matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Recent version broke proxy support #504

Closed eLvErDe closed 4 months ago

eLvErDe commented 4 months ago

Describe the bug

I'm still using a very old version which is working fine with BOTH proxy support (for external OCSP checks) and cipher analysis using NMAP. Recent versions cannot do both.

To Reproduce

Running 2.35.0 with

check_ssl_cert --host 1.2.3.4 --port 443 --warning 60 --critical 30 --all-local --timeout 5 --sni 'name1' --cn 'commnonName' --ignore-sct --proxy http://proxy.domain-com:3128

Returns proper cipher errors:

SSL_CERT CRITICAL name1: 1.2.3.4 offers ciphers with warnings: Key exchange (dh 2048) of lower strength than certificate key

(also confirmed using --debug)

Versions up to 2.36.0 (included) work; 2.37 to 2.41 (included) still perform the check (but report an "HSTS is not supported" error); versions 2.42 to 2.72.0 (included) silently discard NMAP checks, while 2.73.0 and newer explicitly warn that cipher checks are disabled.

Expected behavior

Not losing a feature that worked in older versions :-P

System (please complete the following information):

Not relevant

eLvErDe commented 4 months ago

Btw, I'd be happy to sponsor both this ticket and 505 if you are interested.

matteocorti commented 4 months ago

This is because nmap doesn't work properly behind a proxy: https://security.stackexchange.com/questions/120708/nmap-through-proxy

There were several problems and I decided to disable it.

I could add an option to try anyway ...

matteocorti commented 4 months ago

I added an option --nmap-with-proxy to force the use of nmap when a proxy is configured. You can also specify it in the property file to have it as a default.

matteocorti commented 4 months ago

I just published a new version with an additional option to force the old behavior. Would this be an option for you?