--- /dev/null
+From 596c02d6b9c65fe81e42668f133bb73308f9cecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= <arekm@maven.pl>
+Date: Tue, 31 Mar 2020 10:05:37 +0200
+Subject: [PATCH] Timeout for OCSP calls and option to ignore timeouts
+
+Call all openssl oscp commands with timeout.
+
+Add option --ignore-ocsp-timeout which will do OCSP check but
+do not fail if timeout occurs during such checks.
+---
+ check_ssl_cert | 50 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/check_ssl_cert b/check_ssl_cert
+index 8dd5f07..59e1903 100755
+--- a/check_ssl_cert
++++ b/check_ssl_cert
+@@ -93,6 +93,7 @@ usage() {
+ echo " related checks"
+ echo " --ignore-exp ignore expiration date"
+ echo " --ignore-ocsp do not check revocation with OCSP"
++ echo " --ignore-ocsp-timeout ignore OCSP result when timeout occurs while checking"
+ echo " --ignore-sig-alg do not check if the certificate was signed with SHA1"
+ echo " or MD5"
+ echo " --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)"
+@@ -898,6 +899,7 @@ main() {
+ REQUIRE_SAN=""
+ REQUIRE_OCSP_STAPLING=""
+ OCSP="1" # enabled by default
++ OCSP_IGNORE_TIMEOUT=""
+ FORMAT=""
+ HTTP_METHOD="HEAD"
+ RSA=""
+@@ -1061,6 +1063,10 @@ main() {
+ OCSP=""
+ shift
+ ;;
++ --ignore-ocsp-timeout)
++ OCSP_IGNORE_TIMEOUT=1
++ shift
++ ;;
+ --terse)
+ TERSE=1
+ shift
+@@ -2877,19 +2883,19 @@ main() {
+ if "${OPENSSL}" version | grep -q '^LibreSSL' || [ "$( ${OPENSSL} version | sed -e 's/OpenSSL \([0-9]\).*/\1/g' )" -gt 0 ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp supports the -header option"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} supports the -header option"
+ fi
+
+ # the -header option was first accepting key and value separated by space. The newer versions are using key=value
+ KEYVALUE=""
+- if ${OPENSSL} ocsp -help 2>&1 | grep header | grep -q 'key=value' ; then
++ if ${OPENSSL} ocsp -timeout ${TIMEOUT} -help 2>&1 | grep header | grep -q 'key=value' ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp -header requires 'key=value'"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} -header requires 'key=value'"
+ fi
+ KEYVALUE=1
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] ${OPENSSL} ocsp -header requires 'key value'"
++ echo "[DBG] ${OPENSSL} ocsp -timeout ${TIMEOUT} -header requires 'key value'"
+ fi
+ fi
+
+@@ -2903,28 +2909,28 @@ main() {
+
+ if [ -n "${KEYVALUE}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST=${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST="${OCSP_HOST}" 2>&1 )"
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -host ${HTTP_PROXY#*://} -path ${OCSP_URI} -header HOST ${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ else
+
+ if [ -n "${KEYVALUE}" ] ; then
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST=${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header "HOST=${OCSP_HOST}" 2>&1 )"
+ else
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer ${ISSUER_CERT} -cert ${CERT} -url ${OCSP_URI} ${OCSP_HEADER} -header HOST ${OCSP_HOST}"
+ fi
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" -header HOST "${OCSP_HOST}" 2>&1 )"
+ fi
+
+ fi
+@@ -2933,7 +2939,13 @@ main() {
+ echo "${OCSP_RESP}" | sed 's/^/[DBG] OCSP: response = /'
+ fi
+
+- if echo "${OCSP_RESP}" | grep -qi "revoked" ; then
++ if [ -n "${OCSP_IGNORE_TIMEOUT}" ] && echo "${OCSP_RESP}" | grep -qi "timeout on connect" ; then
++
++ if [ -n "${DEBUG}" ] ; then
++ echo '[DBG] OCSP: Timeout on connect'
++ fi
++
++ elif echo "${OCSP_RESP}" | grep -qi "revoked" ; then
+
+ if [ -n "${DEBUG}" ] ; then
+ echo '[DBG] OCSP: revoked'
+@@ -2950,25 +2962,25 @@ main() {
+ if [ -n "${HTTP_PROXY:-}" ] ; then
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}]\" -host \"${HTTP_PROXY#*://}\" -path \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -host "${HTTP_PROXY#*://}" -path "${OCSP_URI}" 2>&1 )"
+ fi
+
+ else
+
+ if [ -n "${DEBUG}" ] ; then
+- echo "[DBG] executing ${OPENSSL} ocsp -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
++ echo "[DBG] executing ${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer \"${ISSUER_CERT}\" -cert \"${CERT}\" -url \"${OCSP_URI}\" \"${OCSP_HEADER}\" 2>&1"
+ fi
+
+ if [ -n "${OCSP_HEADER}" ] ; then
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" "${OCSP_HEADER}" 2>&1 )"
+ else
+- OCSP_RESP="$(${OPENSSL} ocsp -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
++ OCSP_RESP="$(${OPENSSL} ocsp -timeout ${TIMEOUT} -no_nonce -issuer "${ISSUER_CERT}" -cert "${CERT}" -url "${OCSP_URI}" 2>&1 )"
+ fi
+
+ fi
projects / packages / nagios-plugin-check_ssl_cert.git / commitdiff