File skip_crl_validity_check.patch of Package monitoring-plugins-ssl_validity
--- check_ssl_validity.orig 2018-05-17 14:55:08.467324480 +0200
+++ check_ssl_validity 2018-05-17 15:55:50.548777109 +0200
@@ -19,10 +19,10 @@
use Digest::MD5 qw(md5_hex);
use LWP::Simple;
-getopts('p:t:H:dw:c:I:C:d');
+getopts('p:t:H:dw:c:I:C:dS');
sub usage {
- print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)]\n";
+ print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)]\n[-S (skip CRL validity check)\n";
print "\nWill look for hostname provided with -H in the certificate, but will contact\n";
print "server with host/IP provided by -I (optional)\n";
exit(1);
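Review bot: The usage text added for the new option is missing its closing bracket, so it reads `[-S (skip CRL validity check)` while every other option in the same string is bracketed; `[-S (skip CRL validity check)]\n` keeps the list consistent. Because -S disables the revocation lookup entirely, the help text could state that plainly, e.g. `[-S (skip CRL check; revocation status is NOT verified)]`, so an operator reading the usage knows what the result then means. The `getopts` spec on the changed line also lists `d` twice (`dw:c:I:C:dS`); that duplication predates this patch, but dropping the second `d` while the line is being touched would be tidy.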
@@ -214,90 +214,107 @@
if ($opt_d) {
print "Certificate serial: $serial\n";
}
+
@crldps = @{$decoded->CRLDistributionPoints};
$crlskip = 0;
-foreach $crldp (@crldps) {
+# skip CRL validity check
+if ($opt_S) {
if ($opt_d) {
- print "Checking CRL DP $crldp.\n";
+ print " ... skipping CRL validity check !!!\n";
}
- $cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
- if (-f $cachefile) {
- $cacheage = $uxtime-(stat($cachefile))[9];
- if ($cacheage > $crlupdatefreq) {
- if ($opt_d) { print "Download update, more than a day old.\n"; }
- updatecrl($crldp, $cachefile);
+} else {
+ foreach $crldp (@crldps) {
+ # skip 'ldap' CRL DistributionPoint URI
+ if ( $crldp =~ /^ldap.*/ ) {
+ next;
+ }
+ if ($opt_d) {
+ print "Checking CRL DP $crldp.\n";
+ }
+ $cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
+ if (-f $cachefile) {
+ $cacheage = $uxtime-(stat($cachefile))[9];
+ if ($cacheage > $crlupdatefreq) {
+ if ($opt_d) { print "Download update, more than a day old.\n"; }
+ updatecrl($crldp, $cachefile);
+ } else {
+ if ($opt_d) { print "Reusing cached copy of it.\n"; }
+# print "Reuse CRL DP cachefile for $crldp, less than a day old.\n";
+# No need to check CRL, it has already been so? Well we could have many certs to check.
+# $crlskip = 1;
+# next;
+ }
} else {
- if ($opt_d) { print "Reusing cached copy of it.\n"; }
-# print "Reuse CRL DP cachefile for $crldp, less than a day old.\n";
-# No need to check CRL, it has already been so? Well we could have many certs to check.
-# $crlskip = 1;
-# next;
+ if ($opt_d) { print "Download initial copy.\n"; }
+ updatecrl($crldp, $cachefile);
+ }
+# print "Check CRL DP $crldp $cachefile\n";
+ $crl = "";
+ my $format;
+ open(my $cachefile_io, '<', $cachefile);
+ $format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
+ close $cachefile_io;
+ open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
+ while (<CMD>) {
+ $crl .= $_;
+ }
+ close(CMD);
+ $ret = $?;
+ if ($ret != 0) {
+ $crl =~ s@\n@ @g;
+ $crl =~ s@\s+$@@;
+ doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
}
- } else {
- if ($opt_d) { print "Download initial copy.\n"; }
- updatecrl($crldp, $cachefile);
- }
-# print "Check CRL DP $crldp $cachefile\n";
- $crl = "";
- my $format;
- open(my $cachefile_io, '<', $cachefile);
- $format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
- close $cachefile_io;
- open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
- while (<CMD>) {
- $crl .= $_;
- }
- close(CMD);
- $ret = $?;
- if ($ret != 0) {
- $crl =~ s@\n@ @g;
- $crl =~ s@\s+$@@;
- doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
- }
- # Crude CRL parsing goes here
- $mode = 0;
- foreach $cline (split(/\n/, $crl)) {
-# print "cline=$cline\n";
- if ($cline =~ /.*Next Update: (.+)/) {
- $nextup = $1;
- $nextuptime = str2time($nextup);
- $crlvalid = $nextuptime-$uxtime;
- if ($opt_d) { print "Next CRL update: $nextup\n"; }
-# print "crlvalid: $crlvalid\n";
- if ($crlvalid < 0) {
- doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
+ # Crude CRL parsing goes here
+ $mode = 0;
+ foreach $cline (split(/\n/, $crl)) {
+# print "cline=$cline\n";
+ if ($cline =~ /.*Next Update: (.+)/) {
+ $nextup = $1;
+ $nextuptime = str2time($nextup);
+ $crlvalid = $nextuptime-$uxtime;
+ if ($opt_d) { print "Next CRL update: $nextup\n"; }
+# print "crlvalid: $crlvalid\n";
+ if ($crlvalid < 0) {
+ doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
+ }
+# print "nextuptime $nextuptime nextup $nextup X\n";
+ } elsif ($cline =~ /.*Last Update: (.+)/) {
+ $lastup = $1;
+ if ($opt_d) { print "Last CRL update: $lastup\n"; }
+# $lastuptime = str2time($lastup);
+# print "lastuptime $lastuptime lastup $lastup X\n";
+ } elsif ($mode == 0) {
+ if ($cline =~ /.*Serial Number: (\S+)/i) {
+ ckserial;
+ $crserial = lc($1);
+ $crrev = "";
+ } elsif ($cline =~ /.*Revocation Date: (.+)/i) {
+ $crrev = $1;
+ }
+ } elsif ($cline =~ /Signature Algorithm/) {
+ last;
}
-# print "nextuptime $nextuptime nextup $nextup X\n";
- } elsif ($cline =~ /.*Last Update: (.+)/) {
- $lastup = $1;
- if ($opt_d) { print "Last CRL update: $lastup\n"; }
-# $lastuptime = str2time($lastup);
-# print "lastuptime $lastuptime lastup $lastup X\n";
- } elsif ($mode == 0) {
- if ($cline =~ /.*Serial Number: (\S+)/i) {
- ckserial;
- $crserial = lc($1);
- $crrev = "";
- } elsif ($cline =~ /.*Revocation Date: (.+)/i) {
- $crrev = $1;
- }
- } elsif ($cline =~ /Signature Algorithm/) {
- last;
}
+ ckserial;
}
- ckserial;
}
+
if (-f $tempfile) {
unlink ($tempfile);
}
$oktxt =~ s@\s+$@@;
print "$oktxt, still valid for $certdaysfmt days. ";
-if ($crlskip == 0) {
- print "Serial $serial not found on any Certificate Revokation Lists.\n";
+if (!$opt_S) {
+ if ($crlskip == 0) {
+ print "Serial $serial not found on any Certificate Revokation Lists.\n";
+ } else {
+ print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
+ }
} else {
- print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
+ print "\n";
}
exit 0;
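Review bot: The new `next` for `ldap` distribution points drops the DP without recording that nothing was checked, so a certificate whose only CRL DPs are LDAP URIs reaches the final `Serial $serial not found on any Certificate Revokation Lists.` line with no revocation check having run, and `$crlskip` stays 0 because its only other assignment is commented out. A count of DPs actually parsed would make the report honest: `$crlchecked = 0;` beside `$crlskip = 0;`, `$crlchecked++;` after the `ckserial;` that ends the per-DP loop body, and before the `$crlskip` branch `if ($crlchecked == 0) { print "No CRL distribution point could be checked (ldap DPs skipped).\n"; }`, ideally with a non-zero exit so the monitoring system notices. In the same spirit the `-S` branch at the end prints only `\n`; `print "CRL validity check skipped (-S).\n";` would leave a visible trace in the plugin output that revocation was not verified. The `/^ldap.*/` match is case-sensitive and also covers `ldaps://`, which may be intended but deserves a comment such as `# ldap:// and ldaps:// DPs are not fetched by updatecrl`. The script's top-level body continues past this hunk.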