Fixed the HSTS check

matteocorti · Sep 1, 2022 · 64b12f6 · 64b12f6
1 parent 229873f
commit 64b12f6
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 10 deletions.
diff --git a/CITATION.cff b/CITATION.cff
@@ -236,8 +236,8 @@ authors:
   given-names: "Дилян"
   website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.40.0
-date-released: 2022-08-24
+version: 2.41.0
+date-released: 2022-09-01
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"
 keywords:

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,11 @@
+2022-09-01  Matteo Corti  <[email protected]>
+
+        * check_ssl_cert (main): follow redirects when checking HSTS
+
+2022-08-31  Matteo Corti  <[email protected]>
+
+        * check_ssl_cert (fetch_certificate): parsing 'excessive message size' errors
+
 2022-08-25  Matteo Corti  <[email protected]>
 
         * check_ssl_cert (extract_cert_attribute): Parse UTF-8 attributes (e.g., Location, ...)

diff --git a/NEWS.md b/NEWS.md
@@ -1,5 +1,7 @@
-* Fixed the parsing of UTF-8 certificate subjects
-
+* 2022-09-01 Version 2.41.0
+  * Fixed the parsing of UTF-8 certificate subjects
+  * Better OpenSSL error handling
+  * Fixed the HSTS check
 * 2022-08-24 Version 2.40.0
   * Fixed the parsing of the signature algorithm
 * 2022-08-24 Version 2.39.0

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1 +1,3 @@
-Fixed the parsing of the signature algorithm
+ * Fixed the parsing of UTF-8 certificate subjects
+ * Better OpenSSL error handling
+ * Fixed the HSTS check
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.40.0
+2.41.0
diff --git a/check_ssl_cert b/check_ssl_cert
@@ -28,7 +28,7 @@
 ################################################################################
 # Constants
 
-VERSION=2.40.0
+VERSION=2.41.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -2500,6 +2500,10 @@ fetch_certificate() {
 
             prepend_critical_message 'Error decoding certificate'
 
+        elif ascii_grep 'excessive message size' "${ERROR}"; then
+
+            prepend_critical_message 'Error fetching the certificate (excessive message size)'
+
         elif ascii_grep 'gethostbyname failure' "${ERROR}"; then
 
             ERROR='Invalid host name'
@@ -4754,7 +4758,11 @@ main() {
 
         debuglog "Checking HSTS"
 
-        exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent -D- --user-agent '${HTTP_USER_AGENT}' https://${HOST} | grep -i ^strict-transport-security:"
+        # -s (--silent)
+        # -D (--dump-header)
+        # -A (--user-agent)
+        # -L (--location): follow redirects
+        exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} -s -D- -A '${HTTP_USER_AGENT}' -L https://${HOST} | grep -i ^strict-transport-security:"
         RET=$?
 
         if [ "${RET}" -eq 1 ] ; then

diff --git a/check_ssl_cert.1 b/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "August, 2022" "2.40.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "September, 2022" "2.41.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS

diff --git a/check_ssl_cert.spec b/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%global version          2.40.0
+%global version          2.41.0
 %global release          0
 %global sourcename       check_ssl_cert
 %global packagename      nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Sep   1 2022 Matteo Corti <[email protected]> - 2.41.0-0
+- Updated to 2.41.0
+
 * Wed Aug  24 2022 Matteo Corti <[email protected]> - 2.40.0-0
 - Updated to 2.40.0