matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Unable to run with proxy defined (s_client invocation) #233

Closed cbiedl closed 3 years ago

cbiedl commented 3 years ago

Hello,

with http_proxy and https_proxy set, check_ssl_cert fails here:

./check_ssl_cert -H www.debian.org 
SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous 

It seems openssl's -proxy parameter takes a different form, just host and port, no protocol specification. Manually patching the script solved that issue (there might be more, will check).

cbiedl commented 3 years ago

FWIW, openssl version is 1.1.1h (as in Debian testing).

cbiedl commented 3 years ago

The second issue I had encountered is the same story: The -host parameter of openssl ocsp again just takes host and port. After fixing that, the check passes.

matteocorti commented 3 years ago

Can you please post the full debugging output? With the -d option?

cbiedl commented 3 years ago

Certainly. Setting was:

export http_proxy=http://127.0.0.1:3128/
export https_proxy=http://127.0.0.1:3128/
./check_ssl_cert -H www.debian.org -d >debug.log 2>&1

Output as follows:

[DBG] Command line arguments: -H www.debian.org -d
[DBG] -c specified: 15
[DBG] ROOT_CA = 
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.72.0 (x86_64-pc-linux-gnu) libcurl/7.72.0 OpenSSL/1.1.1h zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.8.0 nghttp2/1.42.0 librtmp/2.3
[DBG] Release-Date: 2020-08-19
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] nmap binary not needed. No disallowed protocols
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.124.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.1.1h  22 Sep 2020
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG]  System info: Linux hafer 5.4.81 #1 SMP Wed Dec 2 10:59:21 UTC 2020 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername www.debian.org
[DBG] Adding --proxy http://127.0.0.1:3128/ to the cURL options
[DBG] Adding -proxy http://127.0.0.1:3128/ to the s_client options
[DBG] '/usr/bin/openssl s_client' supports '-name': using hafer
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost www.debian.org
[DBG] temporary file /tmp/sBXtpn created
[DBG] temporary file /tmp/NCIt5a created
[DBG] temporary file /tmp/IyGLzO created
[DBG] temporary file /tmp/Y50Q72 created
downloading certificate to /tmp
[DBG] www.debian.org is not an IP address
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: www.debian.org
[DBG] User-Agent: check_ssl_cert/1.124.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect www.debian.org:443 -servername www.debian.org -proxy http://127.0.0.1:3128/ -showcerts -verify 6       2> /tmp/NCIt5a 1> /tmp/sBXtpn
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: www.debian.org
[DBG] User-Agent: check_ssl_cert/1.124.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect www.debian.org:443 -servername www.debian.org -proxy http://127.0.0.1:3128/ -showcerts -verify 6       2> /tmp/NCIt5a 1> /tmp/sBXtpn"
[DBG] storing a copy of the retrieved certificate in www.debian.org.crt
[DBG] Return value of the command = 1
[DBG] storing a copy of the retrieved certificate in /tmp/www.debian.org-443.crt
[DBG] storing a copy of the OpenSSL errors in /tmp/www.debian.org-443.error
[DBG] SSL error: verify depth is 6
[DBG] SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message    = SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: HOST           = www.debian.org
[DBG] prepend_critical_message: CN             = 
[DBG] prepend_critical_message: SNI            = 
[DBG] prepend_critical_message: FILE           = 
[DBG] prepend_critical_message: SHORTNAME      = SSL_CERT
[DBG] prepend_critical_message: MSG            = 
[DBG] prepend_critical_message: CRITICAL_MSG   = 
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Error: verify depth is 6; s_client: -proxy argument malformed or ambiguous
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message    = No certificate returned
[DBG] prepend_critical_message: HOST           = www.debian.org
[DBG] prepend_critical_message: CN             = 
[DBG] prepend_critical_message: SNI            = 
[DBG] prepend_critical_message: FILE           = 
[DBG] prepend_critical_message: SHORTNAME      = SSL_CERT
[DBG] prepend_critical_message: MSG            = SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: CRITICAL_MSG   = SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[DBG] cleaning up temporary files
[DBG] 
[DBG] /tmp/sBXtpn
[DBG] /tmp/NCIt5a
[DBG] /tmp/IyGLzO
[DBG] /tmp/Y50Q72
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG]     SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
[DBG] number of errors = 2
SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous
Error(s):
    SSL_CERT CRITICAL www.debian.org: No certificate returned
    SSL_CERT CRITICAL www.debian.org: SSL error: s_client: -proxy argument malformed or ambiguous

matteocorti commented 3 years ago

It's a bug. The protocol should be removed from the proxy option. I'll correct it as soon as possible. For the time being, download an older version.

matteocorti commented 3 years ago

Thanks. Can you try with the latest commit?

cbiedl commented 3 years ago

Matteo Corti wrote...

Thanks. Can you try with the latest commit?

Negative (full output below):

[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect www.debian.org:443 -servername www.debian.org -proxy 127.0.0.1:3128/ -showcerts -verify 6       2> /tmp/iOvMsE 1> /tmp/a5ctPH"
(...)
[DBG] SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype

The problem is that stripping the protocol specifier is not sufficient, as it leaves the trailing slash in place. However, curl can handle that very well, and this is the bar we should follow. Setting the environment variables to "http://127.0.0.1:3128" (without trailing slash) makes the check pass.

Checking the --proxy options of curl in search of a specification of the proxy setting, this seems like Pandora's box. A robust solution would be to accept only values that start with "http://" and do not contain user/pass.

Oh, and just in case ... my tests also include IPv6, so "http://[::1]:3128" must work as well, it currently does.

Christoph

[DBG] Command line arguments: -H www.debian.org -d
[DBG] -c specified: 15
[DBG] ROOT_CA = 
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.72.0 (x86_64-pc-linux-gnu) libcurl/7.72.0 OpenSSL/1.1.1h zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.8.0 nghttp2/1.42.0 librtmp/2.3
[DBG] Release-Date: 2020-08-19
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] nmap binary not needed. No disallowed protocols
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.124.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.1.1h  22 Sep 2020
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG]  System info: Linux hafer 5.4.81 #1 SMP Wed Dec 2 10:59:21 UTC 2020 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername www.debian.org
[DBG] Adding --proxy http://127.0.0.1:3128/ to the cURL options
[DBG] Adding -proxy 127.0.0.1:3128/ to the s_client options
[DBG] '/usr/bin/openssl s_client' supports '-name': using hafer
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost www.debian.org
[DBG] temporary file /tmp/a5ctPH created
[DBG] temporary file /tmp/iOvMsE created
[DBG] temporary file /tmp/bBrlDi created
[DBG] temporary file /tmp/RAk2Oa created
downloading certificate to /tmp
[DBG] www.debian.org is not an IP address
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: www.debian.org
[DBG] User-Agent: check_ssl_cert/1.124.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect www.debian.org:443 -servername www.debian.org -proxy 127.0.0.1:3128/ -showcerts -verify 6       2> /tmp/iOvMsE 1> /tmp/a5ctPH
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: www.debian.org
[DBG] User-Agent: check_ssl_cert/1.124.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect www.debian.org:443 -servername www.debian.org -proxy 127.0.0.1:3128/ -showcerts -verify 6       2> /tmp/iOvMsE 1> /tmp/a5ctPH"
[DBG] storing a copy of the retrieved certificate in www.debian.org.crt
[DBG] Return value of the command = 1
[DBG] storing a copy of the retrieved certificate in /tmp/www.debian.org-443.crt
[DBG] storing a copy of the OpenSSL errors in /tmp/www.debian.org-443.error
[DBG] SSL error: verify depth is 6
[DBG] SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] SSL error: connect:errno=0
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message    = SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: HOST           = www.debian.org
[DBG] prepend_critical_message: CN             = 
[DBG] prepend_critical_message: SNI            = 
[DBG] prepend_critical_message: FILE           = 
[DBG] prepend_critical_message: SHORTNAME      = SSL_CERT
[DBG] prepend_critical_message: MSG            = 
[DBG] prepend_critical_message: CRITICAL_MSG   = 
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Error: verify depth is 6; 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype; connect:errno=0
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message    = No certificate returned
[DBG] prepend_critical_message: HOST           = www.debian.org
[DBG] prepend_critical_message: CN             = 
[DBG] prepend_critical_message: SNI            = 
[DBG] prepend_critical_message: FILE           = 
[DBG] prepend_critical_message: SHORTNAME      = SSL_CERT
[DBG] prepend_critical_message: MSG            = SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: CRITICAL_MSG   = SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[DBG] cleaning up temporary files
[DBG] 
[DBG] /tmp/a5ctPH
[DBG] /tmp/iOvMsE
[DBG] /tmp/bBrlDi
[DBG] /tmp/RAk2Oa
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG]     SSL_CERT CRITICAL www.debian.org: No certificate returned
[DBG]     SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
[DBG] number of errors = 2
SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
Error(s):
    SSL_CERT CRITICAL www.debian.org: No certificate returned
    SSL_CERT CRITICAL www.debian.org: SSL error: 139899918447936:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
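The normalization described in the thread (strip the "http://" scheme and any trailing slash, refuse embedded user/pass, keep a bracketed IPv6 literal such as "[::1]:3128" intact, require an explicit port) as an added example. This is not code from check_ssl_cert or from either participant; the function name proxy_to_hostport, the test values and the exact acceptance rules are assumptions made here. The output form, HOST:PORT, is what openssl s_client -proxy and openssl ocsp -host take according to the debug logs above.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code.
# proxy_to_hostport URL
#   Turns an http_proxy/https_proxy style URL into the HOST:PORT form that
#   'openssl s_client -proxy' and 'openssl ocsp -host' accept.
#   Prints the value and returns 0, or prints nothing and returns 1 when the
#   URL is not in the accepted shape (assumed rules: "http://" only, no
#   user:pass@, no path beyond a single trailing "/", explicit numeric port,
#   IPv6 literals must be bracketed).
proxy_to_hostport() {
    _url=$1
    case "$_url" in
        http://*) ;;                      # only plain http proxies are accepted
        *) return 1 ;;                    # https://, socks://, bare host:port ...
    esac
    _hp=${_url#http://}                   # drop the scheme
    _hp=${_hp%/}                          # drop one trailing slash ("host:3128/")
    case "$_hp" in
        ''|*@*|*/*) return 1 ;;           # empty, embedded credentials, or a path
    esac
    _host=${_hp%:*}                       # everything before the last colon
    _port=${_hp##*:}                      # everything after the last colon
    case "$_port" in
        ''|*[!0-9]*) return 1 ;;          # port missing or not purely numeric
    esac
    case "$_host" in
        \[*\]) ;;                         # bracketed IPv6 literal, e.g. [::1]
        ''|*:*|\[*|*\]) return 1 ;;       # empty host, unbracketed IPv6, unbalanced brackets
    esac
    printf '%s\n' "$_hp"
}

# s_client_proxy_opt
#   Emits "-proxy HOST:PORT" from https_proxy (falling back to http_proxy),
#   or nothing when no usable proxy is configured, so it can be spliced into
#   an s_client command line.
s_client_proxy_opt() {
    _p=${https_proxy:-${http_proxy:-}}
    [ -n "$_p" ] || return 0
    _hp=$(proxy_to_hostport "$_p") || return 0
    printf -- '-proxy %s\n' "$_hp"
}

# Demonstration with constructed values (not taken from a real environment).
for _candidate in \
    'http://127.0.0.1:3128/' \
    'http://[::1]:3128' \
    'http://user:pw@127.0.0.1:3128' \
    'https://proxy.example.test:3128' \
    'http://proxy.example.test'; do
    if _out=$(proxy_to_hostport "$_candidate"); then
        printf '%-36s -> -proxy %s\n' "$_candidate" "$_out"
    else
        printf '%-36s -> rejected\n' "$_candidate"
    fi
done
```

The same normalized value can be reused for openssl ocsp -host, which the thread reports takes the identical host:port form; only the option name differs.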

matteocorti commented 3 years ago

I committed another change. Can you please test again? (sorry I don't have a proxy to test)

cbiedl commented 3 years ago

A few more changes were necessary so I figured a pull request based on a working solution will be easier.

Aside, tinyproxy and squid are two solutions for a proxy that should just work in an installation on localhost.

All the best,