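--- a/check_ssl_cert-1.13.0.tar.bz2/AUTHORS
+++ b/check_ssl_cert-1.13.0.tar.bz2/AUTHORS
@@ -25,6 +25,8 @@
 * Many thanks to Raphael Thoma for the patch allowing HTTP to be
 specified as protocol and the fix on -N with wildcards
 * Many thanks to Sven Nierlein for the client certificate authentication patch
+* Many thanks to Rob Yamry for the help in debugging a problem with
+ certain versions of OpenSSL and TLS extensions
 # File version information:
 # $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $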
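--- a/check_ssl_cert-1.13.0.tar.bz2/ChangeLog
+++ b/check_ssl_cert-1.13.0.tar.bz2/ChangeLog
@@ -1,3 +1,7 @@
+2012-04-05 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: handle broken OpenSSL clients (-servername not working)
+
 2012-04-04 Matteo Corti <matteo.corti@id.ethz.ch>
 * check_ssl_cert: removed an hard coded reference to the error number by the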
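--- a/check_ssl_cert-1.13.0.tar.bz2/NEWS
+++ b/check_ssl_cert-1.13.0.tar.bz2/NEWS
@@ -1,3 +1,5 @@
+2012-04-05 Version 1.13.0 The plugin will now try to fetch the certificate without
+ without TLS extensions in case of error
 2012-04-04 Version 1.12.0 Fixed a bug in the chain verification (hard coded error number)
 2011-10-22 Version 1.11.0 --altname option
 2011-09-01 Version 1.10.0 Applied a patch from Sven Nierlein to authenicate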
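--- a/check_ssl_cert-1.13.0.tar.bz2/VERSION
+++ b/check_ssl_cert-1.13.0.tar.bz2/VERSION
@@ -1 +1 @@
-1.12.0
+1.13.0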
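--- a/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert
+++ b/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert
@@ -19,15 +19,15 @@
 # enable substitution with:
 # $ svn propset svn:keywords "Id Revision HeadURL Source Date"
 #
-# $Id: check_ssl_cert 1291 2012-04-04 14:39:57Z corti $
-# $Revision: 1291 $
+# $Id: check_ssl_cert 1292 2012-04-05 09:30:27Z corti $
+# $Revision: 1292 $
 # $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $
-# $Date: 2012-04-04 16:39:57 +0200 (Wed, 04 Apr 2012) $
+# $Date: 2012-04-05 11:30:27 +0200 (Thu, 05 Apr 2012) $
 ################################################################################
 # Constants
-VERSION=1.12.0
+VERSION=1.13.0
 SHORTNAME="SSL_CERT"
 ################################################################################
@@ -178,6 +178,53 @@
 }
 ################################################################################
+# Tries to fetch the certificate
+
+fetch_certificate() {
+
+ # check if a protocol was specified (if not HTTP switch to TLS)
+ if [ -n "${PROTOCOL}" -a "${PROTOCOL}" != "http" -a "${PROTOCOL}" != "https" ] ; then
+
+ case "${PROTOCOL}" in
+
+ smtp|pop3|imap|ftp)
+
+timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+;;
+
+*)
+
+unknown "Error: unsupported protocol ${PROTOCOL}"
+
+esac
+
+elif [ -n "${FILE}" ] ; then
+
+if [ "${HOST}" = "localhost" ] ; then
+
+ timeout $TIMEOUT "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
+
+else
+
+ unknown "Error: option 'file' works with -H localhost only"
+
+fi
+
+else
+
+timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
+
+fi
+
+if [ $? -ne 0 ] ; then
+ critical "Error: $(head -n 1 ${ERROR})"
+fi
+
+
+}
+
+
+################################################################################
 # Main
 ################################################################################
@@ -482,42 +529,29 @@
 # using named signals to be POSIX compliant
 trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
-# check if a protocol was specified (if not HTTP switch to TLS)
-if [ -n "${PROTOCOL}" -a "${PROTOCOL}" != "http" -a "${PROTOCOL}" != "https" ] ; then
+fetch_certificate
- case "${PROTOCOL}" in
+if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
- smtp|pop3|imap|ftp)
+ if [ -n "${SERVERNAME}" ] ; then
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
- ;;
-
- *)
-
- unknown "Error: unsupported protocol ${PROTOCOL}"
-
- esac
-
-elif [ -n "${FILE}" ] ; then
-
- if [ "${HOST}" = "localhost" ] ; then
+ # some OpenSSL versions have problems with the -servername option
+ # we try without
+ if [ -n "${VERBOSE}" ] ; then
+ echo "'${OPENSSL} s_client' returned an error: trying without '-servername'"
+ fi
+
+ SERVERNAME=
+ fetch_certificate
- timeout $TIMEOUT "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
+ fi
- else
+ if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
- unknown "Error: option 'file' works with -H localhost only"
+ critical "cannot fetch certificate: OpenSSL got an unexpected message"
 fi
-else
-
- timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"
-
-fi
-
-if [ $? -ne 0 ] ; then
- critical "Error: $(head -n 1 ${ERROR})"
 fi
 if ! grep -q "CERTIFICATE" ${CERT} ; then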
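Review bot: The SNI fallback at `SERVERNAME=` followed by the second `fetch_certificate` call silently changes which certificate gets checked: a server that hosts several names behind one address typically presents its default certificate when no server name is sent, so the plugin may then validate a certificate other than the one served for the requested host, and the only trace of this is the echo guarded by `[ -n "${VERBOSE}" ]`. Recording the fallback in the result would keep such a check distinguishable from a normal one, e.g. a flag like `SNI_FALLBACK=1` set next to `SERVERNAME=` and mentioned in the final status line (that output is built outside this hunk). The retry is also reachable only if the first `fetch_certificate` returns at all; since that function ends in `critical "Error: $(head -n 1 ${ERROR})"` whenever the preceding command's status is non-zero, the branch on `sslv3 alert unexpected message` relies on the `timeout` helper (defined outside the hunk) exiting zero in that case, and a one-line comment stating that assumption next to the first `grep -q` would help the next reader. The main block continues past the hunk.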
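--- a/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.1
+++ b/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii foo.1
 .\"
-.TH "check_ssl_cert" 1 "April, 2012" "1.12.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "April, 2012" "1.13.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS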
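--- a/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.spec
+++ b/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.spec
@@ -6,7 +6,7 @@
 # $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $
 ################################################################################
-%define version 1.12.0
+%define version 1.13.0
 %define release 0
 %define sourcename check_ssl_cert
 %define packagename nagios-plugins-check_ssl_cert
@@ -53,6 +53,9 @@
 %{_mandir}/man1/%{sourcename}.1*
 %changelog
+* Thu Apr 5 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.13.0-0
+- updated to 1.13.0
+
 * Wed Apr 4 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.12.0-0
 - updated to 1.12.0 (bug fix release)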