 Applied a patch from Yannick Gravel fixing the test order
-2010-10-01 Version 1.7.4 Applied a patch from Lawren Quigley-Jones adding the -A option
-2010-09-15 Version 1.7.3 Fixed a bug in the option processing
-2010-08-26 Version 1.7.2 Removes useless use of cat, better test for expect utility
-2010-08-26 Version 1.7.1 Replaces "-verify 6" which was erroneously removed in previous version
-2010-08-26 Version 1.7.0 Overloaded --rootcert option to allow -CApath as well as -CAfile
-2010-07-21 Version 1.6.1 Added an option to specify where to temporarily store the certificate
-2010-07-09 Version 1.6.0 Added long command line options and substituted --days with --critical and --warning
-2010-07-07 Version 1.5.2 Added the -f option to check a local file
-2010-07-01 Version 1.5.1 Fixed the plugin output
-2010-03-11 Version 1.4.4 Fixed bug #64 (== bashism)
-2010-03-09 Version 1.4.3 -N and -n options to compare the CN to an hostname
-2009-12-02 Version 1.4.2 the -i ISSUER option now checks if the O= or the CN= fields of the root certificate match
-2009-11-30 Version 1.4.1 -r to specify the root cert to be used for verification
-2009-11-30 Version 1.4.0 certificate chain verification
-2009-03-30 Version 1.3.0 -P option to check TLS certificates (SMTP, FTP, POP3, ...)
-2008-05-13 Version 1.2.2 include the CN in the messages (D. Wallis)
-2008-02-25 Version 1.2.1 better error handling
-2008-02-25 Version 1.2.0 general cleanup (POSIX compliance, removed
- nmap dependency, ...) from Dan Wallis
-2007-08-31 Version 1.1.0
- - option to enforce a given email address
- - option to enforce a given organization
- - temporary files cleanup upon exit
-2007-08-15 Bug fix: openssl did not close the connection cleanly
-2007-08-10 First release (1.0)
+2011-09-01 Version 1.10.0 Applied a patch from Sven Nierlein to authenicate
+ using a client certificate
+2011-03-10 Version 1.9.1 Allows HTTP as protocol and fixes -N with wildcards
+2011-01-24 Version 1.9.0 Added an option to specify the openssl executable
+2010-12-16 Version 1.8.1 Fixed bugs with environment bleeding & shell globbing
+2010-12-08 Version 1.8.0 Added support for TLS servername extension in
+ ClientHello
+2010-10-28 Version 1.7.7 Fixed a bug in the signal specification introduced
+ in 1.7.6
+2010-10-28 Version 1.7.6 Better temporary file clean up (thanks to Lawren
+ Quigley-Jones)
+2010-10-14 Version 1.7.5 Applied a patch from Yannick Gravel fixing the test
+ order
+2010-10-01 Version 1.7.4 Applied a patch from Lawren Quigley-Jones adding the
+ -A option
+2010-09-15 Version 1.7.3 Fixed a bug in the option processing
+2010-08-26 Version 1.7.2 Removes useless use of cat, better test for expect
+ utility
+2010-08-26 Version 1.7.1 Replaces "-verify 6" which was erroneously removed in
+ the previous version
+2010-08-26 Version 1.7.0 Overloaded --rootcert option to allow -CApath as well
+ as -CAfile
+2010-07-21 Version 1.6.1 Added an option to specify where to temporarily
+ store the certificate
+2010-07-09 Version 1.6.0 Added long command line options and substituted
+ -days with --critical and --warning
+2010-07-07 Version 1.5.2 Added the -f option to check a local file
+2010-07-01 Version 1.5.1 Fixed the plugin output
+2010-03-11 Version 1.4.4 Fixed bug #64 (== bashism)
+2010-03-09 Version 1.4.3 -N and -n options to compare the CN to an hostname
+2009-12-02 Version 1.4.2 the -i ISSUER option now checks if the O= or the
+ CN= fields of the root certificate match
+2009-11-30 Version 1.4.1 -r to specify the root cert to be used for
+ verification
+2009-11-30 Version 1.4.0 certificate chain verification
+2009-03-30 Version 1.3.0 -P option to check TLS certificates
+ (SMTP, FTP, POP3, ...)
+2008-05-13 Version 1.2.2 include the CN in the messages (D. Wallis)
+2008-02-25 Version 1.2.1 better error handling
+2008-02-25 Version 1.2.0 general cleanup (POSIX compliance, removed
+ nmap dependency, ...) from Dan Wallis
+2007-08-31 Version 1.1.0 - option to enforce a given email address
+ - option to enforce a given organization
+ - temporary files cleanup upon exit
+2007-08-15 Bug fix: openssl did not close the connection cleanly
+2007-08-10 First release (1.0)
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
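Review bot: typo in the new 1.10.0 entry, "authenicate" should be "authenticate". The rest of the hunk re-wraps every existing line, which turns a one-line addition into a rewrite of the whole file, and the reflow silently changes the 1.6.0 entry from `--days` to `-days`; keeping the original wrapping (or doing the reflow in a separate commit) would keep the history readable and avoid that drift.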
Changed: check_ssl_cert-1.10.0.tar.bz2/README
@@ -19,6 +19,9 @@
-H,--host host server
Options:
+ -A,--noauth ignore authority warnings (expiration only)
+ -C,--clientcert path use client certificate to authenticate
+ --clientpass phrase set passphrase for client certificate.
-c,--critical days minimum number of days a certificate has to be valid
to issue a critical status
-e,--email address pattern to match the email address contained in the
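Review bot: the `--clientpass phrase` description should say that a passphrase given on the command line is visible to other local users through the process list, for the plugin itself and for the openssl child it spawns, which matters on a shared monitoring host; openssl's `-pass` argument also accepts `env:VAR` and `file:PATH` sources, so the documentation could point operators at those instead of a literal phrase. The `-C,--clientcert path` line also does not say what the file must contain; since the patch adds no separate key option, state that the PEM file needs both the certificate and its private key.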
@@ -28,16 +31,18 @@
-i,--issuer issuer pattern to match the issuer of the certificate
-n,---cn name pattern to match the CN of the certificate
-N,--host-cn match CN with the host name
- (will not work for wildcards)
-o,--org org pattern to match the organization of the certificate
+ --openssl path path of the openssl binary to be used
-p,--port port TCP port
- -P,--protocol protocol switch to TLS and use specific protocol
- {smtp|pop3|imap|ftp}
+ -P,--protocol protocol use the specific protocol {http|smtp|pop3|imap|ftp}
+ http: default
+ smtp,pop3,imap,ftp: switch to TLS
-s,--selfsigned allows self-signed certificates
-r,--rootcert path root certificate or directory to be used for
certficate validation
-t,--timeout seconds timeout after the specified time
- (defaults to 15 seconds and requires 'expect')
+ (defaults to 15 seconds)
+ --temp dir directory where to store the temporary files
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
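Review bot: the hunk reworks the `-P` and `-t` descriptions but leaves two typos on the adjacent context lines: `-n,---cn` has three dashes and `certficate validation` is missing an i; fix both in the same pass. Note also that dropping `(will not work for wildcards)` and `requires 'expect'` and adding `--openssl` and `--temp` documents changes from earlier releases (1.9.1, 1.9.0 and 1.6.1 in NEWS), so the README had been out of date for several versions; the ChangeLog entry could mention the documentation catch-up.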
Changed: check_ssl_cert-1.10.0.tar.bz2/VERSION
@@ -1 +1 @@
-1.9.1
+1.10.0
Changed: check_ssl_cert-1.10.0.tar.bz2/check_ssl_cert
@@ -27,7 +27,7 @@
################################################################################
# Constants
-VERSION=1.9.1
+VERSION=1.10.0
SHORTNAME="SSL_CERT"
################################################################################
@@ -54,6 +54,8 @@
echo
echo "Options:"
echo " -A,--noauth ignore authority warnings (expiration only)"
+ echo " -C,--clientcert path use client certificate to authenticate"
+ echo " --clientpass phrase set passphrase for client certificate."
echo " -c,--critical days minimum number of days a certificate has to be valid"
echo " to issue a critical status"
echo " -e,--email address pattern to match the email address contained in the"
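Review bot: style, the new `--clientpass` usage line ends with a period while no other option line in the usage text does; drop it here (the same trailing period was copied into the README and the man page entry).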
@@ -289,6 +291,18 @@
unknown "-r,--rootcert requires an argument"
fi ;;
+ -C|--clientcert) if [ $# -gt 1 ]; then
+ CLIENT_CERT=$2; shift 2
+ else
+ unknown "-c,--clientcert requires an argument"
+ fi ;;
+
+ --clientpass) if [ $# -gt 1 ]; then
+ CLIENT_PASS=$2; shift 2
+ else
+ unknown "--clientpass requires an argument"
+ fi ;;
+
-t|--timeout) if [ $# -gt 1 ]; then
TIMEOUT=$2; shift 2
else
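Review bot: the error message for the new option names the wrong flag: the `-C|--clientcert` branch reports `"-c,--clientcert requires an argument"`, but `-c` is `--critical`; it should read `"-C,--clientcert requires an argument"`, otherwise a user who hits it is pointed at an unrelated option.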
@@ -347,6 +361,12 @@
fi
fi
+if [ -n "${CLIENT_CERT}" ] ; then
+ if [ ! -r ${CLIENT_CERT} ] ; then
+ unknown "Cannot read client certificate ${CLIENT_CERT}"
+ fi
+fi
+
if [ -n "${CRITICAL}" ] ; then
if ! echo "${CRITICAL}" | grep -q '[0-9][0-9]*' ; then
unknown "invalid number of days ${CRITICAL}"
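Review bot: `[ ! -r ${CLIENT_CERT} ]` leaves the variable unquoted, so a path containing spaces or glob characters breaks the test, and it is inconsistent with the enclosing `[ -n "${CLIENT_CERT}" ]`, which does quote it; use `[ ! -r "${CLIENT_CERT}" ]`. NEWS records that 1.8.1 already fixed shell-globbing bugs of exactly this kind. If the intent is to fail early, a readable file is not necessarily a usable one; `openssl x509 -noout -in "${CLIENT_CERT}"` would reject a non-PEM or key-only file before the connection attempt.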
@@ -433,6 +453,16 @@
echo "downloading certificate to ${TMPDIR}"
fi
+CLIENT=""
+if [ -n "${CLIENT_CERT}" ] ; then
+ CLIENT="-cert ${CLIENT_CERT}"
+fi
+
+CLIENTPASS=""
+if [ -n "${CLIENT_PASS}" ] ; then
+ CLIENTPASS="-pass pass:${CLIENT_PASS}"
+fi
+
# cleanup before program termination
# using named signals to be POSIX compliant
trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
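Review bot: `CLIENTPASS="-pass pass:${CLIENT_PASS}"` places the passphrase in the openssl argument list, where any local user can read it from the process list for the duration of the handshake; `-pass env:CLIENT_PASS` (with the variable exported) or `-pass file:...` keeps the secret off the command line. `-cert ${CLIENT_CERT}` is also built unquoted, so a path with spaces will not survive. Finally, with `-cert` alone s_client expects the private key in the same file; either document that in the help text or add a key option.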
@@ -444,7 +474,7 @@
smtp|pop3|imap|ftp)
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+ timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
;;
*)
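Review bot: `${CLIENT} ${CLIENTPASS}` are interpolated into a quoted string that `timeout` re-evaluates, so their contents go through a second round of word splitting and expansion; this works for plain paths and passphrases and breaks silently for anything containing spaces, quotes or `$`. Combined with the `pass:` source it also means the passphrase ends up in the openssl process's argv. If the string-based invocation has to stay, validate `CLIENT_CERT` and `CLIENT_PASS` against the characters that survive it, or move the secret into the environment.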
@@ -467,7 +497,7 @@
else
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+ timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
fi
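Review bot: same remark as for the STARTTLS invocation above, the client arguments are expanded inside a string that is re-parsed, so their quoting is lost. Since the two `s_client` lines now differ only in `-starttls ${PROTOCOL}`, building the common argument string once and reusing it in both branches would keep the two code paths from drifting apart.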
Changed: check_ssl_cert-1.10.0.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
-.TH "check_ssl_cert" 1 "January, 2011" "1.9.1" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "January, 2011" "1.10.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
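Review bot: the `.TH` line bumps the version to 1.10.0 but keeps the date "January, 2011"; the ChangeLog dates this release 2011-09-01, so the man page date should move to September, 2011 together with the version.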
@@ -21,6 +21,12 @@
.BR "-A,--noauth"
ignore authority warnings (expiration only)
.TP
+.BR "-C,--clientcert" " path"
+use client certificate to authenticate
+.TP
+.BR " --clientpass" " phrase"
+set passphrase for client certificate.
+.TP
.BR "-c,--critical" " days"
minimum number of days a certificate has to be valid to issue a critical status
.TP
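Review bot: `.BR " --clientpass" " phrase"` carries a leading space inside the bold argument that none of the other `.TP` entries have (it looks copied from the README's column alignment); `.BR "--clientpass" " phrase"` matches the neighbouring entries. The description also ends with a period, unlike the rest.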
Changed: check_ssl_cert-1.10.0.tar.bz2/check_ssl_cert.spec
@@ -6,7 +6,7 @@
# $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $
################################################################################
-%define version 1.9.1
+%define version 1.10.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -53,6 +53,9 @@
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Thu Sep 1 2011 Matteo Corti <matteo.corti@id.ethz.ch> - 1.10.0-0
+- apllied patch from Sven Nierlein for client certificate authentication
+
* Thu Mar 10 2011 Matteo Corti <matteo.corti@id.ethz.ch> - 1.9.1-0
- updated to 1.9.1: allows http as protocol and fixes -N with wildcards
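Review bot: typo in the new %changelog entry, "apllied" should be "applied". The date line itself is fine: 1 September 2011 was a Thursday, matching `Thu Sep 1 2011`.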