diff --git a/mdmcertcheck/mdmcertcheck.sh b/mdmcertcheck/mdmcertcheck.sh
index 4d17713..8e90b2f 100644
--- a/mdmcertcheck/mdmcertcheck.sh
+++ b/mdmcertcheck/mdmcertcheck.sh
@@ -4,15 +4,46 @@ export LC_ALL=""
 export LANG="en_US.UTF-8"
-VERSION="0.1"
+VERSION="0.3"
 CERTLIST="certlist.cfg"
+CTIMEOUT="1"
+
+error(){
+ echo "-1"
+ exit 1
+}
 JSON=""
 ##### PARAMETERS#####
 METRIC="$1"
 ITEM="$2"
+CERT_DOMAIN=""
+CERT_IP=""
+CERT_PORT=""
+CERT_BODY=""
+
+parse_item(){
+ TITEM=$1
+ #parse item
+ #check empty item
+ if [ -z "$TITEM" ]
+ then
+ error
+ fi
+ CERT_DOMAIN=`echo $ITEM | awk -F"|" '{print $1}'`
+ CERT_IP=`echo $ITEM | awk -F"|" '{print $2}'`
+ CERT_PORT=`echo $ITEM | awk -F"|" '{print $3}'`
+}
+
+get_cert(){
+ if ! CERT_BODY=$( echo | timeout "$CTIMEOUT" openssl s_client -servername "$CERT_DOMAIN" -verify_hostname "$CERT_DOMAIN" -connect "$CERT_IP":"$CERT_PORT" 2>/dev/null )
+ then
+ error
+ fi
+}
+
 case "$METRIC" in
 discovery)
 #records from the config file
@@ -31,6 +62,33 @@ discovery)
 exit 0
 ;;
+isexist)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # if get_cert has not en error then all is ok.
+ echo 1
+;;
+
+valid)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
+ RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:' | sed -n 1p | sed 's/^ *//' | tr -s ' ' | cut -d' ' -f4 )
+ if [ "$RET" -eq "0" ]; then echo "1"; else echo "0"; fi
+
+;;
+
+valid_status)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
+ RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:')
+ echo $RET;
+;;
+
 script.version)
 echo $VERSION
 ;;
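Review bot: parse_item copies its argument into TITEM but the three backtick lines split the global `$ITEM` instead, so the parameter only feeds the empty check and the function silently depends on the script's positional argument; the callers in the next hunk also pass `$ITEM` unquoted, so an item containing spaces or glob characters is word-split before it is checked. The minimal fix is to use the quoted argument in all three lines, `CERT_DOMAIN=$(echo "$TITEM" | awk -F'|' '{print $1}')` and likewise for CERT_IP and CERT_PORT, with callers changed to `parse_item "$ITEM"`. Nothing validates the port before it reaches openssl: an empty or non-numeric third field just becomes a connection failure reported as -1, indistinguishable from a real outage, so a guard such as `case "$CERT_PORT" in ''|*[!0-9]*) error ;; esac` after the split would keep bad-input and unreachable-host cases apart. As far as I know `-verify_hostname` is only accepted by OpenSSL 1.1.0 and later, and because get_cert discards stderr an older openssl would make every item report -1 with no hint why; a comment on the get_cert line such as `# requires OpenSSL >= 1.1.0 (-verify_hostname); stderr is dropped, so a missing option also shows up as -1` would save the next maintainer a debugging session.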
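Review bot: In valid_status the comment says only the first `Verify return code:` line is wanted, but unlike the valid arm the pipeline has no `sed -n 1p`, and the unquoted `echo $RET` then joins every matching line into one space-separated string (and would expand any glob characters in it), so on newer OpenSSL the status text can come out doubled; `RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:' | sed -n 1p )` followed by `printf '%s\n' "$RET"` gives the single line the comment promises. In the valid arm, if openssl exits 0 but prints no verify line (unexpected output format, for instance), RET is empty and `[ "" -eq "0" ]` writes a shell error to stderr before falling into the else branch, which is noisy for an agent item; a guard like `[ -n "$RET" ] || error` before the comparison keeps the -1/0/1 contract explicit. All three new arms call `parse_item $ITEM` unquoted and should use `parse_item "$ITEM"`. The case statement these arms belong to starts in the previous hunk and ends outside this one.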
@@ -38,8 +96,11 @@ script.version)
 help)
 echo "please use these params {
-discovery
-script.version
+discovery - discovery items from config file
+isexist - the script has access to server with cert
+valid - the cert is valid (1|0)
+valid_status - the cert status in full text
+script.version - current version of this script
 }"
 ;;
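Review bot: The help text names the new metrics but not the item format they expect; parse_item splits the second argument on `|` into domain, ip and port, and nothing user-facing says so. One more line in the here-string would close that gap, e.g. `item format for isexist/valid/valid_status: domain|ip|port`. The help arm's enclosing case statement starts outside this hunk.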