Jan Wagner · Jan Wagner · Jan Wagner · Jan Wagner · Jan Wagner · Jan Wagner
--- a/check_ssl_cert/check_ssl_cert_1.97.0/VERSION
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/VERSION
-1.97.0
--- a/check_ssl_cert/check_ssl_cert_1.97.0/._COPYRIGHT
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/._COPYRIGHT
--- a/check_ssl_cert/check_ssl_cert_1.97.0/._Makefile
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/._Makefile
--- a/check_ssl_cert/check_ssl_cert_1.97.0/._NEWS
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/._NEWS
--- a/check_ssl_cert/check_ssl_cert_1.97.0/._check_ssl_cert
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/._check_ssl_cert
--- a/check_ssl_cert/check_ssl_cert_1.97.0/AUTHORS
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/AUTHORS
--- a/check_ssl_cert/check_ssl_cert_1.97.0/COPYING
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/COPYING
--- a/check_ssl_cert/check_ssl_cert_1.97.0/COPYRIGHT
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/COPYRIGHT
--- a/check_ssl_cert/check_ssl_cert_1.97.0/ChangeLog
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/ChangeLog
+2019-10-10  Matteo Corti  <corti@Matteo-Cortis-Mac-mini.local>
+
+	* check_ssl_cert (main): do not disable TLS 1.3 if --rsa is specified
+
+2019-10-10  Matteo Corti  <matteo@corti.li>
+
+	* check_ssl_cert (main): fixes the ciphers for --rsa and --ecdsa
+
+2019-10-10  Matteo Corti  <matteo@corti.li>
+
+	* check_ssl_cert (check_attr): a wildcard certificate does not match the 'main' domain
+
 2019-10-09  Matteo Corti  <matteo@corti.li>

 	* check_ssl_cert: disables TLS 1.3 with --rsa

--- a/check_ssl_cert/check_ssl_cert_1.97.0/INSTALL
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/INSTALL
--- a/check_ssl_cert/check_ssl_cert_1.97.0/Makefile
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/Makefile
--- a/check_ssl_cert/check_ssl_cert_1.97.0/NEWS
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/NEWS
+2019-10-10 Version 1.98.0: Bug fix release: A wildcard certificate does not match the 'main' domain, ciphers and TLS 1.3
 2019-10-09 Version 1.97.0: Validate OCSP stapling expiring date, option to disable TLS 1.3
 2019-09-25 Version 1.96.0: Bug fixes
 2019-09-24 Version 1.95.0: Bug fixes

--- a/check_ssl_cert/check_ssl_cert_1.97.0/README.md
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/README.md
@@ -99,7 +99,7 @@ Options:
                                   certificate validation
      --rootcert-dir path          root directory to be used for certificate validation
      --rootcert-file path         root certificate to be used for certificate validation
-      --rsa                        cipher selection: force RSA authentication (disables TLS 1.3)
+      --rsa                        cipher selection: force RSA authentication
      --temp dir                   directory where to store the temporary files
      --terse                      terse output
   -t,--timeout                    seconds timeout after the specified time

--- a/check_ssl_cert/check_ssl_cert_1.97.0/TODO
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/TODO
--- a/check_ssl_cert/check_ssl_cert_1.98.0/VERSION
+++ b/check_ssl_cert/check_ssl_cert_1.98.0/VERSION
+1.98.0
--- a/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert
@@ -19,7 +19,7 @@
 ################################################################################
 # Constants

-VERSION=1.97.0
+VERSION=1.98.0
 SHORTNAME="SSL_CERT"

 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -136,7 +136,7 @@ usage() {
    echo "                                   certificate validation"
    echo "      --rootcert-dir path          root directory to be used for certificate validation"
    echo "      --rootcert-file path         root certificate to be used for certificate validation"
-    echo "      --rsa                        cipher selection: force RSA authentication (disables TLS 1.3)"
+    echo "      --rsa                        cipher selection: force RSA authentication"
    echo "      --temp dir                   directory where to store the temporary files"
    echo "      --terse                      terse output"
    echo "   -t,--timeout                    seconds timeout after the specified time"
@@ -856,13 +856,13 @@ main() {
                shift
                ;;
            --rsa)
-                SSL_AU="-cipher aRSA"
-		# https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ says “RSA encryption was removed from TLS 1.3”. 
-		SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
+		# see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
+                SSL_AU="-sigalgs 'RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1'"		
                shift
                ;;
            --ecdsa)
-                SSL_AU="-cipher aECDSA"
+		# see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
+                SSL_AU="-sigalgs 'ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512'"
                shift
                ;;
            --ssl2)
@@ -2010,25 +2010,13 @@ main() {

        if [ -n "${DEBUG}" ] ; then
            echo "[DBG] check CN: ${CN}"
+	    echo "[DBG] COMMON_NAME = ${COMMON_NAME}"
        fi

        # Common name is case insensitive: using grep for comparison (and not 'case' with 'shopt -s nocasematch' as not defined in POSIX

        if echo "${CN}" | grep -q -i "^\\*\\." ; then

-            # Match the domain
-            if [ -n "${DEBUG}" ] ; then
-                echo "[DBG] the common name ${CN} begins with a '*'"
-                echo "[DBG] checking if the common name matches ^$(echo "${CN}" | cut -c 3-)\$"
-            fi
-            if echo "${COMMON_NAME}" | grep -q -i "^$(echo "${CN}" | cut -c 3-)\$" ; then
-                if [ -n "${DEBUG}" ] ; then
-                    echo "[DBG] the common name ${COMMON_NAME} matches ^$( echo "${CN}" | cut -c 3- )\$"
-                fi
-                ok="true"
-
-            fi
-
            # Or the literal with the wildcard
            if [ -n "${DEBUG}" ] ; then
                echo "[DBG] checking if the common name matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"

--- a/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.1
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.1
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "October, 2019" "1.97.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2019" "1.98.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -177,7 +177,7 @@ root certificate to be used for certificate validation (passed to openssl's -CAf
 overrides option -r,--rootcert
 .TP
 .BR "   --rsa"
-cipher selection: force RSA authentication (disables TLS 1.3)
+cipher selection: force RSA authentication
 .TP
 .BR "   --temp" " dir"
 directory where to store the temporary files

--- a/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.spec
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/check_ssl_cert.spec
-%define version          1.97.0
+%define version          1.98.0
 %define release          0
 %define sourcename       check_ssl_cert
 %define packagename      nagios-plugins-check_ssl_cert
@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{sourcename}.1*

 %changelog
+* Thu Oct 10 2019 Matteo Corti <matteo@corti.li> - 1.98.0-0
+- Updated to 1.98.0
+
 * Wed Oct  9 2019 Matteo Corti <matteo@corti.li> - 1.97.0-0
 - Updated to 1.97.0


--- a/check_ssl_cert/check_ssl_cert_1.97.0/test/cabundle.crt
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/test/cabundle.crt
--- a/check_ssl_cert/check_ssl_cert_1.97.0/test/cacert.crt
+++ b/check_ssl_cert/check_ssl_cert_1.97.0/test/cacert.crt