[packages/nagios-plugin-check_ssl_cert] - rel 2; add option --ignore-ocsp-timeout
arekm
arekm at pld-linux.org
Tue Mar 31 10:12:36 CEST 2020
commit c00d40a2b67c8b6abef20ad1510c65a8f2c1e671
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Mar 31 10:12:28 2020 +0200
- rel 2; add option --ignore-ocsp-timeout
nagios-plugin-check_ssl_cert.spec | 4 +-
ocsp.patch | 152 ++++++++++++++++++++++++++++++++++++++
2 files changed, 155 insertions(+), 1 deletion(-)
---
diff --git a/nagios-plugin-check_ssl_cert.spec b/nagios-plugin-check_ssl_cert.spec
index 19dcde1..d05790d 100644
--- a/nagios-plugin-check_ssl_cert.spec
+++ b/nagios-plugin-check_ssl_cert.spec
@@ -3,12 +3,13 @@ Summary: Nagios plugin to check the CA and validity of an X.509 certificate
Summary(pl.UTF-8): Wtyczka Nagiosa sprawdzająca CA i ważność certyfikatu X.509
Name: nagios-plugin-%{plugin}
Version: 1.110.0
-Release: 1
+Release: 2
License: GPL v3
Group: Networking
Source0: https://github.com/matteocorti/check_ssl_cert/releases/download/v%{version}/check_ssl_cert-%{version}.tar.gz
# Source0-md5: bb0d3fd5a35a1bb97bfb5c1d63169591
Source1: check_ssl_cert.cfg
+Patch0: ocsp.patch
URL: https://github.com/matteocorti/check_ssl_cert/wiki
BuildRequires: rpm >= 4.4.9-56
Requires: expect
@@ -40,6 +41,7 @@ jego poprawność.
%prep
%setup -q -n %{plugin}-%{version}
+%patch0 -p1
%install
rm -rf $RPM_BUILD_ROOT
diff --git a/ocsp.patch b/ocsp.patch
new file mode 100644
index 0000000..93fab60
--- /dev/null
+++ b/ocsp.patch
@@ -0,0 +1,152 @@
+From 596c02d6b9c65fe81e42668f133bb73308f9cecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= <arekm at maven.pl>
+Date: Tue, 31 Mar 2020 10:05:37 +0200
+Subject: [PATCH] Timeout for OCSP calls and option to ignore timeouts
+
+Call all openssl oscp commands with timeout.
+
+Add option --ignore-ocsp-timeout which will do OCSP check but
+do not fail if timeout occurs during such checks.
+---
+ check_ssl_cert | 50 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/check_ssl_cert b/check_ssl_cert
+index 8dd5f07..59e1903 100755
+--- a/check_ssl_cert
++++ b/check_ssl_cert
+@@ -93,6 +93,7 @@ usage() {
+ echo " related checks"
+ echo " --ignore-exp ignore expiration date"
+ echo " --ignore-ocsp do not check revocation with OCSP"
++ echo " --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking"
+ echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
+ echo " or MD5"
+ echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
+@@ -898,6 +899,7 @@ main() {
+ REQUIRE_SAN=""
+ REQUIRE_OCSP_STAPLING=""
+ OCSP="1" # enabled by default
++ OCSP_IGNORE_TIMEOUT=""
+ FORMAT=""
+ HTTP_METHOD="HEAD"
+ RSA=""
+@@ -1061,6 +1063,10 @@ main() {
+ OCSP=""
+ shift
+ ;;
++ --ignore-ocsp-timeout)
++ OCSP_IGNORE_TIMEOUT=1
++ shift
++ ;;
+ --terse)
+ TERSE=1
+ shift
+@@ -2877,19 +2883,19 @@ main() {
+ if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp supports the -header option"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} supports the -header option"
+ fi
+
+ # the -header option was first accepting key and value separated by space. The newer versions are using key=value
+ KEYVALUE=""
+- if ${OPENSSL} ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
++ if ${OPENSSL} ocsp -timeout ${TIMEOUT} -help 2>&1 | grep header | grep -q 'key=value' ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp -header requires 'key=value'"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} -header requires 'key=value'"
+ fi
+ KEYVALUE=1
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp -header requires 'key value'"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} -header requires 'key value'"
+ fi
+ fi
+
+@@ -2903,28 +2909,28 @@ main() {
+
+ if [ -n "${KEYVALUE}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ else
+
+ if [ -n "${KEYVALUE}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ fi
+@@ -2933,7 +2939,13 @@ main() {
+ echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
+ fi
+
+- if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
++ if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
++
++ if [ -n "${DEBUG}" ] ; then
++ echo '[DBG] OCSP: Timeout on connect'
++ fi
++
++ elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] OCSP: revoked'
+@@ -2950,25 +2962,25 @@ main() {
+ if [ -n "${HTTP_PROXY:-}" ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ fi
+
+ else
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
+ fi
+
+ fi
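Review bot: The new `--ignore-ocsp-timeout` branch at `if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect"` turns a revocation lookup that never completed into a silent pass: its only output is under `${DEBUG}`, so the plugin reports OK with no sign that revocation status was not obtained. Suggest a non-debug notice on that path, e.g. `echo "[WARN] OCSP: timeout on connect, revocation status not checked" >&2` (or folding it into the plugin's warning output), and changing the usage line to `echo " --ignore-ocsp-timeout do not fail if the OCSP responder times out (revocation is then not checked)"` so operators understand what the option relaxes. Matching openssl's stderr text is also brittle across OpenSSL and LibreSSL versions, and the `2>&1` command substitution discards the exit status, so any differently worded failure falls through to the `revoked` test; the `else` branch that would handle it lies outside the hunk. Separately, `-timeout ${TIMEOUT}` is inserted unquoted while every neighbouring argument is quoted, and the same replacement was applied to the `${OPENSSL} ocsp -help` capability probe and its `[DBG]` strings where it is only noise; `-timeout "${TIMEOUT}"` on the real calls, with the probe lines left as they were, would be cleaner (where `TIMEOUT` is set is not visible in the hunk).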