diff --git a/CITATION.cff b/CITATION.cff
index e9df378c..319afd9c 100644
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -236,8 +236,8 @@ authors:
 given-names: "Дилян"
 website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.49.0
-date-released: 2022-09-27
+version: 2.50.0
+date-released: 2022-10-06
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"
 keywords:
diff --git a/ChangeLog b/ChangeLog
index 87b83d8c..14f253d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2022-10-06 Matteo Corti
+
+ * check_ssl_cert: additional chain checks (no root attributes and handling of double certificates
+
 2022-09-27 Matteo Corti
 * check_ssl_cert (main): if nmap is not found the plugin continues
diff --git a/NEWS.md b/NEWS.md
index 5adb52d7..6a09969e 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,5 @@
+* 2022-10-06 Version 2.50.0
+ * Additional checks for the certificate chain (see ```--check-chain```)
 * 2022-09-27 Version 2.49.0
 * The plugin is working without nmap (with some limitations)
 * Fixed a bug in the processing of the --nmap-bin option
diff --git a/README.md b/README.md
index b16f1a5a..4d8f3fe6 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ Options:
 to be valid to issue a critical status.
 Can be a floating point number, e.g., 0.5
 Default: 15
+ --check-chain The certificate chain cannot contain
+ double or root certificates
 --check-ciphers grade Check the offered ciphers
 --check-ciphers-warnings Critical if nmap reports a warning for an
 offered cipher
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 568d6421..2e0808f2 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,2 +1 @@
- * The plugin is working without nmap (with some limitations)
- * Fixed a bug in the processing of the --nmap-bin option
+Additional checks for the certificate chain (see ```--check-chain```)
diff --git a/VERSION b/VERSION
index 132775c2..9e29315a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.49.0
+2.50.0
diff --git a/check_ssl_cert b/check_ssl_cert
index 648065aa..db3caefd 100755
--- a/check_ssl_cert
+++ b/check_ssl_cert
@@ -25,16 +25,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-# To do
-#
-# config file
-# just put arguments in it and process the file as input?
-# Documentation
-
 ################################################################################
 # Constants
-VERSION=2.49.0
+VERSION=2.50.0
 SHORTNAME="SSL_CERT"
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -235,6 +229,8 @@ usage() {
 echo " to be valid to issue a critical status."
 echo " Can be a floating point number, e.g., 0.5"
 echo " Default: ${CRITICAL_DAYS}"
+ echo " --check-chain The certificate chain cannot contain"
+ echo " double or root certificates"
 echo " --check-ciphers grade Check the offered ciphers"
 echo " --check-ciphers-warnings Critical if nmap reports a warning for an"
 echo " offered cipher"
@@ -2909,6 +2905,11 @@ parse_command_line_options() {
 shift
 ;;
+ --check-chain)
+ CHECK_CHAIN=1
+ shift
+ ;;
+
 --crl)
 CRL=1
 shift
@@ -4074,7 +4075,7 @@ main() {
 HOST_ADDR="${RESOLVE}"
 HOST_NAME="${HOST}"
-< SNI="${HOST}"
+ SNI="${HOST}"
 else
@@ -5504,8 +5505,6 @@ EOF
 fi
 done
- # TODO
-
 # check the certificate chain to see if the root certificate in unnecessarily delivered
 # and issue a warning if it is the case
@@ -5524,6 +5523,9 @@ EOF
 if [ "${matches}" -eq 1 ] ; then
 debuglog "The root certificate is present in the chain"
 verboselog "The root certificate is unnecessarily present in the delivered certificate chain"
+ if [ -n "${CHECK_CHAIN}" ] ; then
+ prepend_critical_message "The root certificate is unnecessarily present in the delivered certificate chain"
+ fi
 fi
 debuglog "Certificate chain check finished"
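Review bot: The help text added for `--check-chain` does not say what the option actually does: the two checks wired to `CHECK_CHAIN` in this commit raise a critical when the root certificate is found in the delivered chain and when both a valid and an expired certificate are found for the same CN, whereas "double or root certificates" reads as a generic duplicate check and does not mention the severity. I would reword the two echo lines to state the outcome and the conditions, e.g. `echo " --check-chain Critical if the delivered chain contains the root"` / `echo " certificate, or both a valid and an expired"` / `echo " certificate for the same CN"`, and mirror that wording in README.md, check_ssl_cert.1 and utils/help.txt, which currently copy the vague phrase. usage() starts before this hunk and continues after it.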
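Review bot: The removed line `-< SNI="${HOST}"` was not a broken assignment but a redirection: bash parses `< SNI="${HOST}"` as "read from a file named `SNI=<host>`" with no command, so in 2.49.0 this branch never set SNI (and printed a "No such file or directory" error) and the server may have answered with its default certificate rather than the one for `${HOST}`. Because the fix changes which certificate gets checked whenever this branch is taken (it appears to be the `--resolve` path, judging by `HOST_ADDR="${RESOLVE}"`), it should get its own ChangeLog/NEWS entry and a unit test that runs with `--resolve` and asserts on the subject, instead of being folded silently into a release about chain checks. main() starts before this hunk and continues after it.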
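Review bot: The critical message added under `CHECK_CHAIN` duplicates the verboselog literal on the line above verbatim, which is how the two texts drift apart later; test/unit_tests.sh greps for this exact string in the verbose output, so a future edit to one copy but not the other would pass the test while changing the alert text. I would set it once and reuse it: `msg="The root certificate is unnecessarily present in the delivered certificate chain"`, then `verboselog "${msg}"` and `prepend_critical_message "${msg}"`. The enclosing block starts before this hunk and continues after it.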
@@ -5947,6 +5949,9 @@ EOF
 # check if the warning is overridden by another certificate for the same CN
 if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
 verboselog "Both a valid and an expired certificate were found"
+ if [ -n "${CHECK_CHAIN}" ] ; then
+ prepend_critical_message "Both a valid and an expired certificate were found"
+ fi
 else
 prepend_critical_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
 fi
@@ -5965,6 +5970,9 @@ INPUT
 # check if the warning is overridden by another certificate for the same CN
 if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
 verboselog "Both a valid and an expired certificate were found"
+ if [ -n "${CHECK_CHAIN}" ] ; then
+ prepend_critical_message "Both a valid and an expired certificate were found"
+ fi
 else
 append_warning_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
 fi
diff --git a/check_ssl_cert.1 b/check_ssl_cert.1
index a46c307f..f52525ac 100644
--- a/check_ssl_cert.1
+++ b/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "September, 2022" "2.49.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2022" "2.50.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -38,6 +38,9 @@ Use client certificate to authenticate
 .BR "-c,--critical" " days"
 Minimum number of days a certificate has to be valid to issue a critical status. Can be a floating point number, e.g., 0.5. Default: 15
 .TP
+.BR " --check-chain"
+The certificate chain cannot contain double or root certificates
+.TP
 .BR " --check-ciphers" " grade"
 Check the offered ciphers
 .TP
diff --git a/check_ssl_cert.completion b/check_ssl_cert.completion
index 2a614b01..eba69854 100644
--- a/check_ssl_cert.completion
+++ b/check_ssl_cert.completion
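Review bot: The new critical is raised inside a branch whose condition, `grep -q "${CN_TMP}"`, is an unanchored regex substring match of the CN against `${CN_OK}`: a CN of `example.com` matches `www.example.com` (and `.` matches any character), so an unrelated valid certificate can make this expired one count as its "double", and the expiry is then reported only under `--check-chain`, with a message that does not identify the certificate. If `CN_OK` holds one CN per line (not visible here), `grep -qxF -- "${CN_TMP}"` pins the comparison to a whole, literal line; that is worth confirming against where CN_OK is built. The critical should also name the CN so the operator can act on it: `prepend_critical_message "Both a valid and an expired certificate were found for ${CN_TMP}"`. The enclosing block starts before this hunk and continues after it.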
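Review bot: This hunk escalates the same condition to critical from a branch whose else-path only emits a warning (`append_warning_message`), with a message text ("expired") copied from the critical-threshold hunk above. If this is the warning-threshold counterpart, which the surrounding logic (it starts before the hunk) suggests but does not show, the certificate here is expiring rather than expired, so the message is inaccurate and a warning would be the consistent severity for `--check-chain` too. Consider `append_warning_message "Both a valid and an expiring certificate were found for ${CN_TMP}"` here, or at least a distinct message so the two cases can be told apart in the plugin output.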
@@ -14,7 +14,7 @@ _check_ssl_cert() {
 # only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
 # using autocompletion.
 #
- opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
+ opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert 
--configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
 if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
 # shellcheck disable=2207
diff --git a/check_ssl_cert.spec b/check_ssl_cert.spec
index 0f35935e..0eec6980 100644
--- a/check_ssl_cert.spec
+++ b/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%global version 2.49.0
+%global version 2.50.0
 %global release 0
 %global sourcename check_ssl_cert
 %global packagename nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %changelog
+* Thu Oct 6 2022 Matteo Corti - 2.50.0-0
+- Updated to 2.50.0
+
 * Tue Sep 27 2022 Matteo Corti - 2.49.0-0
 - Updated to 2.49.0
diff --git a/test/unit_tests.sh b/test/unit_tests.sh
index ef622c9d..ea5faba4 100755
--- a/test/unit_tests.sh
+++ b/test/unit_tests.sh
@@ -1885,6 +1885,13 @@ testRootCertInChain() {
 assertEquals "wrong exit code" "${OK}" "${EXIT_CODE}"
 }
+testRootCertInChainEnforce() {
+ # shellcheck disable=SC2086
+ ${SCRIPT} ${TEST_DEBUG} -H matteo.ethz.ch --check-chain
+ EXIT_CODE=$?
+ assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
 testRootCertNotInChainGitHub() {
 # shellcheck disable=SC2086
 ${SCRIPT} ${TEST_DEBUG} -H github.com --verbose | grep -q 'The root certificate is unnecessarily present in the delivered certificate chain'
diff --git a/utils/help.txt b/utils/help.txt
index ac34be06..c75494d3 100644
--- a/utils/help.txt
+++ b/utils/help.txt
@@ -7,6 +7,8 @@
 --allow-empty-san;Alternative Names (SANs)
 --altnames;Match the pattern specified in -n with
 --altnames;alternate names too (enabled by default)
+--check-chain;The certificate chain cannot contain
+--check-chain;double or root certificates
 --check-ciphers grade;Check the offered ciphers
 --check-ciphers-warnings;Critical if nmap reports a warning for an
 --check-ciphers-warnings;offered cipher
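Review bot: `testRootCertInChainEnforce` asserts a CRITICAL exit code from a live third-party host (`matteo.ethz.ch`) on the assumption that it keeps shipping its root certificate in the chain, so the test will fail, or pass for the wrong reason, the day that server's chain is cleaned up; the neighbouring tests share the network dependency, but this one also pins a misconfiguration that the site owner has every reason to fix. A local fixture (a PEM chain that includes its self-signed root, fed through the `--file` option listed in the completion, if that option accepts a chain) would make the assertion deterministic. The second `--check-chain` path added in this commit, the critical for a valid plus an expired certificate with the same CN, has no test at all, and the unguarded exit code in this test also cannot distinguish "root in chain" from any other critical the plugin might raise for that host.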