refine ssl insecure and client certificate options

* default TLS Protocols are now set to >= TLS1 * --cacert and --cert are no longer mandatory if option -s is used * proper error messages if parsing of cert or key files fails
drewkerrigan · May 9, 2019 · 8437c46 · 8437c46
1 parent df2bbdb
commit 8437c46
Showing 1 changed file with 31 additions and 8 deletions.
diff --git a/check_http_json.py b/check_http_json.py
@@ -390,12 +390,8 @@ def parseArgs():
     parser.add_argument('-k', '--insecure', action='store_true',
                         help='do not check server SSL certificate')
     parser.add_argument('--cacert',
-                        required=('-s' in sys.argv or '--ssl' in sys.argv)
-                        and not ('-k' in sys.argv or '--insecure' in sys.argv),
                         dest='cacert', help='SSL CA certificate')
     parser.add_argument('--cert',
-                        required=('-s' in sys.argv or '--ssl' in sys.argv)
-                        and not ('-k' in sys.argv or '--insecure' in sys.argv),
                         dest='cert', help='SSL client certificate')
     parser.add_argument('--key', dest='key',
                         help='SSL client key ( if not bundled into the cert )')
@@ -680,13 +676,40 @@ def test_separator(self):
     nagios = NagiosHelper()
     if args.ssl:
         url = "https://%s" % args.host
+
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+        context.options |= ssl.OP_NO_SSLv2
+        context.options |= ssl.OP_NO_SSLv3
+
         if args.insecure:
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+            context.verify_mode = ssl.CERT_NONE
         else:
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
             context.verify_mode = ssl.CERT_OPTIONAL
-            context.load_verify_locations(args.cacert)
-            context.load_cert_chain(args.cert,keyfile=args.key)
+            if args.cacert:
+                try:
+                    context.load_verify_locations(args.cacert)
+                except ssl.SSLError:
+                    nagios.append_unknown(
+                    ''' Error loading SSL CA cert "%s"!'''
+                    % args.cacert)
+
+            if args.cert:
+                try:
+                    context.load_cert_chain(args.cert,keyfile=args.key)
+                except ssl.SSLError:
+                    if args.key:
+                        nagios.append_unknown(
+                        ''' Error loading SSL cert. Make sure key "%s" belongs to cert "%s"!'''
+                        % (args.key, args.cert))
+                    else:
+                        nagios.append_unknown(
+                        ''' Error loading SSL cert. Make sure "%s" contains the key as well!'''
+                        % (args.cert))
+
+        if nagios.getCode() != OK_CODE:
+            print(nagios.getMessage())
+            exit(nagios.getCode())
+
     else:
         url = "http://%s" % args.host
     if args.port: