3 from __future__
import print_function
9 from socket
import socket
, AF_INET6
, AF_INET
10 from ssl
import SSLContext
, PROTOCOL_TLSv1_2
, CERT_REQUIRED
11 from unbound
import ub_ctx
13 from check_dane
.tlsa
import verify_tlsa_record
14 from check_dane
.cert
import verify_certificate
, add_certificate_options
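def init_connection(sslcontext, family, host, port, timeout=None):
    """Open a TLS connection to ``host``:``port`` and issue a HEAD request.

    Args:
        sslcontext: ssl.SSLContext used to wrap the plain socket; its
            verify_mode and CA store decide what the handshake accepts.
        family: address family to connect over (AF_INET or AF_INET6).
        host: hostname to connect to; also used for SNI and the HTTP
            ``Host`` header (the caller passes an IDNA-encoded name).
        port: TCP port number.
        timeout: optional socket timeout in seconds. ``None`` keeps the
            blocking default; a monitoring check should pass a value so an
            unresponsive host cannot hang the plugin indefinitely.

    Returns:
        The connected ssl.SSLSocket, so the caller can inspect the peer
        certificate (``getpeercert``) and close the connection.

    Raises:
        OSError subclasses (ConnectionRefusedError, socket.timeout, ...) and
        ssl.SSLError on connect / handshake / request failure. The socket is
        closed before the exception propagates, so nothing leaks to a caller
        that never receives the connection object.
    """
    plain = socket(family)
    if timeout is not None:
        plain.settimeout(timeout)
    # server_hostname sets SNI and is what hostname verification (when
    # enabled on the context) keys on; without it the server may present
    # a default certificate that has nothing to do with ``host``.
    connection = sslcontext.wrap_socket(plain, server_hostname=host)
    try:
        connection.connect((host, port))
        # sendall(): send() may write only part of the request buffer.
        connection.sendall(b"HEAD / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode())
        # NOTE(review): the response is read but not inspected here; confirm
        # whether the caller expects any status check on it.
        answer = connection.recv(512)
    except Exception:
        # Do not leak the socket when the caller never gets a handle to it.
        connection.close()
        raise
    return connection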
27 def close_connection(connection
):
32 sslcontext
= SSLContext(PROTOCOL_TLSv1_2
)
33 sslcontext
.verify_mode
= CERT_REQUIRED
34 sslcontext
.load_verify_locations(args
.castore
)
37 resolver
.add_ta_file(args
.ancor
)
39 return sslcontext
, resolver
43 logging
.basicConfig(format
='%(levelname)5s %(message)s')
44 parser
= argparse
.ArgumentParser()
45 parser
.add_argument("Host")
47 parser
.add_argument("--verbose", action
="store_true")
48 parser
.add_argument("--quiet", action
="store_true")
49 parser
.add_argument("-p", "--port",
50 action
="store", type=int, default
=443,
52 parser
.add_argument("--check-dane",
54 help="Verify presented certificate via DANE (default: enabled)")
55 parser
.add_argument("--check-ca",
57 help="Verify presented certificate via the CA system (default: enabled)")
58 parser
.add_argument("--check-expire",
60 help="Verify presented certificate for expiration (default: enabled)")
62 parser
.add_argument("-a", "--ancor",
63 action
="store", type=str, default
="/etc/unbound/root.key",
64 help="DNSSEC root ancor")
65 parser
.add_argument("--castore", action
="store", type=str,
66 default
="/etc/ssl/certs/ca-certificates.crt",
67 help="ca certificate bundle")
69 group
= parser
.add_mutually_exclusive_group()
70 group
.add_argument("-6", "--6", action
="store_true", dest
="use6", help="check via IPv6 only")
71 group
.add_argument("-4", "--4", action
="store_true", dest
="use4", help="check via IPv4 only")
72 group
.add_argument("--64", action
="store_false", dest
="use64", help="check via IPv4 and IPv6 (default)")
74 add_certificate_options(parser
)
76 args
= parser
.parse_args()
79 logging
.getLogger().setLevel(logging
.DEBUG
)
81 logging
.getLogger().setLevel(logging
.WARNING
)
83 logging
.getLogger().setLevel(logging
.INFO
)
85 host
= args
.Host
.encode('idna').decode()
86 sslcontext
, resolver
= init(args
)
89 afamilies
= [AF_INET6
]
91 afamilies
= [AF_INET6
]
93 afamilies
= [AF_INET
, AF_INET6
]
96 for afamily
in afamilies
:
98 connection
= init_connection(sslcontext
, afamily
, host
, args
.port
)
99 except ConnectionRefusedError
:
100 logging
.error("Connection refused")
103 nretval
= verify_certificate(connection
.getpeercert(), args
)
104 retval
= max(retval
, nretval
)
105 nretval
= verify_tlsa_record(resolver
, "_%d._tcp.%s" % (args
.port
, host
),
106 connection
.getpeercert(binary_form
=True))
107 retval
= max(retval
, nretval
)
109 close_connection(connection
)
114 if __name__
== '__main__':