2019-02-08 Version 1.82.0: Added a check on the readability of the certificate file
2019-02-01 Version 1.81.0: Added an option to specify a warning level with SSL Labs
2019-01-16 Version 1.80.1: Fixed a problem on systems not supporting echo -e
2018-12-24 Version 1.80.0: Better output in case of errors while using SNI
2018-12-10 Version 1.79.0: Differentiate between IMAP on port 143 and IMAPS on port 993
Fixed a vulnerability in the parsing of the certificate issuer
2018-11-07 Version 1.78.0: Bug fixes in IMAP and HTTP requests
2018-11-05 Version 1.77.0: CA file and directory support
2018-10-19 Version 1.76.0: Sends a correct HTTP request
2018-10-18 Version 1.75.0: Allows specifying a client certificate key
2018-10-15 Version 1.74.0: Fixed a bug generating a confusing error message on timeout
2018-09-10 Version 1.73.0: Fixed a bug in the cleanup of temporary files, fixed a bug with certificates without OCSP
Fixed tests with more reliable hosts
Allows checking against all the issuers in the CA chain
Fixed a bug with --long-output on Linux
Fixed the validation of --critical and --warning
2018-07-01 Version 1.72.0: Corrected a bug introduced in 1.71.0: remove temporary files
2018-07-01 Version 1.71.0: Corrected a bug introduced in 1.70.0: wrong exit codes
2018-06-28 Version 1.70.0: Improved the management of temporary files
2018-06-25 Version 1.69.0: Added an option to require OCSP stapling
2018-04-29 Version 1.68.0: Removed the SNI name check
2018-04-17 Version 1.67.0: Terse output, warning if the specified server name is not found in the certificate and --format option
2018-04-06 Version 1.66.0: UTF-8 output
2018-03-29 Version 1.65.0: Bug fix release
2018-03-28 Version 1.64.0: Remove cURL dependency
2018-03-17 Version 1.63.0: Support for TLS 1.3
2018-03-06 Version 1.62.0: Support for LibreSSL
2018-01-19 Version 1.61.0: Fixed a bug handling more than one OCSP host
2017-12-15 Version 1.60.0: Fixed a bug related to XMPP introduced in the last version
2017-12-14 Version 1.59.0: Added an option to specify the 'to' attribute of the XMPP stream element
2017-11-29 Version 1.58.0: Support for DER encoded CRL files
2017-11-28 Version 1.57.0: Added --fingerprint to check the SHA1 fingerprint of the certificate
2017-11-17 Version 1.56.0: Added support for -xmpphost if available
2017-11-16 Version 1.55.0: Fixed XMPP support and IPv6 addresses as host
2017-09-19 Version 1.54.0: With the -f command line option, you can also specify a certificate revocation list (CRL)
2017-09-10 Version 1.53.0: The timeout is applied to OCSP checks
2017-09-09 Version 1.52.0: The SAN requirement check is now optional
2017-07-28 Version 1.51.0: Use openssl s_client's -help option to test for SNI support
2017-07-24 Version 1.50.0: Fix in the Common Name parsing
2017-07-17 Version 1.49.0: Support for OpenSSL 1.1
2017-06-22 Version 1.48.0: Checks for missing subjectAlternativeName extension (https://support.google.com/chrome/a/answer/7391219?hl=en)
2017-06-15 Version 1.47.0: Fixed an issue with OCSP URI with protocols other than HTTP or HTTPS
2017-05-15 Version 1.46.0: Fixed a problem with the detection of OCSP URLs
2017-05-02 Version 1.45.0: Fixed bugs in the date computation and OCSP checks
2017-04-28 Version 1.44.0: Fixed a bug occurring when more than one issuer URI is present
2017-03-07 Version 1.43.0: Support for LDAP
2017-02-16 Version 1.42.0: Support for OpenSSL > 1.1.0
2017-02-10 Version 1.41.0: Added --sni to specify the server name
2017-02-08 Version 1.40.0: Changed the CN output when --altnames is used
2017-02-02 Version 1.39.0: Fixed a bug related to SNI
2017-02-02 Version 1.38.2: Fixed a bug in the command line argument parsing
2017-01-29 Version 1.38.1: Small corrections in the documentation
2017-01-28 Version 1.38.0: Added support for wildcards in alternative names and caching of the issuer certificate
2016-12-23 Version 1.37.0: Added a patch to specify multiple CNs
2016-12-13 Version 1.36.2: fixed a minor problem with --debug
2016-12-06 Version 1.36.1: fixed a problem when specifying a CN beginning with *
2016-12-04 Version 1.36.0: fixed problem when file is returning PEM certificate on newer
Linux distributions
added an option to specify the location of the file utility
2016-10-18 Version 1.35.0: added support for the selection of the cipher authentication
2016-09-19 Version 1.34.0: added proxy support for the OCSP checks (thanks to Leynos)
2016-08-04 Version 1.33.0: disabling OCSP checks when no issuer URI is found
2016-07-29 Version 1.32.0: added support for date with timestamp calculation and
fixed case sensitive comparison of CN
2016-07-12 Version 1.31.0 Fixed the parsing of the CN field
2016-06-30 Version 1.30.0 OCSP check is fixed and enabled by default
2016-06-15 Version 1.29.0 New option to clear the cached value at SSL Labs
IRC support
2016-06-01 Version 1.28.0 Increased control over which SSL/TLS versions to use
2016-03-29 Version 1.27.0 Fixes a bug in the OpenSSL error parsing
2016-03-29 Version 1.26.0 Fixes a bug in wildcard match
2016-03-21 Version 1.25.0 Fixes a bug on CN parsing on non-GNU systems
Handle wildcard certificates
2016-03-09 Version 1.24.0 Waits for SSL Labs Results
2016-03-07 Version 1.23.0 Supports SNI even when not checking CN and does not
issue a critical when SSL Labs is still checking a host
2016-03-03 Version 1.22.0 Initial support for SSL Labs checks
Support for UTF output (thanks to Konstantin Shalygin)
2016-03-01 Version 1.21.0 Fixed a bug which prevented the check on the expiration date
2016-02-26 Version 1.20.0 Added debugging output (-d or --debug)
Improved the handling of OpenSSL error messages
Does not stop the validation if the server requires a
client certificate
2016-02-25 Version 1.19.0 Added a check for certificates signed with SHA-1 or MD5
Added an option to disable the expiration date check
2015-10-31 Version 1.18.0 Added an option to check the certificate's serial number
(thanks to Milan Koudelka)
2015-10-20 Version 1.17.2 Fixed a bug with OCSP
2015-04-07 Version 1.17.1 Fixed the check on the openssl binary
2014-10-21 Version 1.17.0 Added an option to check revocation via OCSP
2014-06-06 Version 1.16.2 Fixed a problem with -servername when -n was not specified
2014-02-28 Version 1.16.1 Added a Make target for the RPM package
2013-12-23 Version 1.16.0 Added an option to force TLS version 1
2013-07-29 Version 1.15.0 Added an option to force a certain SSL version (thanks
to Max Winterstein)
2013-05-12 Version 1.14.6 Added XMPP and timeout support (thanks to Christian
Ruppert and Robin H. Johnson)
2013-03-02 Version 1.14.5 Fixed a bug occurring with TLS and multiple names in
the certificate
2012-12-07 Version 1.14.4 Fixed a bug causing -N to always compare the CN
with 'localhost'
2012-09-19 Version 1.14.3 Improved the error message in case of a failure in
the certificate download
2012-07-13 Version 1.14.2 Added the name since or to expiration in the plugin
output.
2012-07-11 Version 1.14.1 Fixed a bug with Perl date computation on some systems
2012-07-06 Version 1.14.0 The status now includes performance data in days until
expiration (requires perl with Date::Parse).
It is now possible to print additional information in
the plugins long output (multiline, Nagios 3 only)
2012-04-05 Version 1.13.0 The plugin will now try to fetch the certificate
without TLS extensions in case of error
2012-04-04 Version 1.12.0 Fixed a bug in the chain verification (hard coded
error number)
2011-10-22 Version 1.11.0 --altname option
2011-09-01 Version 1.10.0 Applied a patch from Sven Nierlein to authenticate
using a client certificate
2011-03-10 Version 1.9.1 Allows HTTP as protocol and fixes -N with wildcards
2011-01-24 Version 1.9.0 Added an option to specify the openssl executable
2010-12-16 Version 1.8.1 Fixed bugs with environment bleeding & shell globbing
2010-12-08 Version 1.8.0 Added support for TLS servername extension in
ClientHello
2010-10-28 Version 1.7.7 Fixed a bug in the signal specification introduced
in 1.7.6
2010-10-28 Version 1.7.6 Better temporary file clean up (thanks to Lawren
Quigley-Jones)
2010-10-14 Version 1.7.5 Applied a patch from Yannick Gravel fixing the test
order
2010-10-01 Version 1.7.4 Applied a patch from Lawren Quigley-Jones adding the
-A option
2010-09-15 Version 1.7.3 Fixed a bug in the option processing
2010-08-26 Version 1.7.2 Removes useless use of cat, better test for expect
utility
2010-08-26 Version 1.7.1 Replaces "-verify 6" which was erroneously removed in
the previous version
2010-08-26 Version 1.7.0 Overloaded --rootcert option to allow -CApath as well
as -CAfile
2010-07-21 Version 1.6.1 Added an option to specify where to temporarily
store the certificate
2010-07-09 Version 1.6.0 Added long command line options and substituted
-days with --critical and --warning
2010-07-07 Version 1.5.2 Added the -f option to check a local file
2010-07-01 Version 1.5.1 Fixed the plugin output
2010-03-11 Version 1.4.4 Fixed bug #64 (== bashism)
2010-03-09 Version 1.4.3 -N and -n options to compare the CN to a hostname
2009-12-02 Version 1.4.2 the -i ISSUER option now checks if the O= or the
CN= fields of the root certificate match
2009-11-30 Version 1.4.1 -r to specify the root cert to be used for
verification
2009-11-30 Version 1.4.0 certificate chain verification
2009-03-30 Version 1.3.0 -P option to check TLS certificates
(SMTP, FTP, POP3, ...)
2008-05-13 Version 1.2.2 include the CN in the messages (D. Wallis)
2008-02-25 Version 1.2.1 better error handling
2008-02-25 Version 1.2.0 general cleanup (POSIX compliance, removed
nmap dependency, ...) from Dan Wallis
2007-08-31 Version 1.1.0 - option to enforce a given email address
- option to enforce a given organization
- temporary files cleanup upon exit
2007-08-15 Bug fix: openssl did not close the connection cleanly
2007-08-10 First release (1.0)