# HG changeset patch
# User pesch
# Date 1466099578 -7200
# Node ID 3190e55f104ba50ed0d9654d7063ec899f820666
# Parent e97dd97b582c278ba79dd3e92a6aecfac1cbf010
fixed check if no TLSA is available + testfails
diff -r e97dd97b582c -r 3190e55f104b lib/Nagios/Check/DNS/check_tlsa_record.pm
--- a/lib/Nagios/Check/DNS/check_tlsa_record.pm	Wed Jun 08 22:32:36 2016 +0200
+++ b/lib/Nagios/Check/DNS/check_tlsa_record.pm	Thu Jun 16 19:52:58 2016 +0200
@@ -55,13 +55,10 @@
     for ( my $i = 0; $i < $return_length; $i++) {
-        if ($dns_return[$i] eq '') {
-            $dns_return[$i] = "No TLSA Record for $domain:$port";
-        }
-        if ($dns_return[$i] =~ /^[_a-z]+[a-z0-9]+/i) {
-            $dns_return[$i] = "CNAME: $dns_return[$i]";
-            #$dns_return[$i] = $dns_return[$i++];
+            #$dns_return[$i] = "CNAME: $dns_return[$i]";
+            #$dns_return[$i-1] = $dns_return[$i];
+            $dns_return[$i] = $dns_return[$i+1];
         }
     }
@@ -85,6 +82,10 @@
     $query = "$query $same";
     $cert = qx($query);
+
+    if ($cert =~ /.*unable.*/gi) {
+        $cert = 'unable NO'; ## @TODO google.de returns unable to write..
+    }
     return $cert;
 }
@@ -209,17 +210,11 @@
 }
-# @TODO
-# bad-hash.dane.verisignlabs.com -> The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC
-# bad-params.dane.verisignlabs.com -> The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
-# bad-sig.dane.verisignlabs.com -> The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
-# source: http://dane.verisignlabs.com/
 sub validate_tlsa {
     my $domain = shift;
     my $port = shift;
     my $protocol = shift;
-    my $cert = get_cert($domain, $port);
     my @dns_return = get_tlsa_from_dns($domain, $port, $protocol);
     my $length = @dns_return;
     my $fail_selector = 0;
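Review bot: The new loop body `$dns_return[$i] = $dns_return[$i+1];` runs for every index, so on the final iteration it reads `$dns_return[$return_length]`, one past the end, and the last record is always overwritten with undef — a single-record answer becomes `(undef)` rather than an empty list, and the array's length (which the caller tests) does not change. If the intent is to drop the CNAME line that precedes the TLSA rdata, as the removed `/^[_a-z]+[a-z0-9]+/i` test suggests, filter instead of shifting: `@dns_return = grep { defined $_ && length $_ && !/^[_a-z]/i } @dns_return;` and recompute `$return_length` from the result. As rendered here, removing the `if (…) {` line while keeping both closing braces also leaves the block unbalanced, unless a context line was lost in rendering. For a DANE check this matters because a silently dropped record can turn a published-vs-presented mismatch into a non-finding; the enclosing subroutine (presumably get_tlsa_from_dns, given the call in validate_tlsa) starts before the hunk.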
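Review bot: The sentinel written here, `'unable NO'`, does not match what validate_tlsa tests on the returned value, `/.*unable to load certificate.*/` (a later hunk of this same commit), so a failure rewritten here no longer yields `WARNING: No SSL-Certificate` and instead flows into the TLSA comparison as though it were certificate data. The match is also far too broad: `unable` anywhere in the captured output — a subject or issuer field of a real certificate, or the benign openssl `unable to write 'random state'` stderr noise the @TODO alludes to, if stderr is merged into the capture — discards the whole certificate, and the `/g` modifier does nothing in this boolean use. Either leave `$cert` untouched and let the caller match the specific error, or strip only the noise line: `$cert =~ s/^unable to write 'random state'\n//mg;`. Separately, `$cert = qx($query)` executes a shell command assembled by interpolating `$domain`/`$port`; unless those are validated against an anchored pattern before `$query` is built (above the hunk), a hostname argument containing shell metacharacters is command injection, and list-form `open(my $fh, '-|', @cmd)` would avoid the shell entirely. get_cert's signature and the construction of `$query` are outside the hunk.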
@@ -231,7 +226,12 @@
     my @tlsa_match_type;
     my @return;
     my @cname;
-    #my $cert_tlsa;
+
+    if ($length == 0) {
+        return 'WARNING: No TLSA to check';
+    }
+
+    my $cert = get_cert($domain, $port);
     if ($cert =~ /.*unable to load certificate.*/) {
         return "WARNING: No SSL-Certificate for $domain:$port";
diff -r e97dd97b582c -r 3190e55f104b t/check_tlsa_record.t
--- a/t/check_tlsa_record.t	Wed Jun 08 22:32:36 2016 +0200
+++ b/t/check_tlsa_record.t	Thu Jun 16 19:52:58 2016 +0200
@@ -3,6 +3,11 @@
 use strict;
 use warnings;
 use Test::More qw(no_plan);
+# @TODO write tests for
+# bad-hash.dane.verisignlabs.com -> The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC
+# bad-params.dane.verisignlabs.com -> The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
+# bad-sig.dane.verisignlabs.com -> The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
+# source: http://dane.verisignlabs.com/
 BEGIN { use_ok('Nagios::Check::DNS::check_tlsa_record') };
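Review bot: The new guard `if ($length == 0)` only fires when get_tlsa_from_dns returns an empty list, but the loop changed in this commit's first hunk shifts each element onto its predecessor and leaves the last slot undef, so a lookup with a single record arrives here as `(undef)` with `$length == 1`, passes the guard, and reaches the comparison with an undefined "record". Count only usable records instead: `return 'WARNING: No TLSA to check' unless grep { defined $_ && length $_ } @dns_return;`. The certificate check two lines below, `/.*unable to load certificate.*/`, also does not match the `'unable NO'` string get_cert now substitutes, so that path no longer produces the `WARNING: No SSL-Certificate` result. From a DANE standpoint, downgrading an absent TLSA set to WARNING is only sound if the DNS answer was DNSSEC-validated; nothing in this hunk shows the AD flag being checked, which the relocated bad-sig TODO acknowledges. validate_tlsa continues past the end of the hunk.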
@@ -28,8 +33,8 @@
     my $test_main_domain_port_protocol = Nagios::Check::DNS::check_tlsa_record::main(($domain3, 443, 'tcp'));
     like($test_main_domain_port_protocol, qr(OK: .* is valid), 'main() ok with domain, port and protocol');
-    my $test_main_no_tlsa = Nagios::Check::DNS::check_tlsa_record::main(('google.com'));
-    like($test_main_no_tlsa, qr(WARNING: .*), 'main() warning when no SSL-Certificate or no TLSA-Record/DANE is available');
+    my $test_main_no_tlsa = Nagios::Check::DNS::check_tlsa_record::main(('google.com'));
+    like($test_main_no_tlsa, qr(WARNING: .*), 'main() warning when no SSL-Certificate or no TLSA-Record/DANE is available');
     my $test_main_default_port2 = Nagios::Check::DNS::check_tlsa_record::main(($domain4));
     like($test_main_default_port2, qr(CRITICAL: .* valid), 'main() critical when DANE not valid.');