Commits on Source (3)
......@@ -155,6 +155,8 @@ def main(argv):
p.add_option('--insecure', action='store_true', dest='insecure', default=False, help="Don't verify SSL/TLS certificates")
p.add_option('--ssl-ca-cert-file', action='store', type='string', dest='ssl_ca_cert_file', default=None, help='Path to Certificate Authority file for SSL')
p.add_option('-f', '--ssl-cert-file', action='store', type='string', dest='cert_file', default=None, help='Path to PEM encoded key and cert for client authentication')
p.add_option('-m','--auth-mechanism', action='store', type='choice', dest='auth_mechanism', default=None, help='Auth mechanism used for auth with mongodb',
choices=['MONGODB-X509','SCRAM-SHA-256','SCRAM-SHA-1'])
options, arguments = p.parse_args()
host = options.host
......@@ -185,6 +187,7 @@ def main(argv):
insecure = options.insecure
ssl_ca_cert_file = options.ssl_ca_cert_file
cert_file = options.cert_file
auth_mechanism = options.auth_mechanism
if action == 'replica_primary' and replicaset is None:
return "replicaset must be passed in when using replica_primary check"
......@@ -282,7 +285,7 @@ def main(argv):
return check_connect(host, port, warning, critical, perf_data, user, passwd, conn_time)
def mongo_connect(host=None, port=None, ssl=False, user=None, passwd=None, replica=None, authdb="admin", insecure=False, ssl_ca_cert_file=None, ssl_cert=None):
def mongo_connect(host=None, port=None, ssl=False, user=None, passwd=None, replica=None, authdb="admin", insecure=False, ssl_ca_cert_file=None, ssl_cert=None, auth_mechanism=None):
from pymongo.errors import ConnectionFailure
from pymongo.errors import PyMongoError
import ssl as SSL
......@@ -314,7 +317,11 @@ def mongo_connect(host=None, port=None, ssl=False, user=None, passwd=None, repli
con = pymongo.Connection(host, port, slave_okay=True, network_timeout=10)
# we must authenticate the connection, otherwise we won't be able to perform certain operations
if ssl_cert and ssl_ca_cert_file and user:
if ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'SCRAM-SHA-256':
con.the_database.authenticate(user, mechanism='SCRAM-SHA-256')
elif ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'SCRAM-SHA-1':
con.the_database.authenticate(user, mechanism='SCRAM-SHA-1')
elif ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'MONGODB-X509':
con.the_database.authenticate(user, mechanism='MONGODB-X509')
try:
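Review bot: With `-m` left at its default of `None`, none of the three new branches matches, so a caller that passes a client certificate, CA file and user no longer gets the `MONGODB-X509` authentication that the single `if ssl_cert and ssl_ca_cert_file and user:` test appears to have performed before this change. The two SCRAM branches also call `authenticate(user, mechanism=...)` without `passwd`, although SCRAM is a password-based mechanism. Treating a missing mechanism as `MONGODB-X509` and passing the password in the SCRAM case, as sketched below, keeps the old behaviour and collapses the three near-identical branches. `mongo_connect` starts and ends outside this hunk, so how the following `try:` block authenticates is not visible here.

```python
if ssl_cert and ssl_ca_cert_file and user:
    # default to X.509 so callers that do not pass -m keep the previous behaviour
    mechanism = auth_mechanism or 'MONGODB-X509'
    if mechanism == 'MONGODB-X509':
        con.the_database.authenticate(user, mechanism=mechanism)
    else:
        # SCRAM-SHA-1 / SCRAM-SHA-256 need the password as well
        con.the_database.authenticate(user, passwd, mechanism=mechanism)
```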
......
Uploaders: Jan Wagner <waja@cyconet.org>
Recommends: python-pymongo
Version: 46d27ab
Version: b33e763
Homepage: https://github.com/mzupan/nagios-plugin-mongodb
Watch: https://github.com/mzupan/nagios-plugin-mongodb <a class="commit-tease-sha"[^>]*>\s+([0-9a-f]+)\s+</a>
Description: Plugin script to monitor your MongoDB server(s)
......@@ -73,5 +73,10 @@ Thanks:
* Many thanks to Vojtech Horky (https://github.com/vhotspur) for the --format patch
* Many thanks to Markus Frosch (https://github.com/lazyfrosch) for the cleanup patch
* Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests, long output on Linux, extending the issuer checks to the whole chain
* Many thanks to eimamagi (https://github.com/eimamagi) for the client key patch
* Many thanks to eimamagi (https://github.com/eimamagi) for the client key patch and for the CA file and directory support
* Many thanks to Stefan Schlesinger for the HTTP_REQUEST patch
* Many thanks to sokol-44 (https://github.com/sokol-44) for the HTTP request fix
* Many thanks to Jonas Meurer (https://github.com/mejo-) for the IMAP / IMAPS fix
* Many thanks to Mathieu Simon (https://github.com/matsimon) for the IMAPS and POP3S patch
* Many thanks to Nico (https://github.com/nicox) for the SSLlabs patch
* Many thanks to barakAtSoluto (https://github.com/barakAtSoluto) for the SSLlabs warning patch
\ No newline at end of file
Copyright (c) 2007-2013 ETH Zurich
Copyright (c) 2007-2018 Matteo Corti
Copyright (c) 2007-2019 Matteo Corti
with the following individuals added to the list of Contributing Authors
......
2019-02-01 Matteo Corti <matteo@corti.li>
* check_ssl_cert: applied patch for the SSLlabs warning
2019-01-16 Matteo Corti <matteo@corti.li>
* check_ssl_cert: replaced echo -e with printf
2018-12-24 Matteo Corti <corti@macmini.home>
* check_ssl_cert: Better output in case of errors while using SNI
2018-12-19 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Better help about IMAP IMAPS POP3 and POP3S
* check_ssl_cert: Support for SNI and SSL Labs
2018-12-11 Matteo Corti <corti@macmini.home>
* check_ssl_cert: Differentiate IMAP with STARTTLS on port 143 and IMAPS on 993
* check_ssl_cert: Fixed a vulnerability in the parsing of the certificate issuer
2018-11-07 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Fixed a problem with IMAP on port 993
* check_ssl_cert: fixed a problem with newlines in the HTTP request
2018-11-05 Matteo Corti <matteo@corti.li>
* check_ssl_cert: CA file and directory support
2018-10-19 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Fixed the HTTP request string
......
......@@ -4,7 +4,7 @@ DIST_DIR=$(PLUGIN)-$(VERSION)
DIST_FILES=AUTHORS COPYING ChangeLog INSTALL Makefile NEWS README.md TODO VERSION $(PLUGIN) $(PLUGIN).spec COPYRIGHT ${PLUGIN}.1 test
YEAR=`date +"%Y"`
dist: version_check copyright_check
dist: version_check
rm -rf $(DIST_DIR) $(DIST_DIR).tar.gz
mkdir $(DIST_DIR)
cp -r $(DIST_FILES) $(DIST_DIR)
......@@ -25,12 +25,6 @@ version_check:
grep -q "${VERSION}" NEWS
echo "Version check: OK"
copyright_check:
grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti <matteo@corti.li>" $(PLUGIN)
echo "Copyright year check: OK"
clean:
rm -f *~
rm -rf rpmroot
......@@ -38,9 +32,17 @@ clean:
test: dist
( export SHUNIT2="$$(pwd)/shunit2/shunit2" && cd test && ./unit_tests.sh )
copyright_check:
grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti <matteo@corti.li>" $(PLUGIN)
echo "Copyright year check: OK"
rpm: dist
mkdir -p rpmroot/SOURCES rpmroot/BUILD
cp $(DIST_DIR).tar.gz rpmroot/SOURCES
rpmbuild --define "_topdir `pwd`/rpmroot" -ba check_ssl_cert.spec
.PHONY: install clean test rpm
2019-02-01 Version 1.81.0: Added an option to specify a warning level with SSL Labs
2019-01-16 Version 1.80.1: Fixed a problem on systems not supporting echo -e
2018-12-24 Version 1.80.0: Better output in case of errors while using SNI
2018-12-10 Version 1.79.0: Differentiate between IMAP on port 143 and IMAPS on port 993
Fixed a vulnerability in the parsing of the certificate issuer
2018-11-07 Version 1.78.0: Bug fixes in IMAP and HTTP requests
2018-11-05 Version 1.77.0: CA file and directory support
2018-10-19 Version 1.76.0: Sends a correct HTTP request
2018-10-18 Version 1.75.0: Allow to specify a client certificate key
2018-10-15 Version 1.74.0: Fixed a bug generating a confusing error message on timeout
......
(c) Matteo Corti, ETH Zurich, 2007-2012
(c) Matteo Corti, 2007-2018
(c) Matteo Corti, 2007-2019
see AUTHORS for the complete list of contributors
# check_ssl_cert
......@@ -71,9 +70,9 @@ Options:
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{http|smtp|pop3|imap|ftp|xmpp|irc|ldap}
{http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}
http: default
smtp,pop3,imap,ftp,ldap: switch to TLS
smtp,pop3,imap,imaps,ftp,ldap: switch to TLS
-s,--selfsigned allows self-signed certificates
--serial serialnum pattern to match the serial number
--sni name sets the TLS SNI (Server Name Indication) extension
......@@ -85,6 +84,8 @@ Options:
extension
-r,--rootcert path root certificate or directory to be used for
certificate validation
--rootcert-dir path root directory to be used for certificate validation
--rootcert-file path root certificate to be used for certificate validation
--rsa cipher selection: force RSA authentication
--temp dir directory where to store the temporary files
--terse terse output
......
......@@ -10,7 +10,7 @@
# See the INSTALL file for installation instructions
#
# Copyright (c) 2007-2012 ETH Zurich.
# Copyright (c) 2007-2018 Matteo Corti <matteo@corti.li>
# Copyright (c) 2007-2019 Matteo Corti <matteo@corti.li>
#
# This module is free software; you can redistribute it and/or modify it
# under the terms of GNU general public license (gpl) version 3.
......@@ -19,7 +19,7 @@
################################################################################
# Constants
VERSION=1.76.0
VERSION=1.81.0
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
......@@ -84,6 +84,7 @@ usage() {
echo " -K,--clientkey path use client certificate key to authenticate"
echo " -L,--check-ssl-labs grade SSL Labs assessment"
echo " (please check https://www.ssllabs.com/about/terms.html)"
echo " --check-ssl-labs-warn-grade SSL-Labs grade on which to warn"
echo " --long-output list append the specified comma separated (no spaces) list"
echo " of attributes to the plugin output on additional lines"
echo " Valid attributes are:"
......@@ -102,7 +103,7 @@ usage() {
echo " --openssl path path of the openssl binary to be used"
echo " -p,--port port TCP port"
echo " -P,--protocol protocol use the specific protocol"
echo " {http|smtp|pop3|imap|ftp|xmpp|irc|ldap}"
echo " {http|smtp|pop3|pops3s|imap|imaps|ftp|xmpp|irc|ldap}"
echo " http: default"
echo " smtp,pop3,imap,ftp,ldap: switch to TLS"
echo " -s,--selfsigned allows self-signed certificates"
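Review bot: The new help text spells the protocol `pops3s`, while the `fetch_certificate` case added on this page matches `pop3s|imaps`, so a user copying the name from `--help` would pass a value the script does not handle; the line should read `{http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}`. `usage()` starts and ends outside the hunk.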
......@@ -116,6 +117,8 @@ usage() {
echo " extension"
echo " -r,--rootcert path root certificate or directory to be used for"
echo " certificate validation"
echo " --rootcert-dir path root directory to be used for certificate validation"
echo " --rootcert-file path root certificate to be used for certificate validation"
echo " --rsa cipher selection: force RSA authentication"
echo " --temp dir directory where to store the temporary files"
echo " --terse terse output"
......@@ -206,8 +209,12 @@ create_temporary_file() {
# $1 error message
critical() {
if [ -n "${HOST}" ] ; then
if [ -n "${SNI}" ] ; then
tmp=" ${SNI}"
else
tmp=" ${HOST}"
fi
fi
remove_temporary_files
printf '%s CRITICAL%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
exit 2
......@@ -219,8 +226,12 @@ critical() {
# $1 warning message
warning() {
if [ -n "${HOST}" ] ; then
if [ -n "${SNI}" ] ; then
tmp=" ${SNI}"
else
tmp=" ${HOST}"
fi
fi
remove_temporary_files
printf '%s WARN%s: %s%s%s\n' "${SHORTNAME}" "${tmp}" "$1" "${PERFORMANCE_DATA}" "${LONG_OUTPUT}"
exit 1
......@@ -232,8 +243,12 @@ warning() {
# $1 message
unknown() {
if [ -n "${HOST}" ] ; then
if [ -n "${SNI}" ] ; then
tmp=" ${SNI}"
else
tmp=" ${HOST}"
fi
fi
remove_temporary_files
printf '%s UNKNOWN%s: %s\n' "${SHORTNAME}" "${tmp}" "$1"
exit 3
......@@ -426,6 +441,10 @@ fetch_certificate() {
exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
pop3s|imaps)
exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
RET=$?
;;
xmpp)
exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect $HOST:$XMPPPORT ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
RET=$?
......@@ -749,12 +768,20 @@ main() {
;;
-L|--check-ssl-labs)
if [ $# -gt 1 ]; then
SSL_LAB_ASSESSMENT="$2"
SSL_LAB_CRIT_ASSESSMENT="$2"
shift 2
else
unknown "-L|--check-ssl-labs requires an argument"
fi
;;
--check-ssl-labs-warn-grade)
if [ $# -gt 1 ]; then
SSL_LAB_WARN_ASSESTMENT="$2"
shift 2
else
unknown "--check-ssl-labs-warn-grade requires an argument"
fi
;;
--serial)
if [ $# -gt 1 ]; then
SERIAL_LOCK="$2"
......@@ -832,6 +859,22 @@ main() {
unknown "-r,--rootcert requires an argument"
fi
;;
--rootcert-dir)
if [ $# -gt 1 ]; then
ROOT_CA_DIR="$2"
shift 2
else
unknown "--rootcert-dir requires an argument"
fi
;;
--rootcert-file)
if [ $# -gt 1 ]; then
ROOT_CA_FILE="$2"
shift 2
else
unknown "--rootcert-file requires an argument"
fi
;;
-C|--clientcert)
if [ $# -gt 1 ]; then
CLIENT_CERT="$2"
......@@ -975,6 +1018,32 @@ main() {
fi
if [ -n "${ROOT_CA_DIR}" ] ; then
if [ ! -d "${ROOT_CA_DIR}" ] ; then
unknown "${ROOT_CA_DIR} is not a directory";
fi
if [ ! -r "${ROOT_CA_DIR}" ] ; then
unknown "Cannot read root directory ${ROOT_CA_DIR}"
fi
ROOT_CA_DIR="-CApath ${ROOT_CA_DIR}"
fi
if [ -n "${ROOT_CA_FILE}" ] ; then
if [ ! -r "${ROOT_CA_FILE}" ] ; then
unknown "Cannot read root certificate ${ROOT_CA_FILE}"
fi
ROOT_CA_FILE="-CAfile ${ROOT_CA_FILE}"
fi
if [ -n "${ROOT_CA_DIR}" ] || [ -n "${ROOT_CA_FILE}" ]; then
ROOT_CA="${ROOT_CA_DIR} ${ROOT_CA_FILE}"
fi
if [ -n "${CLIENT_CERT}" ] ; then
if [ ! -r "${CLIENT_CERT}" ] ; then
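Review bot: `--rootcert-file` is accepted when it names anything readable, including a directory, because the new block tests only `-r`; adding `if [ ! -f "${ROOT_CA_FILE}" ] ; then unknown "${ROOT_CA_FILE} is not a file" ; fi` before the readability test would mirror the `-d` test done for `--rootcert-dir`. Both paths are then spliced unquoted into `ROOT_CA`, which other hunks on this page expand inside the command string handed to `exec_with_timeout`, so a path containing whitespace will presumably be split into separate openssl arguments and the intended trust anchor will not be the one used. Rejecting such paths with `unknown` at this point would make that failure explicit. This code sits in `main()`, which starts and ends outside the hunk.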
......@@ -1039,9 +1108,17 @@ main() {
fi
if [ -n "${SSL_LAB_ASSESSMENT}" ] ; then
convert_ssl_lab_grade "${SSL_LAB_ASSESSMENT}"
SSL_LAB_ASSESSMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
convert_ssl_lab_grade "${SSL_LAB_CRIT_ASSESSMENT}"
SSL_LAB_CRIT_ASSESSMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
fi
if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
convert_ssl_lab_grade "${SSL_LAB_WARN_ASSESTMENT}"
SSL_LAB_WARN_ASSESTMENT_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
if ( $SSL_LAB_WARN_ASSESTMENT_NUMERIC < $SSL_LAB_CRIT_ASSESSMENT_NUMERIC ); then
unknown "--check-ssl-labs-warn-grade must be greater than -L|--check-ssl-labs"
fi
fi
if [ -n "${DEBUG}" ] ; then
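Review bot: The ordering test `if ( $SSL_LAB_WARN_ASSESTMENT_NUMERIC < $SSL_LAB_CRIT_ASSESSMENT_NUMERIC ); then` is not a numeric comparison in sh: the parentheses start a subshell that tries to run the warn value as a command with its input redirected from a file named after the critical value, so the thresholds are never validated. It should be a `[ ... -lt ... ]` test like the grade comparison elsewhere in the script. The block also runs when only `--check-ssl-labs-warn-grade` is given, in which case the critical value is empty, and another hunk on this page gates the whole SSL Labs check on `SSL_LAB_CRIT_ASSESSMENT`, so a warn-only invocation would be silently ignored; the sketch below rejects it. This code is inside `main()`, which extends beyond the hunk.

```shell
if [ -n "${SSL_LAB_WARN_ASSESTMENT}" ] ; then
    if [ -z "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
        unknown "--check-ssl-labs-warn-grade requires -L|--check-ssl-labs"
    fi
    # … unchanged: convert_ssl_lab_grade call and SSL_LAB_WARN_ASSESTMENT_NUMERIC assignment …
    if [ "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
    # … unchanged: unknown call and the closing fi lines …
```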
......@@ -1065,9 +1142,9 @@ main() {
# curl
if [ -z "${CURL_BIN}" ] ; then
if [ -n "${SSL_LAB_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] || [ -n "${OCSP}" ] ; then
if [ -n "${DEBUG}" ] ; then
echo "[DBG] cURL binary needed. SSL Labs = ${SSL_LAB_ASSESSMENT}, OCSP = ${OCSP}"
echo "[DBG] cURL binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
echo "[DBG] cURL binary not specified"
fi
check_required_prog curl
......@@ -1077,7 +1154,7 @@ main() {
fi
else
if [ -n "${DEBUG}" ] ; then
echo "[DBG] cURL binary not needed. SSL Labs = ${SSL_LAB_ASSESSMENT}, OCSP = ${OCSP}"
echo "[DBG] cURL binary not needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}"
fi
fi
fi
......@@ -1258,6 +1335,7 @@ main() {
else
HOST_HEADER="${HOST}"
fi
HTTP_REQUEST="HEAD / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
################################################################################
......@@ -1432,14 +1510,22 @@ main() {
ISSUERS=$(echo "$ISSUERS" | sed 's/\\n/\n/g' | sed -e "s/^.*\\/CN=//" -e "s/^.* CN = //" -e "s/^.*, O = //" -e "s/\\/[A-Za-z][A-Za-z]*=.*\$//" -e "s/, [A-Za-z][A-Za-z]* =.*\$//")
# we just consider the first URI
# shellcheck disable=SC2086
ISSUER_URI="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | head -n 1 | sed -e "s/^.*CA Issuers - URI://")"
# TODO check SC2016
# shellcheck disable=SC2086,SC2016
ISSUER_URI="$($OPENSSL "${OPENSSL_COMMAND}" ${OPENSSL_PARAMS} -in "${CERT}" -text -noout | grep "CA Issuers" | head -n 1 | sed -e "s/^.*CA Issuers - URI://" | tr -d '"!|;$(){}<>`&')"
# TODO: should be checked
# shellcheck disable=SC2021
if [ -z "${ISSUER_URI}" ] ; then
if [ -n "${VERBOSE}" ] ; then
echo "cannot find the CA Issuers in the certificate: disabling OCSP checks"
fi
OCSP=""
elif [ "${ISSUER_URI}" != "$(echo "${ISSUER_URI}" | tr -d '[[:space:]]')" ]; then
if [ -n "${VERBOSE}" ] ; then
echo "unable to fetch the CA issuer certificate (spaces in URI)"
fi
OCSP=""
elif ! echo "${ISSUER_URI}" | grep -qi '^http' ; then
if [ -n "${VERBOSE}" ] ; then
echo "unable to fetch the CA issuer certificate (unsupported protocol)"
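Review bot: The `tr -d` added to the `ISSUER_URI` pipeline is a denylist: it removes a fixed set of shell metacharacters and lets every other byte through, yet the value is read from the certificate presented by the server being checked and has to be treated as untrusted. An allowlist is easier to reason about, for example `tr -cd 'A-Za-z0-9:/._~%-'`, and rejecting the URI (clearing `OCSP` as the neighbouring branches do) is safer than silently editing it and then fetching a different address. In the new whitespace test, `tr -d '[[:space:]]'` also deletes literal `[` and `]`, which is what the suppressed SC2021 warning is about; `tr -d '[:space:]'` is the intended form. How `ISSUER_URI` is used afterwards is outside this hunk.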
......@@ -1454,7 +1540,7 @@ main() {
echo "checking OCSP stapling"
fi
exec_with_timeout "$TIMEOUT" "echo '${HTTP_REQUEST}' | openssl s_client -connect ${HOST}:${PORT} ${SERVERNAME} -status 2> /dev/null | grep -A 17 'OCSP response:' > $OCSP_RESPONSE_TMP"
exec_with_timeout "$TIMEOUT" "printf '${HTTP_REQUEST}' | openssl s_client -connect ${HOST}:${PORT} ${SERVERNAME} -status 2> /dev/null | grep -A 17 'OCSP response:' > $OCSP_RESPONSE_TMP"
if [ -n "${DEBUG}" ] ; then
sed 's/^/[DBG]\ /' "${OCSP_RESPONSE_TMP}"
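Review bot: `printf '${HTTP_REQUEST}'` passes the whole request as the format string, so a `%` in the host header would be interpreted as a conversion specification instead of being sent as written. Writing `printf '%b' '${HTTP_REQUEST}'` keeps the `\n` expansion while treating the text as data. The new line also still calls a bare `openssl` rather than `$OPENSSL`, unlike the `fetch_certificate` calls elsewhere on this page, so the binary selected with `--openssl path` is not the one used for the OCSP stapling check.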
......@@ -1891,7 +1977,7 @@ EOF
################################################################################
# Check SSL Labs
if [ -n "${SSL_LAB_ASSESSMENT}" ] ; then
if [ -n "${SSL_LAB_CRIT_ASSESSMENT}" ] ; then
if [ -n "${VERBOSE}" ] ; then
echo "Checking SSL Labs assessment"
......@@ -1903,8 +1989,13 @@ EOF
echo "[DBG] executing ${CURL_BIN} --silent \"https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}\""
fi
if [ -n "${SNI}" ] ; then
JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${SNI}${IGNORE_SSL_LABS_CACHE}")"
CURL_RETURN_CODE=$?
else
JSON="$(${CURL_BIN} --silent "https://api.ssllabs.com/api/v2/analyze?host=${HOST}${IGNORE_SSL_LABS_CACHE}")"
CURL_RETURN_CODE=$?
fi
if [ ${CURL_RETURN_CODE} -ne 0 ] ; then
......@@ -1963,11 +2054,15 @@ EOF
convert_ssl_lab_grade "${SSL_LABS_HOST_GRADE}"
SSL_LABS_HOST_GRADE_NUMERIC="${NUMERIC_SSL_LAB_GRADE}"
add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_ASSESSMENT_NUMERIC}"
add_performance_data "ssllabs=${SSL_LABS_HOST_GRADE_NUMERIC}%;;${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}"
# Check the grade
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_ASSESSMENT_NUMERIC}" ] ; then
critical "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_ASSESSMENT})"
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_CRIT_ASSESSMENT_NUMERIC}" ] ; then
critical "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_CRIT_ASSESSMENT})"
elif [ -n "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ]; then
if [ "${SSL_LABS_HOST_GRADE_NUMERIC}" -lt "${SSL_LAB_WARN_ASSESTMENT_NUMERIC}" ] ; then
warning "SSL Labs grade is ${SSL_LABS_HOST_GRADE} (instead of ${SSL_LAB_WARN_ASSESTMENT})"
fi
fi
if [ -n "${DEBUG}" ] ; then
......
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH "check_ssl_cert" 1 "October, 2018" "1.76.0" "USER COMMANDS"
.TH "check_ssl_cert" 1 "February, 2019" "1.81.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
......@@ -87,6 +87,9 @@ use client certificate key to authenticate
.BR "-L,--check-ssl-labs grade"
SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
.TP
.BR " --check-ssl-warn-labs grade"
SSL Labs grade on which to warn
.TP
.BR " --long-output" " list"
append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines.
Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
......@@ -148,6 +151,14 @@ require the presence of a Subject Alternative Name extension
.BR "-r,--rootcert" " cert"
root certificate or directory to be used for certficate validation (passed to openssl's -CAfile or -CApath)
.TP
.BR " --rootcert-dir" " dir"
root directory to be used for certficate validation (passed to openssl's -CApath)
overrides option -r,--rootcert
.TP
.BR " --rootcert-file" " cert"
root certificate to be used for certficate validation (passed to openssl's -CAfile)
overrides option -r,--rootcert
.TP
.BR " --rsa"
cipher selection: force RSA authentication
.TP
......
%define version 1.76.0
%define version 1.81.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
......@@ -45,6 +45,24 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
* Fri Feb 2 2019 Matteo Corti <matteo@corti.li> - 1.81.0-0
- Updated to 1.81.0
* Wed Jan 16 2019 Matteo Corti <matteo@corti.li> - 1.80.1-0
- Updated to 1.80.1
* Mon Dec 24 2018 Matteo Corti <matteo@corti.li> - 1.80.0-0
- Updated to 1.80.0
* Tue Dec 11 2018 Matteo Corti <matteo@corti.li> - 1.79.0-0
- Updated to 1.79.0
* Thu Nov 7 2018 Matteo Corti <matteo@corti.li> - 1.78.0-0
- Updated to 1.78.0
* Thu Nov 5 2018 Matteo Corti <matteo@corti.li> - 1.77.0-0
- Updated to 1.77.0
* Thu Oct 19 2018 Matteo Corti <matteo@corti.li> - 1.76.0-0
- Updated to 1.76.0
......