@@ -19,15 +19,15 @@
# enable substitution with:
# $ svn propset svn:keywords "Id Revision HeadURL Source Date"
#
-# $Id: check_ssl_cert 1340 2013-07-29 17:17:11Z corti $
-# $Revision: 1340 $
+# $Id: check_ssl_cert 1348 2013-12-23 08:07:44Z corti $
+# $Revision: 1348 $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $
-# $Date: 2013-07-29 19:17:11 +0200 (Mon, 29 Jul 2013) $
+# $Date: 2013-12-23 09:07:44 +0100 (Mon, 23 Dec 2013) $
################################################################################
# Constants
-VERSION=1.15.0
+VERSION=1.16.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -88,6 +88,7 @@
echo " -t,--timeout seconds timeout after the specified time"
echo " (defaults to 15 seconds)"
echo " --temp dir directory where to store the temporary files"
+ echo " --tls1 force TLS version 1"
echo " -v,--verbose verbose output"
echo " -V,--version version"
echo " -w,--warning days minimum number of days a certificate has to be valid"
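Review bot: The help text `force TLS version 1` undersells what the option does: the `-tls1` flag it maps to (the `--tls1` arm later in this diff) makes s_client speak TLS 1.0 and nothing else, with no version negotiation, so a server that has retired TLS 1.0 will fail the check outright. Say so on the line, e.g. `echo "   --tls1                  force TLS version 1.0 only (no version negotiation)"`, so it is not mistaken for a generic "use TLS" switch. The usage function begins before this hunk.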
@@ -112,7 +113,7 @@
if [ -n "${CN}" ] ; then
tmp=" ${CN}"
fi
- printf "${SHORTNAME} CRITICAL$tmp: $1${PERFORMANCE_DATA}${LONG_OUTPUT}\n"
+ printf '%s CRITICAL%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
exit 2
}
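Review bot: Moving the message out of the format string stops printf from interpreting backslash escapes that callers rely on: `LONG_OUTPUT` is joined with a literal `\n` (the `LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"` line later in this diff) and the verification failures pass `"Cannot verify certificate\nself signed certificate"` and `"Cannot verify certificate\n${details}"`, so the new line prints `\n` verbatim. A constant format string is the right fix for the injection; keep it and use `%b` for the two operands that carry escapes: `printf '%s CRITICAL%s: %b%s%b\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"`. `%b` expands backslash escapes in its argument but never `%` directives, so the injection fix is preserved. The critical function starts before this hunk.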
@@ -124,7 +125,7 @@
if [ -n "${CN}" ] ; then
tmp=" ${CN}"
fi
- printf "${SHORTNAME} WARN$tmp: $1${PERFORMANCE_DATA}${LONG_OUTPUT}\n"
+ printf '%s WARN%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
exit 1
}
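Review bot: `LONG_OUTPUT` is built with a literal `\n` between attributes (see the `LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"` line in a later hunk); the old format-string form expanded that into newlines, whereas with `%s` the plugin's long output is now one line containing backslash-n. Keep the constant format but use `%b` for the operands that may carry escapes, matching what critical needs: `printf '%s WARN%s: %b%s%b\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"`. The warning function starts before this hunk.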
@@ -136,7 +137,7 @@
if [ -n "${CN}" ] ; then
tmp=" ${CN}"
fi
- printf "${SHORTNAME} UNKNOWN$tmp: $1\n"
+ printf '%s UNKNOWN%s: %s\n' "${SHORTNAME}" "${tmp}" "$1"
exit 3
}
@@ -167,7 +168,7 @@
fi
else
- eval ${command}
+ eval "${command}"
fi
}
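Review bot: Quoting the argument to `eval` does not change what gets executed — `eval` joins its arguments and re-parses the result either way — so this branch still runs a shell string assembled from `$HOST`, `$PORT`, `${FILE}` and the temp-file paths (see the exec_with_timeout calls later in this diff) with whatever metacharacters those contain. The durable fix is for exec_with_timeout to take the command as separate words and run `"$@"` rather than a string; short of that, a comment here such as `# no timeout helper available: the string is re-parsed by the shell, callers must pass only validated values` would at least warn the next maintainer. The condition this `else` belongs to and the function header are outside the hunk, so I cannot confirm what the other branch does.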
@@ -179,7 +180,7 @@
# Returns 1 if the program exists and is executable
check_required_prog() {
- PROG=$(which $1 2> /dev/null)
+ PROG=$(which "$1" 2> /dev/null)
if [ -z "$PROG" ] ; then
critical "cannot find $1"
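Review bot: `which` is an external, non-POSIX tool, and on some platforms (Solaris's `/usr/bin/which`, csh-based variants) it prints its "no foo in ..." diagnostic to stdout rather than stderr, so `PROG` can be non-empty for a missing program and the `critical "cannot find $1"` guard is skipped. Prefer the POSIX shell builtin, which also avoids a fork: `PROG=$(command -v "$1" 2> /dev/null)`. The rest of check_required_prog is outside the hunk.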
@@ -203,7 +204,7 @@
smtp|pop3|imap|ftp|xmpp)
-exec_with_timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} 2> ${ERROR} 1> ${CERT}"
+exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} 2> ${ERROR} 1> ${CERT}"
;;
*)
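Review bot: The quoting sweep stops at the exec_with_timeout argument; inside the string that `eval` will re-parse, `${ROOT_CA}`, `${ERROR}` and `${CERT}` are still unquoted, so a `--temp` directory or root-CA path containing a space or glob character breaks the redirections or the `-CAfile`/`-CApath` argument and openssl's output lands somewhere unexpected. At minimum single-quote the redirection targets inside the string, `2> '${ERROR}' 1> '${CERT}'`, and add a comment that single quotes still do not protect against a quote character in the path — only passing the command as separate words to exec_with_timeout does. The surrounding `case` and fetch_certificate's header are outside the hunk.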
@@ -216,7 +217,7 @@
if [ "${HOST}" = "localhost" ] ; then
- exec_with_timeout $TIMEOUT "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "$TIMEOUT" "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}"
else
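Review bot: `'${FILE}'` is expanded before `eval` re-parses the string, so a file name containing a single quote terminates the quoting and the remainder of the name is executed as shell; the plugin is normally run from a Nagios command definition, and with NRPE argument passing enabled the value may be remotely supplied, so this is worth closing. A local file read needs neither a subshell nor a timeout, so I would bypass the eval entirely on this line: `cat -- "${FILE}" > "${CERT}" 2> "${ERROR}"`. The enclosing `if`/`else` and fetch_certificate continue outside the hunk.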
@@ -226,7 +227,7 @@
else
-exec_with_timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} 2> ${ERROR} 1> ${CERT}"
+exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} 2> ${ERROR} 1> ${CERT}"
fi
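Review bot: `$HOST:$PORT` is spliced into a string that exec_with_timeout hands to `eval`, and nothing visible in this diff validates either value first (the option parsing that sets them is outside the hunks I can see), so a `-H` or `-p` argument containing shell metacharacters is executed rather than connected to. If the parser does not already do it, reject anything but a port number and a host-name-shaped value before fetch_certificate runs, e.g. `case "${PORT}" in ''|*[!0-9]*) unknown "invalid port ${PORT}" ;; esac` and `case "${HOST}" in *[!A-Za-z0-9.:_-]*) unknown "invalid host ${HOST}" ;; esac` (widen the class if bracketed IPv6 literals must be accepted). The STARTTLS branch earlier in this diff builds the same string and needs the same guard.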
@@ -249,7 +250,6 @@
TIMEOUT=15
VERBOSE=""
OPENSSL=""
- SSLVERSION=""
# set the default temp dir if not set
if [ -z "${TMPDIR}" ] ; then
@@ -277,6 +277,8 @@
-N|--host-cn) COMMON_NAME="__HOST__"; shift ;;
-s|--selfsigned) SELFSIGNED=1; shift ;;
+
+ --tls1) SSL_VERSION="-tls1"; shift ;;
-v|--verbose) VERBOSE=1; shift ;;
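Review bot: The new `--tls1` arm is the only place in this diff that sets `SSL_VERSION`, while the defaults hunk earlier removed the misspelled `SSLVERSION=""` without adding `SSL_VERSION=""`; unless it is initialised somewhere outside these hunks, an `SSL_VERSION` inherited from the environment is silently appended to the `openssl s_client` command, since fetch_certificate interpolates it unquoted into the eval'd string. Add `SSL_VERSION=""` next to `OPENSSL=""` in the defaults block. The added blank line at the top of this hunk (a bare `+`) also splits the otherwise compact option list; I would drop it. The option-parsing `case` starts and ends outside the hunk.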
@@ -397,7 +399,7 @@
TMPDIR=$2; shift 2
else
unknown "--temp requires an argument"
- fi ;;
+ fi ;;
-w|--warning) if [ $# -gt 1 ]; then
WARNING=$2; shift 2
@@ -436,20 +438,20 @@
fi
if [ -n "${ROOT_CA}" ] ; then
- if [ ! -r ${ROOT_CA} ] ; then
+ if [ ! -r "${ROOT_CA}" ] ; then
unknown "Cannot read root certificate ${ROOT_CA}"
fi
- if [ -d ${ROOT_CA} ] ; then
+ if [ -d "${ROOT_CA}" ] ; then
ROOT_CA="-CApath ${ROOT_CA}"
- elif [ -f ${ROOT_CA} ] ; then
+ elif [ -f "${ROOT_CA}" ] ; then
ROOT_CA="-CAfile ${ROOT_CA}"
else
- unknown "Root certificate of unknown type $(file ${ROOT_CA} 2> /dev/null)"
+ unknown "Root certificate of unknown type $(file "${ROOT_CA}" 2> /dev/null)"
fi
fi
if [ -n "${CLIENT_CERT}" ] ; then
- if [ ! -r ${CLIENT_CERT} ] ; then
+ if [ ! -r "${CLIENT_CERT}" ] ; then
unknown "Cannot read client certificate ${CLIENT_CERT}"
fi
fi
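Review bot: Quoting `${ROOT_CA}` in the tests is correct, but the variable is then overwritten with `-CApath ${ROOT_CA}` / `-CAfile ${ROOT_CA}` as a single string that the fetch_certificate hunks later interpolate unquoted into the eval'd `openssl s_client` command, so a CA path with a space still splits into two arguments at the point of use and the verification is not done against the intended store. Either keep flag and path in separate variables and quote the path inside the command string, or refuse such paths up front: `case "${ROOT_CA}" in *[[:space:]]*) unknown "root certificate path must not contain whitespace" ;; esac` before the `-d`/`-f` tests.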
@@ -461,31 +463,31 @@
fi
if [ -n "${WARNING}" ] ; then
- if ! echo ${WARNING} | grep -q '[0-9][0-9]*' ; then
+ if ! echo "${WARNING}" | grep -q '[0-9][0-9]*' ; then
unknown "invalid number of days ${WARNING}"
fi
fi
if [ -n "${CRITICAL}" ] && [ -n "${WARNING}" ] ; then
- if [ ${WARNING} -le ${CRITICAL} ] ; then
+ if [ "${WARNING}" -le "${CRITICAL}" ] ; then
unknown "--warning (${WARNING}) is less than or equal to --critical (${CRITICAL})"
fi
fi
if [ -n "${TMPDIR}" ] ; then
- if [ ! -d ${TMPDIR} ] ; then
+ if [ ! -d "${TMPDIR}" ] ; then
unknown "${TMPDIR} is not a directory";
fi
- if [ ! -w ${TMPDIR} ] ; then
+ if [ ! -w "${TMPDIR}" ] ; then
unknown "${TMPDIR} is not writable";
fi
fi
if [ -n "${OPENSSL}" ] ; then
- if [ ! -x ${OPENSSL} ] ; then
+ if [ ! -x "${OPENSSL}" ] ; then
unknown "${OPENSSL} ist not an executable"
fi
- if [ $(basename ${OPENSSL}) != 'openssl' ] ; then
+ if [ "${OPENSSL##*/}" != 'openssl' ] ; then
unknown "${OPENSSL} ist not an openssl executable"
fi
fi
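Review bot: `grep -q '[0-9][0-9]*'` only requires that a digit appear somewhere, so `-w 10x` or `-w abc5` pass validation and the later `[ "${WARNING}" -le "${CRITICAL}" ]` and `$(( WARNING * 86400 ))` fail with a shell error instead of a clean UNKNOWN. Anchor the pattern: `if ! echo "${WARNING}" | grep -q '^[0-9][0-9]*$' ; then`. The `CRITICAL` check that closes just before this hunk presumably uses the same pattern and needs the same anchoring.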
@@ -535,7 +537,7 @@
if [ -n "${VERBOSE}" ] ; then
echo "Perl module Date::Parse not installed: disabling date computations"
fi
- PERL=
+ PERL=""
fi
################################################################################
@@ -564,13 +566,13 @@
# fetch the X.509 certificate
# temporary storage for the certificate and the errors
-
- CERT=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
+
+ CERT=$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )
if [ -z "${CERT}" ] || [ ! -w "${CERT}" ] ; then
unknown 'temporary file creation failure.'
fi
- ERROR=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
+ ERROR=$( mktemp -t "${0##*/}XXXXXX" 2> /dev/null )
if [ -z "${ERROR}" ] || [ ! -w "${ERROR}" ] ; then
unknown 'temporary file creation failure.'
fi
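Review bot: If the second `mktemp` fails, `unknown` exits while the file created by the first one is left behind, because the `trap ... rm -f` that removes both is only installed after this hunk (the `trap 'rm -f $CERT $ERROR'` line later in the diff). Install the trap immediately after the first successful `mktemp`, before `ERROR` is created, so every exit path from that point cleans up. It is also worth a one-line comment that these files hold the server's certificate and the full `-verify` diagnostics and rely on mktemp's default restrictive mode, e.g. `# mktemp creates the files with a private mode; do not loosen it, ERROR carries handshake details`.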
@@ -591,11 +593,11 @@
# cleanup before program termination
# using named signals to be POSIX compliant
- trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
+ trap 'rm -f $CERT $ERROR' EXIT HUP INT QUIT TERM
fetch_certificate
- if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
+ if grep -q 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
if [ -n "${SERVERNAME}" ] ; then
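Review bot: Single-quoting the trap defers expansion until it fires, which is fine because `CERT` and `ERROR` do not change afterwards, but `$CERT $ERROR` inside it are still unquoted, so a `--temp` directory containing whitespace leaves the temporary certificate and error files behind (and `rm -f` hides the failure). Quote them: `trap 'rm -f "$CERT" "$ERROR"' EXIT HUP INT QUIT TERM`.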
@@ -610,7 +612,7 @@
fi
- if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
+ if grep -q 'sslv3\ alert\ unexpected\ message' "${ERROR}" ; then
critical "cannot fetch certificate: OpenSSL got an unexpected message"
@@ -618,7 +620,7 @@
fi
- if ! grep -q "CERTIFICATE" ${CERT} ; then
+ if ! grep -q "CERTIFICATE" "${CERT}" ; then
if [ -n "${FILE}" ] ; then
critical "'${FILE}' is not a valid certificate file"
else
@@ -634,7 +636,7 @@
# - finally the substitution replaces every newline with a space on
# the pattern space
- ERROR_MESSAGE=$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/; /g' ${ERROR})
+ ERROR_MESSAGE=$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/; /g' "${ERROR}")
if [ -n "${VERBOSE}" ] ; then
echo "Error: ${ERROR_MESSAGE}"
fi
@@ -645,11 +647,11 @@
################################################################################
# parse the X.509 certificate
- DATE=$($OPENSSL x509 -in ${CERT} -enddate -noout | sed -e "s/^notAfter=//")
- CN=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
+ DATE=$($OPENSSL x509 -in "${CERT}" -enddate -noout | sed -e "s/^notAfter=//")
+ CN=$($OPENSSL x509 -in "${CERT}" -subject -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*\$//")
- CA_O=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*$//")
- CA_CN=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
+ CA_O=$($OPENSSL x509 -in "${CERT}" -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*\$//")
+ CA_CN=$($OPENSSL x509 -in "${CERT}" -issuer -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*\$//")
################################################################################
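Review bot: These `sed` expressions depend on the legacy one-line `subject= /C=.../CN=...` rendering, and `CN` and `CA_CN` are what the common-name and issuer checks later compare against, so an openssl build that prints the distinguished name differently (newer releases default to `CN = ...` with `, ` separators) makes those checks compare against the wrong string. Pin the format explicitly on each call, e.g. `$OPENSSL x509 -in "${CERT}" -subject -noout -nameopt compat`, or switch to `-nameopt RFC2253` and match on `CN=`. I cannot see which openssl versions this script targets, so treat this as hardening rather than a current failure.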
@@ -661,7 +663,7 @@
if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR}," ; then
unknown "Invalid certificate attribute: ${ATTR}"
else
- value=$(${OPENSSL} x509 -in ${CERT} -noout -${ATTR} | sed -e "s/.*=//")
+ value=$(${OPENSSL} x509 -in "${CERT}" -noout -"${ATTR}" | sed -e "s/.*=//")
LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"
fi
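Review bot: The whitelist test on the first line of this hunk, `grep -q ",${ATTR},"`, treats `ATTR` as a basic regular expression, so a value such as `.*` passes and is then handed to openssl here as `-.*`; openssl only complains, but it means the whitelist does not actually whitelist. Make it a literal match: `if ! echo "${VALID_ATTRIBUTES}" | grep -qF -- ",${ATTR}," ; then`. check_attr's header is outside the hunk.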
@@ -673,7 +675,7 @@
fi
attributes=$( echo ${LONG_OUTPUT_ATTR} | tr ',' "\n" )
for attribute in $attributes ; do
- check_attr ${attribute}
+ check_attr "${attribute}"
done
fi
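Review bot: The quoting sweep skipped `echo ${LONG_OUTPUT_ATTR}` on the line before the loop, so a `*` or `?` in the `--long-output` attribute list is glob-expanded against the current directory before `tr` ever sees it. Quote it, `attributes=$( echo "${LONG_OUTPUT_ATTR}" | tr ',' "\n" )`, and leave the unquoted `$attributes` in the `for` to do the intended word-splitting. The `if` enclosing this loop starts before the hunk.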
@@ -683,7 +685,7 @@
if [ -n "${PERL}" ] ; then
- CERT_END_DATE=$($OPENSSL x509 -in ${CERT} -noout -enddate | sed -e "s/.*=//")
+ CERT_END_DATE=$($OPENSSL x509 -in "${CERT}" -noout -enddate | sed -e "s/.*=//")
DAYS_VALID=$( perl - "${CERT_END_DATE}" <<-"EOF"
@@ -703,7 +705,7 @@
)
if [ -n "${VERBOSE}" ] ; then
- if [ ${DAYS_VALID} -ge 0 ] ; then
+ if [ "${DAYS_VALID}" -ge 0 ] ; then
echo "The certificate will expire in ${DAYS_VALID} day(s)"
else
echo "The certificate expired "$((- DAYS_VALID))" day(s) ago"
@@ -730,7 +732,7 @@
# check alterante names
if [ -n "${ALTNAMES}" ] ; then
- for alt_name in $( $OPENSSL x509 -in ${CERT} -text | \
+ for alt_name in $( $OPENSSL x509 -in "${CERT}" -text | \
grep --after-context=1 '509v3 Subject Alternative Name:' | \
tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g" ) ; do
case $COMMON_NAME in
@@ -753,12 +755,12 @@
ok=''
CA_ISSUER_MATCHED=''
- if echo $CA_CN | grep -q "^$ISSUER$" ; then
+ if echo "$CA_CN" | grep -q "^${ISSUER}\$" ; then
ok='true'
CA_ISSUER_MATCHED="${CA_CN}"
fi
- if echo $CA_O | grep -q "^$ISSUER$" ; then
+ if echo "$CA_O" | grep -q "^${ISSUER}\$" ; then
ok='true'
CA_ISSUER_MATCHED="${CA_O}"
fi
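Review bot: `ISSUER` is an operator-supplied string but is used here as a basic regular expression, so `--issuer "Example Inc."` also accepts `Example Incx`, and an issuer containing `[`, `*` or `\` either fails to match or makes grep error out; the `^...$` anchors show an exact match is what is intended. A plain string comparison expresses that and sidesteps escaping entirely: `if [ "${CA_CN}" = "${ISSUER}" ] ; then`, and likewise `if [ "${CA_O}" = "${ISSUER}" ] ; then` for the organisation branch.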
@@ -777,13 +779,13 @@
# check the validity
# we always check expired certificates
- if ! $OPENSSL x509 -in ${CERT} -noout -checkend 0 ; then
+ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
critical "certificate is expired (was valid until $DATE)"
fi
if [ -n "${CRITICAL}" ] ; then
- if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${CRITICAL} * 86400 )) ; then
+ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRITICAL * 86400 )) ; then
critical "certificate will expire on $DATE"
fi
@@ -791,7 +793,7 @@
if [ -n "${WARNING}" ] ; then
- if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${WARNING} * 86400 )) ; then
+ if ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARNING * 86400 )) ; then
warning "certificate will expire on $DATE"
fi
@@ -802,9 +804,9 @@
if [ -n "$ORGANIZATION" ] ; then
- ORG=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/.*\/O=//" -e "s/\/.*//")
+ ORG=$($OPENSSL x509 -in "${CERT}" -subject -noout | sed -e "s/.*\/O=//" -e "s/\/.*//")
- if ! echo $ORG | grep -q "^$ORGANIZATION" ; then
+ if ! echo "$ORG" | grep -q "^$ORGANIZATION" ; then
critical "invalid organization ('$ORGANIZATION' does not match '$ORG')"
fi
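Review bot: `grep -q "^$ORGANIZATION"` is a prefix match with `ORGANIZATION` interpreted as a regular expression, so `--org "Example"` accepts a certificate issued to `Example Evil Ltd` and a `.` in the name matches any character; for a check whose purpose is to fail on the wrong organisation that is too loose. Use an exact, literal, whole-line comparison: `if ! echo "$ORG" | grep -qxF -- "$ORGANIZATION" ; then` (or simply `[ "$ORG" = "$ORGANIZATION" ]`). Note also that `sed -e "s/\/.*//"` on the previous line truncates the `O=` value at its first `/`, so an organisation containing a slash can never match.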
@@ -815,7 +817,7 @@
if [ -n "$ADDR" ] ; then
- EMAIL=$($OPENSSL x509 -in ${CERT} -email -noout)
+ EMAIL=$($OPENSSL x509 -in "${CERT}" -email -noout)
if [ -n "${VERBOSE}" ] ; then
echo "checking email (${ADDR}): ${EMAIL}"
@@ -825,7 +827,7 @@
critical "the certficate does not contain an email address"
fi
- if ! echo $EMAIL | grep -q "^$ADDR" ; then
+ if ! echo "$EMAIL" | grep -q "^$ADDR" ; then
critical "invalid email ($ADDR does not match $EMAIL)"
fi
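Review bot: `grep -q "^$ADDR"` is a prefix match, so `--email admin@example.com` also accepts `admin@example.com.evil` or `admin@example.company`, and `ADDR` is read as a regex in which `.` matches anything. Since `openssl x509 -email` prints one address per line and `echo "$EMAIL"` now preserves those lines, a whole-line literal match does what the check intends: `if ! echo "$EMAIL" | grep -qxF -- "$ADDR" ; then`. The message typo `certficate` a few lines up could be fixed at the same time.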
@@ -834,9 +836,9 @@
################################################################################
# Check if the certificate was verified
- if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' ${ERROR} ; then
+ if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' "${ERROR}" ; then
- if grep -q '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' ${ERROR} ; then
+ if grep -q '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' "${ERROR}" ; then
if [ -z "${SELFSIGNED}" ] ; then
critical "Cannot verify certificate\nself signed certificate"
@@ -847,7 +849,7 @@
else
# process errors
- details=$(grep '^verify\ error:' ${ERROR} | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
+ details=$(grep '^verify\ error:' "${ERROR}" | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
critical "Cannot verify certificate\n${details}"
@@ -866,13 +868,13 @@
if [ -n "${DAYS_VALID}" ] ; then
# nicer formatting
- if [ ${DAYS_VALID} -gt 1 ] ; then
+ if [ "${DAYS_VALID}" -gt 1 ] ; then
DAYS_VALID=" (expires in ${DAYS_VALID} days)"
- elif [ ${DAYS_VALID} -eq 1 ] ; then
+ elif [ "${DAYS_VALID}" -eq 1 ] ; then
DAYS_VALID=" (expires tomorrow)"
- elif [ ${DAYS_VALID} -eq 0 ] ; then
+ elif [ "${DAYS_VALID}" -eq 0 ] ; then
DAYS_VALID=" (expires today)"
- elif [ ${DAYS_VALID} -eq -1 ] ; then
+ elif [ "${DAYS_VALID}" -eq -1 ] ; then
DAYS_VALID=" (expired yesterday)"
else
DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
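Review bot: The final `else` branch prints the raw negative count — `DAYS_VALID` is below zero once the certificate has expired, as the `-eq -1` case just above shows — so the status line reads `(expired -5 days ago)`. Negate it the way the verbose path earlier in this diff does with `$((- DAYS_VALID))`: `DAYS_VALID=" (expired $(( - DAYS_VALID )) days ago)"`. The `fi` closing this chain is not shown in the hunk.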