New version where the CN must always match

Fixes #271
matteocorti · Apr 1, 2021 · 3518c6e · 3518c6e
1 parent 918a8a8
commit 3518c6e
Show file tree

Hide file tree

Showing 9 changed files with 92 additions and 46 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+2021-04-01  Matteo Corti  <matteo@corti.li>
+
+	* check_ssl_cert: The host name must now always match with the certificate
+
 2021-03-31  Matteo Corti  <matteo@corti.li>
 
 	* check_ssl_cert (main): Added the --resolve option

diff --git a/NEWS b/NEWS
@@ -1,4 +1,5 @@
-2021-03-29 Version 1.147.0: Fixed the documentation of various options
+2021-03-29 Version   2.0.0: Fixed the documentation of various options
+                            The host name must now always match with the certificate
                             Short options can be grouped (e.g., -vs -c 10 -w 15)
                             Different verbosity levels can now be specified (-v can be used more than once)
                             Added the --resolve option to specify a custom IP for the checked host

diff --git a/README.md b/README.md
@@ -60,7 +60,9 @@ Options:
    -h,--help,-?                    this help message
       --http-use-get               use GET instead of HEAD (default) for the HTTP
                                    related checks
+      --ignore-altnames            ignores alternative names when matching pattern specified in -n (or the host name)
       --ignore-exp                 ignore expiration date
+      --ignore-host-cn             do not complain if the CN does not match the host name
       --ignore-ocsp                do not check revocation with OCSP
       --ignore-ocsp-timeout        ignore OCSP result when timeout occurs while checking
       --ignore-sig-alg             do not check if the certificate was signed with SHA1

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,3 +1,4 @@
+ * The host name must now always match with the certificate
  * Fixed the man page, ```README.md``` and ```--help``` output (some options were missing)
  * Short options can be grouped (e.g., ```-vs -c 10 -w 15```)
  * Different verbosity levels can be specified (```-v``` can be used more than once)

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.147.0
+2.0.0
diff --git a/check_ssl_cert b/check_ssl_cert
@@ -19,7 +19,7 @@
 ################################################################################
 # Constants
 
-VERSION=1.147.0
+VERSION=2.0.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -67,8 +67,6 @@ usage() {
     echo "Options:"
     echo "   -A,--noauth                     ignore authority warnings (expiration only)"
     echo "      --all                        enables all the possible optional checks at the maximum level"
-    echo "      --altnames                   matches the pattern specified in -n with"
-    echo "                                   alternate names too"
     echo "      --check-ciphers grade        checks the offered ciphers"
     echo "      --check-ciphers-warnings     critical if nmap reports a warning for an offered cipher"
     echo "   -C,--clientcert path            use client certificate to authenticate"
@@ -107,7 +105,9 @@ usage() {
     echo "   -h,--help,-?                    this help message"
     echo "      --http-use-get               use GET instead of HEAD (default) for the HTTP"
     echo "                                   related checks"
+    echo "      --ignore-altnames            ignores alternative names when matching pattern specified in -n (or the host name)"
     echo "      --ignore-exp                 ignore expiration date"
+    echo "      --ignore-host-cn             do not complain if the CN does not match the host name"
     echo "      --ignore-ocsp                do not check revocation with OCSP"
     echo "      --ignore-ocsp-timeout        ignore OCSP result when timeout occurs while checking"
     echo "      --ignore-sig-alg             do not check if the certificate was signed with SHA1"
@@ -142,7 +142,6 @@ usage() {
     echo "                                   the given pattern"
     echo "      --not-valid-longer-than days critical if the certificate validity is longer than"
     echo "                                   the specified period"
-    echo "   -N,--host-cn                    match CN with the host name"
     echo "      --ocsp-critical hours        minimum number of hours an OCSP response has to be valid to"
     echo "                                   issue a critical status"
     echo "      --ocsp-warning hours         minimum number of hours an OCSP response has to be valid to"
@@ -198,9 +197,12 @@ usage() {
     echo "   -6                              force IPv6"
     echo
     echo "Deprecated options:"
+    echo "      --altnames                   matches the pattern specified in -n with"
+    echo "                                   alternate names too (enabled by default)"
     echo "      --days days                  minimum number of days a certificate has to be valid"
     echo "                                   (see --critical and --warning)"
-    echo "      --ocsp                       check revocation via OCSP"
+    echo "   -N,--host-cn                    match CN with the host name (enabled by default)"
+    echo "      --ocsp                       check revocation via OCSP (enabled by default)"
     echo "   -S,--ssl version                force SSL version (2,3)"
     echo "                                   (see: --ssl2 or --ssl3)"
     echo
@@ -1482,6 +1484,13 @@ fetch_certificate() {
 
             prepend_critical_message 'No TLS connection possible'
 
