check_httpd_status/check_httpd_status

@@ -235,6 +235,10 @@ logD("Web content :\n----------------------------\n".$webcontent."\n------------
 my $patternFound = 0;
 
 my $Uptime = 0;
+# if ( $webcontent =~ m/Uptime: (.*?)\n/) {
+	# $Uptime = $1;
+	# $patternFound++;
+# }
 ### FIXME XH 20171204 catch ServerUptimeSeconds, not [Server]Uptime. Change in server-status between 2.2 & 2.4
 if ( $webcontent =~ m/\b(ServerUptimeSeconds|Uptime): (\d+)\n/) {
     $Uptime = $2;

check_httpd_status/control

 Homepage: http://cvs.orion.education.fr/viewvc/viewvc.cgi/nagios-plugins-perl/trunk/plugins/check_httpd_status.pl?view=log
 Watch: http://cvs.orion.education.fr/viewvc/viewvc.cgi/nagios-plugins-perl/trunk/plugins/check_httpd_status.pl?view=log <a name="(rev[^"]+)"></a>
 Recommends: liblocale-gettext-perl, libmonitoring-plugin-perl | libnagios-plugin-perl, liblwp-useragent-determined-perl
-Version: rev193
+Version: rev204
 Uploaders: Jan Wagner <waja@cyconet.org>
 Description: plugin checking Apache or Lighthttpd
  server-status page (using mod_status)

check_ssl_cert/check_ssl_cert-1.73.0/VERSION

-1.73.0

check_ssl_cert/check_ssl_cert-1.73.0/AUTHORS → check_ssl_cert/check_ssl_cert-1.76.0/AUTHORS

@@ -73,3 +73,5 @@ Thanks:
 * Many thanks to Vojtech Horky (https://github.com/vhotspur) for the --format patch
 * Many thanks to Markus Frosch (https://github.com/lazyfrosch) for the cleanup patch
 * Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests, long output on Linux, extending the issuer checks to the whole chain
+* Many thanks to eimamagi (https://github.com/eimamagi) for the client key patch
+* Many thanks to Stefan Schlesinger for the HTTP_REQUEST patch
\ No newline at end of file

check_ssl_cert/check_ssl_cert-1.73.0/ChangeLog → check_ssl_cert/check_ssl_cert-1.76.0/ChangeLog

+2018-10-19  Matteo Corti  <matteo@corti.li>
+
+	* check_ssl_cert: Fixed the HTTP request string
+
+2018-10-18  eimamagi  <https://github.com/eimamagi>
+
+	* check_ssl_cert: Allow to specify a client certificate key
+
+2018-10-15  Matteo Corti  <matteo@corti.li>
+
+	* check_ssl_cert (exec_with_timeout): fixed the check on the the return value
+
 2018-08-10  Matteo Corti  <matteo@corti.li>
 
 	* check_ssl_cert: disabling OCSP checks if no OCSP host is found

check_ssl_cert/check_ssl_cert-1.73.0/NEWS → check_ssl_cert/check_ssl_cert-1.76.0/NEWS

+2018-10-19 Version 1.76.0: Sends a correct HTTP request
+2018-10-18 Version 1.75.0: Allow to specify a client certificate key
+2018-10-15 Version 1.74.0: Fixed a bug generating a confusing error message on timeout
 2018-09-10 Version 1.73.0: Fixed a bug in the cleanup of temporary files, fixed a bug with certificates without OCSP
                            Fixed tests with more reliable hosts
                            Allows to check against all the issuers in the CA chain

check_ssl_cert/check_ssl_cert-1.76.0/VERSION

+1.76.0

check_ssl_cert/check_ssl_cert-1.73.0/check_ssl_cert → check_ssl_cert/check_ssl_cert-1.76.0/check_ssl_cert

@@ -19,7 +19,7 @@
 ################################################################################
 # Constants
 
-VERSION=1.73.0
+VERSION=1.76.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,serial,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -81,6 +81,7 @@ usage() {
     echo "      --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
     echo "   -i,--issuer issuer         pattern to match the issuer of the certificate"
     echo "      --issuer-cert-cache dir directory where to store issuer certificates cache"
+    echo "   -K,--clientkey path        use client certificate key to authenticate"
     echo "   -L,--check-ssl-labs grade  SSL Labs assessment"
     echo "                              (please check https://www.ssllabs.com/about/terms.html)"
     echo "      --long-output list      append the specified comma separated (no spaces) list"
@@ -264,15 +265,25 @@ exec_with_timeout() {
 
         eval "${TIMEOUT_BIN} $time $command" > /dev/null 2>&1
 
-        if [ $? = 137 ] ; then
+        if [ $? -eq 137 ] ; then
             critical "Timeout after ${time} seconds"
         fi
 
     elif [ -n "${EXPECT}" ] ; then
 
+        if [ -n "${DEBUG}" ] ; then
+            echo "[DBG]   expect -c \"set echo \\\"-noecho\\\"; set timeout $time; spawn -noecho $command; expect timeout { exit 1 } eof { exit 0 }\""
+        fi
+	
         expect -c "set echo \"-noecho\"; set timeout $time; spawn -noecho $command; expect timeout { exit 1 } eof { exit 0 }"
 
-        if [ $? = 1 ] ; then
+	RET=$?
+
+        if [ -n "${DEBUG}" ] ; then
+            echo "[DBG]   expect returned ${RET}"
+        fi	
+	
+        if [ "${RET}" -eq 1 ] ; then
             critical "Timeout after ${time} seconds"
         fi
 
@@ -435,7 +446,7 @@ fetch_certificate() {
 
     else
 	
-        exec_with_timeout "$TIMEOUT" "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
+        exec_with_timeout "$TIMEOUT" "echo '${HTTP_REQUEST}' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -crlf -ign_eof -connect $HOST:$PORT ${SERVERNAME} -showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} 2> ${ERROR} 1> ${CERT}"
         RET=$?
 
     fi
@@ -829,6 +840,14 @@ main() {
                     unknown "-c,--clientcert requires an argument"
                 fi
                 ;;
+            -K|--clientkey)
+                if [ $# -gt 1 ]; then
+                    CLIENT_KEY="$2"
+                    shift 2
+                else
+                    unknown "-K,--clientkey requires an argument"
+                fi
+                ;;
             --clientpass)
                 if [ $# -gt 1 ]; then
                     CLIENT_PASS="$2"
@@ -964,6 +983,14 @@ main() {
 
     fi
 
+    if [ -n "${CLIENT_KEY}" ] ; then
+
+        if [ ! -r "${CLIENT_KEY}" ] ; then
+            unknown "Cannot read client certificate key ${CLIENT_KEY}"
+        fi
+
+    fi
+
     if [ -n "${CRITICAL}" ] ; then
 
         if ! echo "${CRITICAL}" | grep -q '^[0-9][0-9]*$' ; then
@@ -1224,6 +1251,15 @@ main() {
 	fi
     fi
 
+    ################################################################################
+    # define the HTTP request string
+    if [ -n "${SNI}" ]; then
+        HOST_HEADER="${SNI}"
+    else
+        HOST_HEADER="${HOST}"
+    fi
+    HTTP_REQUEST="HEAD / HTTP/1.1\\nHost: ${HOST_HEADER}\\nUser-Agent: check_ssl_cert/${VERSION}\\nConnection: close\\n\\n"
+    
     ################################################################################
     # Fetch the X.509 certificate
 
@@ -1250,6 +1286,9 @@ main() {
     if [ -n "${CLIENT_CERT}" ] ; then
         CLIENT="-cert ${CLIENT_CERT}"
     fi
+    if [ -n "${CLIENT_KEY}" ] ; then
+        CLIENT="${CLIENT} -key ${CLIENT_KEY}"
+    fi
 
     CLIENTPASS=""
     if [ -n "${CLIENT_PASS}" ] ; then
@@ -1415,7 +1454,7 @@ main() {
        	    echo "checking OCSP stapling"
 	fi
 
-	exec_with_timeout "$TIMEOUT" "echo QUIT | openssl s_client -connect ${HOST}:${PORT} ${SERVERNAME} -status 2> /dev/null | grep -A 17 'OCSP response:' > $OCSP_RESPONSE_TMP"
+	exec_with_timeout "$TIMEOUT" "echo '${HTTP_REQUEST}' | openssl s_client -connect ${HOST}:${PORT} ${SERVERNAME} -status 2> /dev/null | grep -A 17 'OCSP response:' > $OCSP_RESPONSE_TMP"
 
 	if [ -n "${DEBUG}" ] ; then
 	    sed 's/^/[DBG]\ /' "${OCSP_RESPONSE_TMP}"

check_ssl_cert/check_ssl_cert-1.73.0/check_ssl_cert.1 → check_ssl_cert/check_ssl_cert-1.76.0/check_ssl_cert.1

 .\" Process this file with
 .\" groff -man -Tascii foo.1
 .\"
-.TH "check_ssl_cert" 1 "September, 2018" "1.73.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2018" "1.76.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -81,6 +81,9 @@ directory where to store issuer certificates cache
 .BR "-i,--issuer" " issuer"
 pattern to match the issuer of the certificate
 .TP
+.BR "-K,--clientkey" " path"
+use client certificate key to authenticate
+.TP
 .BR "-L,--check-ssl-labs grade"
 SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
 .TP

check_ssl_cert/check_ssl_cert-1.73.0/check_ssl_cert.spec → check_ssl_cert/check_ssl_cert-1.76.0/check_ssl_cert.spec

-%define version          1.73.0
+%define version          1.76.0
 %define release          0
 %define sourcename       check_ssl_cert
 %define packagename      nagios-plugins-check_ssl_cert
@@ -45,6 +45,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{sourcename}.1*
 
 %changelog
+* Thu Oct 19 2018 Matteo Corti <matteo@corti.li> - 1.76.0-0
+- Updated to 1.76.0
+
+* Thu Oct 18 2018 Matteo Corti <matteo@corti.li> - 1.75.0-0
+- Updated to 1.75.0
+
+* Mon Oct 15 2018 Matteo Corti <matteo@corti.li> - 1.74.0-0
+- Updated to 1.74.0
+
 * Mon Sep 10 2018 Matteo Corti <matteo@corti.li> - 1.73.0-0
 - Updated to 1.73.0