Changes of Revision 22
[-] | Changed | check_ssl_cert.spec |
2 -%define version 1.12.0 3 +%define version 1.13.0 4 %define release 1 5 %define name check_ssl_cert 6 %define _nagdir %{_prefix}/lib/nagios 7
8 %{_mandir}/man1/check_ssl_cert.1* 9 10 %changelog 11 +* Thu Mar 05 2012 Carsten Schoene <cs@linux-administrator.com> - 1.13.0-1 12 +- update to release 1.13.0 13 + 14 * Wed Mar 04 2012 Carsten Schoene <cs@linux-administrator.com> - 1.12.0-1 15 - update to release 1.12.0 16 17 |
[+] | Changed | check_ssl_cert-1.13.0.tar.bz2/AUTHORS ^ |
@@ -25,6 +25,8 @@ * Many thanks to Raphael Thoma for the patch allowing HTTP to be specified as protocol and the fix on -N with wildcards * Many thanks to Sven Nierlein for the client certificate authentication patch +* Many thanks to Rob Yamry for the help in debugging a problem with + certain versions of OpenSSL and TLS extensions # File version information: # $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $ | ||
[+] | Changed | check_ssl_cert-1.13.0.tar.bz2/ChangeLog ^ |
@@ -1,3 +1,7 @@ +2012-04-05 Matteo Corti <matteo.corti@id.ethz.ch> + + * check_ssl_cert: handle broken OpenSSL clients (-servername not working) + 2012-04-04 Matteo Corti <matteo.corti@id.ethz.ch> * check_ssl_cert: removed an hard coded reference to the error number by the | ||
[+] | Changed | check_ssl_cert-1.13.0.tar.bz2/NEWS ^ |
@@ -1,3 +1,5 @@ +2012-04-05 Version 1.13.0 The plugin will now try to fetch the certificate without + without TLS extensions in case of error 2012-04-04 Version 1.12.0 Fixed a bug in the chain verification (hard coded error number) 2011-10-22 Version 1.11.0 --altname option 2011-09-01 Version 1.10.0 Applied a patch from Sven Nierlein to authenicate | ||
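--- a/check_ssl_cert-1.13.0.tar.bz2/VERSION
+++ b/check_ssl_cert-1.13.0.tar.bz2/VERSION
@@ -1 +1 @@
-1.12.0
+1.13.0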
[+] | Changed | check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert ^ |
@@ -19,15 +19,15 @@ # enable substitution with: # $ svn propset svn:keywords "Id Revision HeadURL Source Date" # -# $Id: check_ssl_cert 1291 2012-04-04 14:39:57Z corti $ -# $Revision: 1291 $ +# $Id: check_ssl_cert 1292 2012-04-05 09:30:27Z corti $ +# $Revision: 1292 $ # $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $ -# $Date: 2012-04-04 16:39:57 +0200 (Wed, 04 Apr 2012) $ +# $Date: 2012-04-05 11:30:27 +0200 (Thu, 05 Apr 2012) $ ################################################################################ # Constants -VERSION=1.12.0 +VERSION=1.13.0 SHORTNAME="SSL_CERT" ################################################################################ @@ -178,6 +178,53 @@ } ################################################################################ +# Tries to fetch the certificate + +fetch_certificate() { + + # check if a protocol was specified (if not HTTP switch to TLS) + if [ -n "${PROTOCOL}" -a "${PROTOCOL}" != "http" -a "${PROTOCOL}" != "https" ] ; then + + case "${PROTOCOL}" in + + smtp|pop3|imap|ftp) + +timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}" +;; + +*) + +unknown "Error: unsupported protocol ${PROTOCOL}" + +esac + +elif [ -n "${FILE}" ] ; then + +if [ "${HOST}" = "localhost" ] ; then + + timeout $TIMEOUT "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}" + +else + + unknown "Error: option 'file' works with -H localhost only" + +fi + +else + +timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}" + +fi + +if [ $? -ne 0 ] ; then + critical "Error: $(head -n 1 ${ERROR})" +fi + + +} + + +################################################################################ # Main ################################################################################ 
@@ -482,42 +529,29 @@ # using named signals to be POSIX compliant trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM -# check if a protocol was specified (if not HTTP switch to TLS) -if [ -n "${PROTOCOL}" -a "${PROTOCOL}" != "http" -a "${PROTOCOL}" != "https" ] ; then +fetch_certificate - case "${PROTOCOL}" in +if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then - smtp|pop3|imap|ftp) + if [ -n "${SERVERNAME}" ] ; then - timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}" - ;; - - *) - - unknown "Error: unsupported protocol ${PROTOCOL}" - - esac - -elif [ -n "${FILE}" ] ; then - - if [ "${HOST}" = "localhost" ] ; then + # some OpenSSL versions have problems with the -servername option + # we try without + if [ -n "${VERBOSE}" ] ; then + echo "'${OPENSSL} s_client' returned an error: trying without '-servername'" + fi + + SERVERNAME= + fetch_certificate - timeout $TIMEOUT "/bin/cat '${FILE}' 2> ${ERROR} 1> ${CERT}" + fi - else + if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then - unknown "Error: option 'file' works with -H localhost only" + critical "cannot fetch certificate: OpenSSL got an unexpected message" fi -else - - timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}" - -fi - -if [ $? -ne 0 ] ; then - critical "Error: $(head -n 1 ${ERROR})" fi if ! grep -q "CERTIFICATE" ${CERT} ; then | ||
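Review bot: The fallback in the second hunk re-fetches with `SERVERNAME=` cleared, but a server that needed SNI may then present its default certificate rather than the one it serves for `$HOST`, so the check can pass (or fail on the CN) against a certificate that real clients of that hostname never see, and the only trace is the VERBOSE echo. I would record this above `SERVERNAME=` with `# NOTE: without -servername the server may return its default (non-SNI) certificate, which can differ from the one served for $HOST` and consider mentioning the fallback in the plugin output rather than only under VERBOSE. The retry also looks reachable only when `fetch_certificate` returns: that function calls `critical` whenever the `timeout` wrapper reports a non-zero status, so if `s_client` exits non-zero on the "unexpected message" alert the `grep -q` on `${ERROR}` is never reached — worth confirming against the `timeout` helper, which is defined outside these hunks. Finally, the new `fetch_certificate` in the first hunk has no header comment; it reads PROTOCOL, FILE, HOST, PORT, SERVERNAME, CLIENT, CLIENTPASS, ROOT_CA, TIMEOUT and OPENSSL and writes `${CERT}` and `${ERROR}`, and a Globals/Outputs block saying so would make clear that the caller's `trap` on those files must already be installed when it runs.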
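--- a/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.1
+++ b/check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii foo.1
 .\"
-.TH "check_ssl_cert" 1 "April, 2012" "1.12.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "April, 2012" "1.13.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS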
[+] | Changed | check_ssl_cert-1.13.0.tar.bz2/check_ssl_cert.spec ^ |
@@ -6,7 +6,7 @@ # $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $ ################################################################################ -%define version 1.12.0 +%define version 1.13.0 %define release 0 %define sourcename check_ssl_cert %define packagename nagios-plugins-check_ssl_cert @@ -53,6 +53,9 @@ %{_mandir}/man1/%{sourcename}.1* %changelog +* Thu Apr 5 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.13.0-0 +- updated to 1.13.0 + * Wed Apr 4 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.12.0-0 - updated to 1.12.0 (bug fix release) |