matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Add the proxy options during the renegotiation checks #367

Closed peternewman closed 2 years ago

peternewman commented 2 years ago

I'm unclear if SERVERNAME is actually required or not, but I figured it might be...

Also FWIW I get the following:

```sh
printf 'R
' | /usr/bin/openssl s_client  -crlf -connect www.github.com:443 -servername www.github.com -proxy proxy.example.com:80 2>&1 | grep -F err
140385676227904:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2133:

/usr/bin/timeout 120 /bin/sh -c "printf 'R
' | /usr/bin/openssl s_client  -crlf -connect www.github.com:443 -servername www.github.com -proxy proxy.example.com:80 2>&1 | grep -F -q err"; echo $?
0

/usr/bin/timeout 120 /bin/sh -c "printf 'R
' | /usr/bin/openssl s_client  -crlf -connect www.github.com:443 -servername www.github.com -proxy proxy.example.com:80 2>&1 | grep -F -q errINVALID"; echo $?
1
```

I'm a bit unclear if that line should actually be matching the grep and counting as success rather than failure? Or maybe it's my proxy causing that issue anyway...

Run as:

```sh
./check_ssl_cert -H www.github.com --proxy proxy.example.com:80
SSL_CERT OK - www.github.com:443, https, x509 certificate 'github.com' (www.github.com) from 'DigiCert Inc' valid until Mar 15 23:59:59 2023 GMT (expires in 361 days)|days_chain_elem1=361;20;15;; days_chain_elem2=3312;20;15;;
```

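
As an added example, not code from the check_ssl_cert project or from the commenter: a small POSIX shell script that builds the s_client invocation for the renegotiation probe with the `-proxy` option threaded through, and classifies constructed s_client outputs, one of them modelled on the "wrong ssl version" line quoted above. The classification rule, the sample outputs and the function names are this example's own assumptions, not the plugin's logic.

```sh
#!/bin/sh
# Added example, not part of check_ssl_cert. Assumed: openssl s_client's
# -connect/-servername/-proxy options; the sample outputs below are constructed.

# build_sclient_cmd HOST PORT [PROXY]
# Prints the s_client command for the renegotiation probe. -proxy is appended
# only when a proxy is given, so one builder serves the direct and proxied case.
build_sclient_cmd() {
    cmd="openssl s_client -crlf -connect $1:$2 -servername $1"
    if [ -n "$3" ]; then
        cmd="$cmd -proxy $3"
    fi
    printf '%s\n' "$cmd"
}

# run_reneg_probe HOST PORT [PROXY]
# Sends 'R' on stdin, which makes s_client request a renegotiation, and
# returns the merged stdout/stderr. Needs network access; not run offline.
run_reneg_probe() {
    printf 'R\n' | eval "$(build_sclient_cmd "$@") 2>&1"
}

# classify_reneg OUTPUT
# Prints refused | accepted | unknown. "refused" covers both a library-side
# refusal (TLS 1.3 has no renegotiation, so OpenSSL reports "wrong ssl version"
# before anything reaches the server) and a server-side no_renegotiation alert.
classify_reneg() {
    if printf '%s\n' "$1" | grep -E -q 'error:.*SSL_renegotiate|no renegotiation|alert number 100'; then
        echo refused
    elif printf '%s\n' "$1" | grep -q '^RENEGOTIATING' && ! printf '%s\n' "$1" | grep -q 'error:'; then
        echo accepted
    else
        echo unknown
    fi
}

# Constructed sample outputs (not captured from real servers).
SAMPLE_TLS13='CONNECTED(00000003)
RENEGOTIATING
140385676227904:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2133:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
RENEGOTIATING
depth=0 CN = example.test
verify return:1'
SAMPLE_NOREPLY='CONNECTED(00000003)'

for s in "$SAMPLE_TLS13" "$SAMPLE_ACCEPTED" "$SAMPLE_NOREPLY"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | tail -n 1 | cut -c1-40)" "$(classify_reneg "$s")"
done
build_sclient_cmd www.github.com 443 proxy.example.com:80
```

A plain `grep -F -q err` over the probe output, as in the commands above, exits 0 for the TLS 1.3 sample because OpenSSL itself refuses to renegotiate; that match says nothing about the server, which is why the example separates the refusal cases from "accepted" (a RENEGOTIATING line followed by a fresh handshake and no error).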
matteocorti commented 2 years ago

Thanks, I completely forgot. There might be other places where I did not specify the proxy (I cannot easily test)

peternewman commented 2 years ago

> Thanks, I completely forgot. There might be other places where I did not specify the proxy

A low tech grep finds one other possible place:

```sh
grep -n -i "s_client " check_ssl_cert | grep -i host | grep -vi sclient_proxy
2146:            exec_with_timeout "echo 'Q' | ${OPENSSL} s_client ${INETPROTO} ${CLIENT} ${CLIENTPASS} -starttls ${PROTOCOL} -showcerts -connect ${HOST_ADDR}:${XMPPPORT} ${XMPPHOST} -verify 6 ${ROOT_CA} ${SSL_VERSION} ${SSL_VERSION_DISABLED} ${SSL_AU} ${STATUS} ${DANE} ${RENEGOTIATION} 2> ${ERROR} 1> ${CERT}"
4071:    # Check if openssl s_client supports the -xmpphost option
4073:    if ${OPENSSL} s_client -help 2>&1 | grep -F -q -- -xmpphost; then
```

Should/can xmpp go through a proxy?

Likewise:

```sh
grep -n -i "curl" check_ssl_cert | egrep -i "host|file|location" | grep -vi proxy
3564:            debuglog "curl binary needed. SSL Labs = ${SSL_LAB_CRIT_ASSESSMENT}, OCSP = ${OCSP}, CURL = ${CRL}, IGNORE_CONNECTION_STATE=${IGNORE_CONNECTION_STATE}, FILE_URI=${FILE_URI}"
4272:        debuglog "Executing: ${CURL_BIN} --silent --connect-timeout ${TIMEOUT} ${HOST}:${PORT}"
4274:        "${CURL_BIN}" --silent --connect-timeout "${TIMEOUT}" "${HOST}":"${PORT}" >/dev/null
```

It looks like that curl connection test should probably have one?

> (I cannot easily test)

It shouldn't be too hard to spin up a proxy, but I guess you've got to block your direct access too. I wonder if we could do it as part of the GitHub action tests somehow...

matteocorti commented 2 years ago

It's not difficult to install a proxy but I would need a network where a proxy is needed and where without a proxy the connections fail. Otherwise I will miss the problems.

matteocorti commented 2 years ago

xmpp should work with a proxy ...