+        elif ascii_grep 'write:errno=54' "${ERROR}" ; then
+
+            ERROR='No certificate returned (SNI reqired?)'
+            SHORTNAME="${HOST_NAME}"
+            prepend_critical_message "${ERROR}"
+            critical "${SHORTNAME} CRITICAL: ${ERROR}"
+
         else
 
             # Try to clean up the error message
@@ -1618,6 +1627,15 @@ parse_command_line_options() {
                 NOEXP=1
                 shift
                 ;;
+            --ignore-altnames)
+                ALTNAMES=
+                shift
+                ;;
+            --ignore-host-cn)
+                COMMON_NAME=
+                ALTNAMES=
+                shift
+                ;;
             --ignore-sig-alg)
                 NOSIGALG=1
                 shift
@@ -1821,6 +1839,8 @@ parse_command_line_options() {
             -f|--file)
                 check_option_argument ' -f|--file' "$2"
                 FILE="$2"
+                COMMON_NAME=
+                ALTNAMES=
                 shift 2
                 ;;
             --file-bin)
@@ -1885,11 +1905,7 @@ parse_command_line_options() {
                 ;;
             -n|--cn)
                 check_option_argument ' -n|--cn' "$2"
-                if [ -n "${COMMON_NAME}" ]; then
-                    COMMON_NAME="${COMMON_NAME} ${2}"
-                else
-                    COMMON_NAME="${2}"
-                fi
+                COMMON_NAME="${2}"
                 shift 2
                 ;;
             --not-issued-by)
@@ -2127,6 +2143,9 @@ main() {
     SCT="1" # enabled by default
     HTTP_REQUEST_URL="/"
 
+    COMMON_NAME="__HOST__" # enabled by default
+    ALTNAMES=1 # enabled by default
+
     # after 2020-09-01 we could set the default to 398 days because of Apple
     # https://support.apple.com/en-us/HT211025
     NOT_VALID_LONGER_THAN=""
@@ -2270,9 +2289,15 @@ main() {
     # Set COMMON_NAME to hostname if -N was given as argument.
     # COMMON_NAME may be a space separated list of hostnames.
     case ${COMMON_NAME} in
-        *__HOST__*) COMMON_NAME=$(echo "${COMMON_NAME}" | sed "s/__HOST__/${HOST_NAME}/") ;;
+        *__HOST__*)
+            # localhost is used for files to be checked: we ignore it
+            if [ "${HOST_NAME}" != 'localhost' ] ; then
+                COMMON_NAME=$(echo "${COMMON_NAME}" | sed "s/__HOST__/${HOST_NAME}/")
+            fi
+            ;;
         *) ;;
     esac
+    debuglog "COMMON_NAME = ${COMMON_NAME}"
 
     if [ -n "${ALTNAMES}" ] && [ -z "${COMMON_NAME}" ] ; then
         unknown "--altnames requires a common name to match (--cn or --host-cn)"
@@ -3256,6 +3281,7 @@ main() {
 
         debuglog "check CN: ${CN}"
         debuglog "COMMON_NAME = ${COMMON_NAME}"
+        debuglog "ALTNAMES    = ${ALTNAMES}"
 
         # Common name is case insensitive: using grep for comparison (and not 'case' with 'shopt -s nocasematch' as not defined in POSIX
 

diff --git a/check_ssl_cert.1 b/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "March, 2021" "1.147.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "April, 2021" "2.0.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -111,9 +111,15 @@ this help message
 .BR "   --http-use-get"
 use GET instead of HEAD (default) for the HTTP related checks
 .TP
+.BR "  --ignore-altnames"
+ignores alternative names when matching pattern specified in -n (or the host name)
+.TP
 .BR "   --ignore-exp"
 ignore expiration date
 .TP
+.BR "   --ignore-host-cn"
+do not complain if the CN does not match the host name
+.TP
 .BR "   --ignore-ocsp"
 do not check revocation with OCSP
 .TP

diff --git a/check_ssl_cert.spec b/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%define version          1.147.0
+%define version          2.0.0
 %define release          0
 %define sourcename       check_ssl_cert
 %define packagename      nagios-plugins-check_ssl_cert
@@ -45,6 +45,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{sourcename}.1*
 
 %changelog
+* Mon Apr   1 2021 Matteo Corti <matteo@corti.li> - 2.0.0-0
+- Updated to 2.0.0
+
 * Mon Mar  29 2021 Matteo Corti <matteo@corti.li> - 1.147.0-0
 - Updated to 1.147.0