fixed check if no TLSA is available + testfails
authorpesch
Thu, 16 Jun 2016 19:52:58 +0200
changeset 26 3190e55f104b
parent 25 e97dd97b582c
child 27 32c8d3292079
fixed check if no TLSA is available + testfails
lib/Nagios/Check/DNS/check_tlsa_record.pm
t/check_tlsa_record.t
--- a/lib/Nagios/Check/DNS/check_tlsa_record.pm	Wed Jun 08 22:32:36 2016 +0200
+++ b/lib/Nagios/Check/DNS/check_tlsa_record.pm	Thu Jun 16 19:52:58 2016 +0200
@@ -55,13 +55,10 @@
     for ( my $i = 0; $i < $return_length; $i++)
     {
 
-      if ($dns_return[$i] eq '') {
-        $dns_return[$i] = "No TLSA Record for $domain:$port";
-      }
-
       if ($dns_return[$i] =~ /^[_a-z]+[a-z0-9]+/i) {
-        $dns_return[$i] = "CNAME: $dns_return[$i]";
-        #$dns_return[$i] = $dns_return[$i++];
+        #$dns_return[$i] = "CNAME: $dns_return[$i]";
+        #$dns_return[$i-1] = $dns_return[$i];
+        $dns_return[$i] = $dns_return[$i+1];
       }
     }
     
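Review bot: When `$i` is the last index, `$dns_return[$i+1]` on the added line reads past the end of the array, so `$dns_return[$i]` becomes undef and any later match against that element warns on an uninitialized value; the copied record is also left duplicated at `$i+1`. A bounds check keeps the shift safe, e.g. `$dns_return[$i] = $i + 1 < $return_length ? $dns_return[$i+1] : '';`, and the loop should then skip the duplicated slot. The two commented-out assignments kept above it are dead code and should be removed rather than left for the next reader to puzzle over. The enclosing loop and its sub start and end outside the hunk.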
@@ -85,6 +82,10 @@
     $query = "$query $same";
 
     $cert = qx($query);
+
+    if ($cert =~ /.*unable.*/gi) {
+      $cert = 'unable NO'; ## @TODO google.de returns unable to write..
+    }
     return $cert;
 }
 
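Review bot: The sentinel `'unable NO'` assigned on the new line can never satisfy the caller's test `/.*unable to load certificate.*/` (visible in the validate_tlsa hunk below), so after this change a missing certificate no longer reaches the `WARNING: No SSL-Certificate` return unless some other check for that sentinel exists outside these hunks. Either leave the original `$cert` text in place or make validate_tlsa test for the sentinel instead. The `/g` modifier on a scalar-context match inside `if` is unnecessary and leaves pos() set on `$cert`; `if ($cert =~ /unable/i)` expresses the same condition. Since `$query` is interpolated into `qx()` and therefore passes through a shell, `$domain` and `$port` should be validated against an anchored pattern before the command is built; get_cert starts outside the hunk.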
@@ -209,17 +210,11 @@
 
 }
 
-# @TODO
-# bad-hash.dane.verisignlabs.com -> The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC
-# bad-params.dane.verisignlabs.com -> The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
-# bad-sig.dane.verisignlabs.com -> The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
-# source: http://dane.verisignlabs.com/
 
 sub validate_tlsa {
     my $domain     = shift;
     my $port       = shift;
     my $protocol   = shift;
-    my $cert       = get_cert($domain, $port);
     my @dns_return = get_tlsa_from_dns($domain, $port, $protocol);
     my $length     = @dns_return;
     my $fail_selector   = 0;
@@ -231,7 +226,12 @@
     my @tlsa_match_type;
     my @return;
     my @cname;
-    #my $cert_tlsa;
+
+    if ($length == 0) {
+      return 'WARNING: No TLSA to check';
+    }
+
+    my $cert       = get_cert($domain, $port);
 
     if ($cert =~ /.*unable to load certificate.*/) {
         return "WARNING: No SSL-Certificate for $domain:$port";
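Review bot: The new empty-list guard returns `'WARNING: No TLSA to check'` without the `$domain:$port` that the neighbouring `WARNING: No SSL-Certificate for $domain:$port` message carries, so the plugin output cannot tell which host had no record; `return "WARNING: No TLSA record for $domain:$port";` keeps the two messages consistent and still matches the test's `qr(WARNING: .*)`. The guard only fires for `$length == 0`; if get_tlsa_from_dns can return a single empty string (the case the `eq ''` check removed in the first hunk used to handle), the length is 1 and validation proceeds on an empty record, which is worth confirming since get_tlsa_from_dns is not visible here. validate_tlsa continues past the hunk.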
--- a/t/check_tlsa_record.t	Wed Jun 08 22:32:36 2016 +0200
+++ b/t/check_tlsa_record.t	Thu Jun 16 19:52:58 2016 +0200
@@ -3,6 +3,11 @@
 use strict;
 use warnings;
 use Test::More qw(no_plan);
+# @TODO write tests for
+# bad-hash.dane.verisignlabs.com -> The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC
+# bad-params.dane.verisignlabs.com -> The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
+# bad-sig.dane.verisignlabs.com -> The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
+# source: http://dane.verisignlabs.com/
 
 BEGIN { use_ok('Nagios::Check::DNS::check_tlsa_record') };
 
@@ -28,8 +33,8 @@
  my $test_main_domain_port_protocol = Nagios::Check::DNS::check_tlsa_record::main(($domain3, 443, 'tcp'));
  like($test_main_domain_port_protocol, qr(OK: .* is valid), 'main() ok with domain, port and protocol');
 
-  my $test_main_no_tlsa = Nagios::Check::DNS::check_tlsa_record::main(('google.com'));
-  like($test_main_no_tlsa, qr(WARNING: .*), 'main() warning when no SSL-Certificate  or no TLSA-Record/DANE is available');
+ my $test_main_no_tlsa = Nagios::Check::DNS::check_tlsa_record::main(('google.com'));
+ like($test_main_no_tlsa, qr(WARNING: .*), 'main() warning when no SSL-Certificate  or no TLSA-Record/DANE is available');
 
   my $test_main_default_port2 = Nagios::Check::DNS::check_tlsa_record::main(($domain4));
   like($test_main_default_port2, qr(CRITICAL: .* valid), 'main() critical when DANE not valid.');