Revision bba98f95

ID bba98f95b3aecdd62a9c88c0cc5b8bd49d2ca206
Parent 81bdedaf
Child 32264463

Added by Martin Schobert about 5 years ago

ssl-certificate-expiry: Feature added: checking intermediate certs as well (#1088)

View differences:

plugins/ssl/ssl-certificate-expiry
57 57

  
58 58
 * Pactrick Domack (ssl_)
59 59
 * Olivier Mehani (ssl-certificate-expiry)
60

  
60
 * Martin Schobert (check for intermediate certs)
61
 
61 62
 * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
62 63
 * Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net>
64
 * Copyright (C) 2020 Martin Schobert <martin@schobert.cc> 
63 65

  
64 66
=head1 LICENSE
65 67

  
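Review bot: the added copyright line `* Copyright (C) 2020 Martin Schobert <martin@schobert.cc> ` ends in a trailing space; trim it. While the author list is being touched, the unchanged entry `* Pactrick Domack (ssl_)` just above the new `* Martin Schobert (check for intermediate certs)` line disagrees with the copyright line `* Copyright (C) 2013 Patrick Domack`, so the spelling could be fixed in the same commit.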
......
90 92
    local now_epoch
91 93
    local input_data
92 94
    input_data=$(cat)
95

  
93 96
    if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
94 97
        valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \
95 98
            | grep "^notAfter=" | cut -f 2 -d "=")
......
122 125
    local s_client_args=
123 126
    [ -n "$starttls" ] && s_client_args="-starttls $starttls"
124 127

  
128
    # We extract and check the server certificate,
129
    # but the end date also depends on intermediate certs. Therefore
130
    # we want to check intermediate certs as well.
131
    #
132
    # The following cryptic lines do:
133
    # - invoke openssl and connect to a port
134
    # - print certs, not only the server cert
135
    # - extract each certificate as a single line
136
    # - pipe each cert to the parse_valid_days_from_certificate
137
    #   function, which basically is 'openssl x509 -enddate'
138
    # - get a list of the parse_valid_days_from_certificate
139
    #   results and sort them
140
    
125 141
    # shellcheck disable=SC2086
126 142
    echo "" | openssl s_client \
127
            -servername "$host" -connect "${host}:${port}" \
128
            $s_client_args 2>/dev/null \
129
        | parse_valid_days_from_certificate
143
	-servername "$host" -connect "${host}:${port}" \
144
	-showcerts \
145
	$s_client_args 2>/dev/null | \
146
	awk '{
147
  	  if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
148
  	  else if ($0 == "-----END CERTIFICATE-----") print cert
149
  	  else cert=cert$0
150
	  }' | \
151
	  while read -r CERT; do
152
	      (printf '\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$CERT") | \
153
	  	  parse_valid_days_from_certificate
154
          done | sort -n | head -n 1
155
	
130 156
}
131 157

  
132 158
main() {
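Review bot: the awk reconstruction (`cert=cert$0`) joins every base64 line of a certificate into one string, and the later `printf '\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$CERT"` emits that body as a single line between the markers. That is no longer the 64-column PEM layout `-showcerts` produced, and the PEM reader in older OpenSSL releases (the 1.0.x series) rejects data lines longer than 64 characters with a "bad end line" error, in which case `parse_valid_days_from_certificate` gets no `notAfter=` line and the chain check silently reports nothing. Either re-wrap the body before handing it to openssl, e.g. `{ printf -- '-----BEGIN CERTIFICATE-----\n'; printf '%s\n' "$CERT" | fold -w 64; printf -- '-----END CERTIFICATE-----\n'; } | parse_valid_days_from_certificate`, or state the minimum OpenSSL version the plugin now requires in the POD header. Separately, the new lines are tab-indented while the surrounding function uses spaces, `done | sort -n | head -n 1` sits at a different indentation level than its `while read -r CERT; do`, and the line after the comment block and the line before the closing brace are whitespace-only; reindent before merging so the `# shellcheck disable=SC2086` comment still sits directly above the `$s_client_args` expansion it covers.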