Recent version broke proxy support
eLvErDe opened this issue · 4 comments
Describe the bug
I'm still using a very old version which is working fine with BOTH proxy support (for external OCSP checks) and cipher analysis using NMAP. Recent versions cannot do both.
To Reproduce
Running 2.35.0 with
check_ssl_cert --host 1.2.3.4 --port 443 --warning 60 --critical 30 --all-local --timeout 5 --sni 'name1' --cn 'commnonName' --ignore-sct --proxy http://proxy.domain-com:3128
Returns proper cipher errors:
SSL_CERT CRITICAL name1: 1.2.3.4 offers ciphers with warnings: Key exchange (dh 2048) of lower strength than certificate key
(also confirmed using --debug)
Versions up to 2.36.0 (included) work, 2.37 to 2.41 (included) still perform the check (but report an "HSTS is not supported" error), versions 2.42 to 2.72.0 (included) silently discard NMAP checks, while 2.73.0 and newer explicitly warn that cipher checks are disabled.
Expected behavior
Not losing a feature that worked in older versions :-P
System (please complete the following information):
Not relevant
Btw, I'd be happy to sponsor both this ticket and 505 if you are interested in
This is because nmap doesn't work properly behind a proxy: https://security.stackexchange.com/questions/120708/nmap-through-proxy
There were several problems and I decided to disable it.
I could add an option to try anyway ...
I added an option --nmap-with-proxy to force the use of nmap when a proxy is configured. You can also specify it in the property file to have it as a default.
I just published a new version with an additional option to force the old behavior. Would this be an option for you?