File skip_crl_validity_check.patch of Package monitoring-plugins-ssl_validity
--- check_ssl_validity.orig 2018-05-17 14:55:08.467324480 +0200
+++ check_ssl_validity 2018-05-17 15:55:50.548777109 +0200
@@ -19,10 +19,10 @@
 use Digest::MD5 qw(md5_hex);
 use LWP::Simple;
-getopts('p:t:H:dw:c:I:C:d');
+getopts('p:t:H:dw:c:I:C:dS');
 sub usage {
- print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)]\n";
+ print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)]\n[-S (skip CRL validity check)\n";
 print "\nWill look for hostname provided with -H in the certificate, but will contact\n";
 print "server with host/IP provided by -I (optional)\n";
 exit(1);
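Review bot: The new usage line is missing the closing bracket on the `-S` entry, so the help text prints `[-S (skip CRL validity check)` with no `]`; change it to `[-S (skip CRL validity check)]\n`. The `S` added to the `getopts` string in the same hunk is a plain boolean flag, which matches the `$opt_S` test in the second hunk, so no trailing `:` is needed there.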
@@ -214,90 +214,107 @@
 if ($opt_d) {
 print "Certificate serial: $serial\n";
 }
+ @crldps = @{$decoded->CRLDistributionPoints};
 $crlskip = 0;
-foreach $crldp (@crldps) {
+# skip CRL validity check
+if ($opt_S) {
 if ($opt_d) {
- print "Checking CRL DP $crldp.\n";
+ print " ... skipping CRL validity check !!!\n";
 }
- $cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
- if (-f $cachefile) {
- $cacheage = $uxtime-(stat($cachefile))[9];
- if ($cacheage > $crlupdatefreq) {
- if ($opt_d) { print "Download update, more than a day old.\n"; }
- updatecrl($crldp, $cachefile);
+} else {
+ foreach $crldp (@crldps) {
+ # skip 'ldap' CRL DistributionPoint URI
+ if ( $crldp =~ /^ldap.*/ ) {
+ next;
+ }
+ if ($opt_d) {
+ print "Checking CRL DP $crldp.\n";
+ }
+ $cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
+ if (-f $cachefile) {
+ $cacheage = $uxtime-(stat($cachefile))[9];
+ if ($cacheage > $crlupdatefreq) {
+ if ($opt_d) { print "Download update, more than a day old.\n"; }
+ updatecrl($crldp, $cachefile);
+ } else {
+ if ($opt_d) { print "Reusing cached copy of it.\n"; }
+# print "Reuse CRL DP cachefile for $crldp, less than a day old.\n";
+# No need to check CRL, it has already been so? Well we could have many certs to check.
+# $crlskip = 1;
+# next;
+ }
 } else {
- if ($opt_d) { print "Reusing cached copy of it.\n"; }
-# print "Reuse CRL DP cachefile for $crldp, less than a day old.\n";
-# No need to check CRL, it has already been so? Well we could have many certs to check.
-# $crlskip = 1;
-# next;
+ if ($opt_d) { print "Download initial copy.\n"; }
+ updatecrl($crldp, $cachefile);
+ }
+# print "Check CRL DP $crldp $cachefile\n";
+ $crl = "";
+ my $format;
+ open(my $cachefile_io, '<', $cachefile);
+ $format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
+ close $cachefile_io;
+ open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
+ while (<CMD>) {
+ $crl .= $_;
+ }
+ close(CMD);
+ $ret = $?;
+ if ($ret != 0) {
+ $crl =~ s@\n@ @g;
+ $crl =~ s@\s+$@@;
+ doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
 }
- } else {
- if ($opt_d) { print "Download initial copy.\n"; }
- updatecrl($crldp, $cachefile);
- }
-# print "Check CRL DP $crldp $cachefile\n";
- $crl = "";
- my $format;
- open(my $cachefile_io, '<', $cachefile);
- $format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
- close $cachefile_io;
- open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
- while (<CMD>) {
- $crl .= $_;
- }
- close(CMD);
- $ret = $?;
- if ($ret != 0) {
- $crl =~ s@\n@ @g;
- $crl =~ s@\s+$@@;
- doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
- }
- # Crude CRL parsing goes here
- $mode = 0;
- foreach $cline (split(/\n/, $crl)) {
-# print "cline=$cline\n";
- if ($cline =~ /.*Next Update: (.+)/) {
- $nextup = $1;
- $nextuptime = str2time($nextup);
- $crlvalid = $nextuptime-$uxtime;
- if ($opt_d) { print "Next CRL update: $nextup\n"; }
-# print "crlvalid: $crlvalid\n";
- if ($crlvalid < 0) {
- doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
+ # Crude CRL parsing goes here
+ $mode = 0;
+ foreach $cline (split(/\n/, $crl)) {
+# print "cline=$cline\n";
+ if ($cline =~ /.*Next Update: (.+)/) {
+ $nextup = $1;
+ $nextuptime = str2time($nextup);
+ $crlvalid = $nextuptime-$uxtime;
+ if ($opt_d) { print "Next CRL update: $nextup\n"; }
+# print "crlvalid: $crlvalid\n";
+ if ($crlvalid < 0) {
+ doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
+ }
+# print "nextuptime $nextuptime nextup $nextup X\n";
+ } elsif ($cline =~ /.*Last Update: (.+)/) {
+ $lastup = $1;
+ if ($opt_d) { print "Last CRL update: $lastup\n"; }
+# $lastuptime = str2time($lastup);
+# print "lastuptime $lastuptime lastup $lastup X\n";
+ } elsif ($mode == 0) {
+ if ($cline =~ /.*Serial Number: (\S+)/i) {
+ ckserial;
+ $crserial = lc($1);
+ $crrev = "";
+ } elsif ($cline =~ /.*Revocation Date: (.+)/i) {
+ $crrev = $1;
+ }
+ } elsif ($cline =~ /Signature Algorithm/) {
+ last;
 }
-# print "nextuptime $nextuptime nextup $nextup X\n";
- } elsif ($cline =~ /.*Last Update: (.+)/) {
- $lastup = $1;
- if ($opt_d) { print "Last CRL update: $lastup\n"; }
-# $lastuptime = str2time($lastup);
-# print "lastuptime $lastuptime lastup $lastup X\n";
- } elsif ($mode == 0) {
- if ($cline =~ /.*Serial Number: (\S+)/i) {
- ckserial;
- $crserial = lc($1);
- $crrev = "";
- } elsif ($cline =~ /.*Revocation Date: (.+)/i) {
- $crrev = $1;
- }
- } elsif ($cline =~ /Signature Algorithm/) {
- last;
 }
+ ckserial;
 }
- ckserial;
 }
+ if (-f $tempfile) { unlink ($tempfile); }
 $oktxt =~ s@\s+$@@;
 print "$oktxt, still valid for $certdaysfmt days. ";
-if ($crlskip == 0) {
- print "Serial $serial not found on any Certificate Revokation Lists.\n";
+if (!$opt_S) {
+ if ($crlskip == 0) {
+ print "Serial $serial not found on any Certificate Revokation Lists.\n";
+ } else {
+ print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
+ }
 } else {
- print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
+ print "\n";
 }
 exit 0;
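Review bot: The new `if ( $crldp =~ /^ldap.*/ ) { next; }` skips LDAP distribution points without recording that nothing was checked, so a certificate whose only CRL DP is an LDAP URI leaves `$crlskip` at 0 and is reported as `Serial $serial not found on any Certificate Revokation Lists` although no CRL was ever consulted. Count the DPs actually processed — `my $checked = 0;` before the `foreach`, `$checked++;` right after the ldap `next` block, and after the loop `doexit(1, "No usable (non-LDAP) CRL distribution point for $hosttxt") unless $checked;` — so an unverifiable revocation status is surfaced as a warning rather than reported as clean. In the same spirit the `-S` branch ends the OK line with a bare `print "\n";`; printing `"CRL validity check not performed (-S).\n"` instead keeps the skipped revocation check visible in the monitoring output. The top-level flow this hunk patches starts before its first line.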