Added |
check_ssl_cert.changes
Changed |
check_ssl_cert.spec
Changed |
check_ssl_cert-1.14.0.tar.bz2/ChangeLog
@@ -1,3 +1,8 @@
+2012-07-06 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * check_ssl_cert: performance data in days
+ * check_ssl_cert: long output (certificate attributes)
+
2012-04-05 Matteo Corti <matteo.corti@id.ethz.ch>
* check_ssl_cert: handle broken OpenSSL clients (-servername not working)
Changed |
check_ssl_cert-1.14.0.tar.bz2/NEWS
@@ -1,3 +1,7 @@
+2012-07-06 Version 1.14.0 The status now includes performance data in days until
+ expirtation (requires perl with Date::Parse).
+ It is now possible to print additional information in
+ the plugins long output (multiline, Nagios 3 only)
2012-04-05 Version 1.13.0 The plugin will now try to fetch the certificate without
without TLS extensions in case of error
2012-04-04 Version 1.12.0 Fixed a bug in the chain verification (hard coded error number)
Changed |
check_ssl_cert-1.14.0.tar.bz2/VERSION
@@ -1 +1 @@
-1.13.0
+1.14.0
Changed |
check_ssl_cert-1.14.0.tar.bz2/check_ssl_cert
@@ -19,17 +19,19 @@
# enable substitution with:
# $ svn propset svn:keywords "Id Revision HeadURL Source Date"
#
-# $Id: check_ssl_cert 1292 2012-04-05 09:30:27Z corti $
-# $Revision: 1292 $
+# $Id: check_ssl_cert 1305 2012-07-06 19:46:31Z corti $
+# $Revision: 1305 $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $
-# $Date: 2012-04-05 11:30:27 +0200 (Thu, 05 Apr 2012) $
+# $Date: 2012-07-06 21:46:31 +0200 (Fri, 06 Jul 2012) $
################################################################################
# Constants
-VERSION=1.13.0
+VERSION=1.14.0
SHORTNAME="SSL_CERT"
+VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
+
################################################################################
# Functions
@@ -64,6 +66,12 @@
echo " certificate"
echo " -f,--file file local file path (works with -H localhost only)"
echo " -h,--help,-? this help message"
+ echo " --long-output list append the specified comma separated (no spaces) list"
+ echo " of attributes to the plugin output on additiona lines."
+ echo " Valid attributes are:"
+ echo " enddate, startdate, subject, issuer, modulus, serial,"
+ echo " hash, email, ocsp_uri and fingerprint."
+ echo " 'all' will include all the available attributes."
echo " -i,--issuer issuer pattern to match the issuer of the certificate"
echo " -n,--cn name pattern to match the CN of the certificate"
echo " -N,--host-cn match CN with the host name"
@@ -103,7 +111,7 @@
if [ -n "${CN}" ] ; then
tmp=" ${CN}"
fi
- printf "${SHORTNAME} CRITICAL$tmp: $1\n"
+ printf "${SHORTNAME} CRITICAL$tmp: $1${PERFORMANCE_DATA}${LONG_OUTPUT}\n"
exit 2
}
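Review bot: The new `${LONG_OUTPUT}` is expanded inside the printf format string on the CRITICAL line, and the hunk at -571 fills it with values read from the peer's certificate, so a `%` or a backslash sequence in a subject or issuer is interpreted by printf instead of being printed. Passing the data as arguments keeps the format fixed: `printf '%s CRITICAL%s: %s%s%b\n' "${SHORTNAME}" "$tmp" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"`. `%b` still expands the `\n` separators that check_attr inserts, so backslashes inside the certificate values would additionally need neutralising where LONG_OUTPUT is built. The WARN line in the next hunk needs the same change, and the enclosing function starts outside this hunk.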
@@ -115,7 +123,7 @@
if [ -n "${CN}" ] ; then
tmp=" ${CN}"
fi
- printf "${SHORTNAME} WARN$tmp: $1\n"
+ printf "${SHORTNAME} WARN$tmp: $1${PERFORMANCE_DATA}${LONG_OUTPUT}\n"
exit 1
}
@@ -305,6 +313,12 @@
unknown "-i,--issuer requires an argument"
fi ;;
+ --long-output) if [ $# -gt 1 ]; then
+ LONG_OUTPUT_ATTR=$2; shift 2
+ else
+ unknown "--long-output requires an argument"
+ fi ;;
+
-n|--cn) if [ $# -gt 1 ]; then
COMMON_NAME=$2; shift 2
else
@@ -462,22 +476,36 @@
#######################
# Check needed programs
+# OpenSSL
if [ -z "${OPENSSL}" ] ; then
check_required_prog openssl
OPENSSL=$PROG
fi
+# check if openssl s_client supports the -servername option
+SERVERNAME=
+if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
+ SERVERNAME="-servername ${HOST}"
+fi
+
+# Expect (optional)
EXPECT=$(which expect 2> /dev/null)
test -x "${EXPECT}" || EXPECT=""
if [ -z "${EXPECT}" -a -n "${VERBOSE}" ] ; then
echo "Expect not found: disabling timeouts"
fi
-# check if openssl s_client supports the -servername option
-
-SERVERNAME=
-if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
- SERVERNAME="-servername ${HOST}"
+# Perl with Date::Parse (optional)
+PERL=$(which perl 2> /dev/null)
+test -x "${PERL}" || PERL=""
+if [ -z "${PERL}" -a -n "${VERBOSE}" ] ; then
+ echo "Perl not found: disabling date computations"
+fi
+if ! ${PERL} -e "use Date::Parse;" > /dev/null 2>&1 ; then
+ if [ -n "${VERBOSE}" ] ; then
+ echo "Perl module Date::Parse not installed: disabling date computations"
+ fi
+ PERL=
fi
################################################################################
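Review bot: The Date::Parse probe runs even when no perl was found: with `PERL` empty, `${PERL} -e "use Date::Parse;"` expands to a command named `-e`, which fails and, in verbose mode, prints the misleading "Perl module Date::Parse not installed" message right after "Perl not found". Guarding the probe keeps the two cases apart: `if [ -n "${PERL}" ] && ! "${PERL}" -e "use Date::Parse;" > /dev/null 2>&1 ; then`. Quoting `"${PERL}"` also protects against a path containing spaces.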
@@ -571,6 +599,71 @@
CA_O=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*$//")
CA_CN=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
+
+################################################################################
+# Generate the long output
+if [ -n "${LONG_OUTPUT_ATTR}" ] ; then
+
+ check_attr() {
+ ATTR=$1
+ if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR}," ; then
+ unknown "Invalid certificate attribute: ${ATTR}"
+ else
+ value=$(${OPENSSL} x509 -in ${CERT} -noout -${ATTR} | sed -e "s/.*=//")
+ LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"
+ fi
+
+ }
+
+ # split on comma
+ if [ "${LONG_OUTPUT_ATTR}" = "all" ] ; then
+ LONG_OUTPUT_ATTR=${VALID_ATTRIBUTES}
+ fi
+ attributes=$( echo ${LONG_OUTPUT_ATTR} | tr ',' "\n" )
+ for attribute in $attributes ; do
+ check_attr ${attribute}
+ done
+
+fi
+
+################################################################################
+# compute for how many days the certificate will be valid
+
+if [ -n "${PERL}" ] ; then
+
+ export CERT_END_DATE=$($OPENSSL x509 -in ${CERT} -noout -enddate | sed -e "s/.*=//")
+
+ DAYS_VALID=$( perl <<-'EOF'
+
+ use strict;
+ use warnings;
+
+ use Date::Parse;
+
+ my $cert_date = str2time( $ENV{'CERT_END_DATE'} );
+
+ my $days = int (( $cert_date - time ) / 86400 + 0.5);
+
+ print "$days\n";
+
+EOF
+)
+
+ if [ -n "${VERBOSE}" ] ; then
+ if [ ${DAYS_VALID} -ge 0 ] ; then
+ echo "The certificate will expire in ${DAYS_VALID} day(s)"
+ else
+ echo "The certificate expired "$((- DAYS_VALID))" day(s) ago"
+ fi
+
+ fi
+
+ PERFORMANCE_DATA="|days=$DAYS_VALID;${WARNING};${CRITICAL};;"
+
+fi
+
+
+
################################################################################
# check the CN (this will not work as expected with wildcard certificates)
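Review bot: check_attr validates the attribute with a regular-expression match, `grep -q ",${ATTR},"`, so an argument containing regex metacharacters can pass the allow-list and is then handed to openssl as an option name; `grep -qF ",${ATTR},"` makes the match literal. The value itself comes from the peer's certificate and is appended unfiltered, although `|` separates performance data in plugin output and the greedy `s/.*=//` cuts a multi-component subject or issuer down to its last field; something like `value=$(${OPENSSL} x509 -in "${CERT}" -noout -"${ATTR}" | sed -e 's/^[^=]*=//' | tr '|%\\' '___')` addresses both. In the days computation the heredoc invokes bare `perl` rather than the `${PERL}` that was probed, and `DAYS_VALID` is used in `[ ${DAYS_VALID} -ge 0 ]` and in the performance data without checking that str2time() returned a number, so an unparseable end date or a failed perl run yields a test error or a bogus `days=` value.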
@@ -718,6 +811,6 @@
CN=${COMMON_NAME}
fi
-echo "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '$CN' from '$CA_ISSUER_MATCHED' valid until $DATE"
+echo "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '${CN}' from '${CA_ISSUER_MATCHED}' valid until ${DATE}${PERFORMANCE_DATA}${LONG_OUTPUT}"
exit 0
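Review bot: `${LONG_OUTPUT}` holds literal `\n` sequences (check_attr builds it as `"${LONG_OUTPUT}\n${ATTR}: ${value}"`), and this OK line prints it with `echo`, whose handling of backslash escapes differs between shells, while the CRITICAL and WARN paths use printf. Depending on the interpreter (the shebang is not visible in this diff) the long output may end up on the first line with visible `\n` text instead of on additional lines. Using printf here as well makes the three exits consistent: `printf '%s%b\n' "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '${CN}' from '${CA_ISSUER_MATCHED}' valid until ${DATE}${PERFORMANCE_DATA}" "${LONG_OUTPUT}"`.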
Changed |
check_ssl_cert-1.14.0.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
-.TH "check_ssl_cert" 1 "April, 2012" "1.13.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "April, 2012" "1.14.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
@@ -42,6 +42,10 @@
.BR "-h,--help,-?"
this help message
.TP
+.BR "--long-output" " list"
+append the specified comma separated (no spaces) list of attributes to the plugin output on additiona lines.
+Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
+.TP
.BR "-i,--issuer" " issuer"
pattern to match the issuer of the certificate
.TP
Changed |
check_ssl_cert-1.14.0.tar.bz2/check_ssl_cert.spec
@@ -6,7 +6,7 @@
# $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $
################################################################################
-%define version 1.13.0
+%define version 1.14.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -53,6 +53,9 @@
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Fri Jul 6 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.14.0-0
+- updated to 1.14.0
+
* Thu Apr 5 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.13.0-0
- updated to 1.13.0