Commits on Source (6)
2019-10-10 Matteo Corti <corti@Matteo-Cortis-Mac-mini.local>
* check_ssl_cert (main): do not disable TLS 1.3 if --rsa is specified
2019-10-10 Matteo Corti <matteo@corti.li>
* check_ssl_cert (main): fixes the ciphers for --rsa and --ecdsa
2019-10-10 Matteo Corti <matteo@corti.li>
* check_ssl_cert (check_attr): a wildcard certificate does not match the 'main' domain
2019-10-09 Matteo Corti <matteo@corti.li>
* check_ssl_cert: disables TLS 1.3 with --rsa
......
2019-10-10 Version 1.98.0: Bug fix release: A wildcard certificate does not match the 'main' domain, ciphers and TLS 1.3
2019-10-09 Version 1.97.0: Validate OCSP stapling expiring date, option to disable TLS 1.3
2019-09-25 Version 1.96.0: Bug fixes
2019-09-24 Version 1.95.0: Bug fixes
......
......@@ -99,7 +99,7 @@ Options:
certificate validation
--rootcert-dir path root directory to be used for certificate validation
--rootcert-file path root certificate to be used for certificate validation
--rsa cipher selection: force RSA authentication (disables TLS 1.3)
--rsa cipher selection: force RSA authentication
--temp dir directory where to store the temporary files
--terse terse output
-t,--timeout seconds timeout after the specified time
......
......@@ -19,7 +19,7 @@
################################################################################
# Constants
VERSION=1.97.0
VERSION=1.98.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
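Review bot: unrelated to the version bump itself, but the VALID_ATTRIBUTES context line right below it lists `serial` twice (`...,issuer,serial,modulus,serial,hash,...`); drop the duplicate so the list of valid attribute names is not misleading when it is read or grepped.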
......@@ -136,7 +136,7 @@ usage() {
echo " certificate validation"
echo " --rootcert-dir path root directory to be used for certificate validation"
echo " --rootcert-file path root certificate to be used for certificate validation"
echo " --rsa cipher selection: force RSA authentication (disables TLS 1.3)"
echo " --rsa cipher selection: force RSA authentication"
echo " --temp dir directory where to store the temporary files"
echo " --terse terse output"
echo " -t,--timeout seconds timeout after the specified time"
......@@ -856,13 +856,13 @@ main() {
shift
;;
--rsa)
SSL_AU="-cipher aRSA"
# https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ says “RSA encryption was removed from TLS 1.3”.
SSL_VERSION_DISABLED="${SSL_VERSION_DISABLED} -no_tls1_3"
# see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
SSL_AU="-sigalgs 'RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1'"
shift
;;
--ecdsa)
SSL_AU="-cipher aECDSA"
# see https://github.com/matteocorti/check_ssl_cert/issues/164#issuecomment-540623344
SSL_AU="-sigalgs 'ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512'"
shift
;;
--ssl2)
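Review bot: the new `SSL_AU` values embed single quotes inside a double-quoted string (`SSL_AU="-sigalgs 'RSA-PSS+SHA512:...:RSA+SHA1'"`); please check how `SSL_AU` is expanded later, because if it is placed on the openssl command line as a plain `${SSL_AU}` rather than inside a string handed to `eval` or `sh -c`, the quotes are passed literally and `-sigalgs` receives a value that starts and ends with `'`. The lists contain no whitespace, so the inner quotes are unnecessary either way: `SSL_AU="-sigalgs RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:RSA+SHA224:RSA+SHA1"` (and the same for the `--ecdsa` branch). Also, `-sigalgs` is an ordered preference list and the ECDSA list is ordered weakest first (`ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA384:ECDSA+SHA256:ECDSA+SHA512`); order both lists strongest first and consider whether the `+SHA1` entries are still needed, since a server that honours them can negotiate a SHA-1 signature for the check.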
......@@ -2010,25 +2010,13 @@ main() {
if [ -n "${DEBUG}" ] ; then
echo "[DBG] check CN: ${CN}"
echo "[DBG] COMMON_NAME = ${COMMON_NAME}"
fi
# Common name is case insensitive: using grep for comparison (and not 'case' with 'shopt -s nocasematch' as not defined in POSIX
if echo "${CN}" | grep -q -i "^\\*\\." ; then
# Match the domain
if [ -n "${DEBUG}" ] ; then
echo "[DBG] the common name ${CN} begins with a '*'"
echo "[DBG] checking if the common name matches ^$(echo "${CN}" | cut -c 3-)\$"
fi
if echo "${COMMON_NAME}" | grep -q -i "^$(echo "${CN}" | cut -c 3-)\$" ; then
if [ -n "${DEBUG}" ] ; then
echo "[DBG] the common name ${COMMON_NAME} matches ^$( echo "${CN}" | cut -c 3- )\$"
fi
ok="true"
fi
# Or the literal with the wildcard
if [ -n "${DEBUG}" ] ; then
echo "[DBG] checking if the common name matches ^$(echo "${CN}" | sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/' )\$"
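Review bot: the retained literal-wildcard pattern built on the last line (`sed -e 's/[.]/[.]/g' -e 's/[*]/[A-Za-z0-9\-]*/'`) turns `*` into a class followed by `*`, which also matches an empty leftmost label, so a CN of `*.example.com` would still match a host name given as `.example.com`; use a one-or-more form such as `[A-Za-z0-9-][A-Za-z0-9-]*` so the wildcard has to match exactly one non-empty label, consistent with this commit's intent that the wildcard does not match the bare parent domain. The comment introducing the case-insensitive comparison (`# Common name is case insensitive: ... as not defined in POSIX`) is also missing its closing parenthesis after `POSIX`.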
......
.\" Process this file with
.\" groff -man -Tascii check_ssl_cert.1
.\"
.TH "check_ssl_cert" 1 "October, 2019" "1.97.0" "USER COMMANDS"
.TH "check_ssl_cert" 1 "October, 2019" "1.98.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
......@@ -177,7 +177,7 @@ root certificate to be used for certificate validation (passed to openssl's -CAf
overrides option -r,--rootcert
.TP
.BR " --rsa"
cipher selection: force RSA authentication (disables TLS 1.3)
cipher selection: force RSA authentication
.TP
.BR " --temp" " dir"
directory where to store the temporary files
......
%define version 1.97.0
%define version 1.98.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
......@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
* Thu Oct 10 2019 Matteo Corti <matteo@corti.li> - 1.98.0-0
- Updated to 1.98.0
* Wed Oct 9 2019 Matteo Corti <matteo@corti.li> - 1.97.0-0
- Updated to 1.97.0
......