Package: monitoring-plugins-contrib Version: 35.20210512 Severity: normal Tags: patch
For "normal" https/ssl checks, check_ssl_cert checks the entire chain, but for checks for a given protocol (openssl s_client -starttls <X>), this is not being done. However, it should. } weasel@sarek:~/ssl$ ./check_ssl_cert.1.1 --ignore-ocsp -H '2600:3c01::f03c:91ff:fe2c:2b9f' -p 25 -P smtp --cn ms.lwn.net } SSL_CERT OK - x509 certificate 'ms.lwn.net' from 'R3' valid until Nov 16 00:39:50 2021 GMT (expires in 46 days)|days_chain_elem1=46;20;15;; } weasel@sarek:~/ssl$ ./check_ssl_cert.2.1 --ignore-ocsp -H '2600:3c01::f03c:91ff:fe2c:2b9f' -p 25 -P smtp --cn ms.lwn.net } SSL_CERT OK - x509 certificate 'ms.lwn.net' from 'R3' valid until Nov 16 00:39:50 2021 GMT (expires in 46 days)|days_chain_elem1=46;20;15;; days_chain_elem2=1446;20;15;; days_chain_elem3=1096;20;15;; Patch attached. [This is on top of the patched version in #995372] -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `- https://www.debian.org/
--- check_ssl_cert.1.1 2021-09-30 13:22:51.765139931 +0000
+++ check_ssl_cert.2.1 2021-09-30 13:33:02.675979505 +0000
@@ -1345,51 +1345,51 @@ if [ -n "${PROTOCOL}" ] && [ "${PROTOCOL}" != 'http' ] && [ "${PROTOCOL}" != 'https' ] && [ "${PROTOCOL}" != 'h2' ] ; then
 case "${PROTOCOL}" in
 pop3|ftp)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 pop3s|ftps)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 smtp)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 smtps)
- exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'QUIT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${S_CLIENT_NAME} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 irc|ldap)
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 ircs|ldaps)
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 imap)
- exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 imaps)
- exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'A01 LOGOUT\\n' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -crlf ${IGN_EOF} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 postgres)
- exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "printf 'X\\0\\0\\0\\4' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 sieve)
- exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo 'LOGOUT' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 xmpp|xmpp-server)
- exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 mysql)
- exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
+ exec_with_timeout "echo | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR_SCLIENT}:${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} 2> ${ERROR} 1> ${CERT}"
 RET=$?
 ;;
 *)
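Review bot: The fix has to be hand-applied to eleven near-identical `exec_with_timeout` strings, which is exactly how the leaf-only behaviour this patch corrects went unnoticed for every STARTTLS arm; any future arm (or a missed one here) silently degrades to checking only the leaf certificate with no error. The option tail `-verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE}` is identical in all arms, including `xmpp|xmpp-server` which otherwise differs by using `${XMPPPORT} ${XMPPHOST}` instead of `${PORT} ${SERVERNAME} ${SCLIENT_PROXY} ${SCLIENT_PROXY_ARGUMENT}`, so hoisting `-showcerts` into one variable set before the `case`, e.g. `SCLIENT_VERIFY_OPTS="-showcerts -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE}"`, and referencing it from each arm would make the chain capture a single point of change. It is worth a short comment above that variable noting that `-showcerts` only changes what is written to `${CERT}` (the full chain the server presents), while trust still comes from `-verify 6` and `${ROOT_CA}`, and that the code consuming `${CERT}` must already cope with multiple PEM blocks as the https path does (the report's `days_chain_elem2`/`days_chain_elem3` output suggests it does, but that parser is outside this hunk). The enclosing `if`/`case` begins in the hunk, but the `*)` arm and the end of the `case` lie outside it.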