+++ /dev/null
-#!/usr/bin/python3
-
-from __future__ import print_function
-
-import sys
-import argparse
-import logging
-
-from socket import socket, AF_INET6, AF_INET
-from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED
-from unbound import ub_ctx
-
-from check_dane.tlsa import verify_tlsa_record
-from check_dane.cert import verify_certificate, add_certificate_options
-
-def init_connection(sslcontext, family, host, port):
- connection = sslcontext.wrap_socket(socket(family),
- server_hostname=host)
- connection.connect((host, port))
- connection.send(b"HEAD / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode())
- answer = connection.recv(512)
- logging.debug(answer)
-
- return connection
-
-
-def close_connection(connection):
- connection.close()
-
-
-def init(args):
- sslcontext = SSLContext(PROTOCOL_TLSv1_2)
- sslcontext.verify_mode = CERT_REQUIRED
- sslcontext.load_verify_locations(args.castore)
-
- resolver = ub_ctx()
- resolver.add_ta_file(args.ancor)
-
- return sslcontext, resolver
-
-
-def main():
- logging.basicConfig(format='%(levelname)5s %(message)s')
- parser = argparse.ArgumentParser()
- parser.add_argument("Host")
-
- parser.add_argument("--verbose", action="store_true")
- parser.add_argument("--quiet", action="store_true")
- parser.add_argument("-p", "--port",
- action="store", type=int, default=443,
- help="HTTPS port")
- parser.add_argument("--check-dane",
- action="store_false",
- help="Verify presented certificate via DANE (default: enabled)")
- parser.add_argument("--check-ca",
- action="store_false",
- help="Verify presented certificate via the CA system (default: enabled)")
- parser.add_argument("--check-expire",
- action="store_false",
- help="Verify presented certificate for expiration (default: enabled)")
-
- parser.add_argument("-a", "--ancor",
- action="store", type=str, default="/etc/unbound/root.key",
- help="DNSSEC root ancor")
- parser.add_argument("--castore", action="store", type=str,
- default="/etc/ssl/certs/ca-certificates.crt",
- help="ca certificate bundle")
-
- group = parser.add_mutually_exclusive_group()
- group.add_argument("-6", "--6", action="store_true", dest="use6", help="check via IPv6 only")
- group.add_argument("-4", "--4", action="store_true", dest="use4", help="check via IPv4 only")
- group.add_argument("--64", action="store_false", dest="use64", help="check via IPv4 and IPv6 (default)")
-
- add_certificate_options(parser)
-
- args = parser.parse_args()
-
- if args.verbose:
- logging.getLogger().setLevel(logging.DEBUG)
- elif args.quiet:
- logging.getLogger().setLevel(logging.WARNING)
- else:
- logging.getLogger().setLevel(logging.INFO)
-
- host = args.Host.encode('idna').decode()
- sslcontext, resolver = init(args)
-
- if args.use6:
- afamilies = [AF_INET6]
- elif args.use4:
- afamilies = [AF_INET6]
- else:
- afamilies = [AF_INET, AF_INET6]
-
- retval = 0
- for afamily in afamilies:
- try:
- connection = init_connection(sslcontext, afamily, host, args.port)
- except ConnectionRefusedError:
- logging.error("Connection refused")
- return 2
-
- nretval = verify_certificate(connection.getpeercert(), args)
- retval = max(retval, nretval)
- nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (args.port, host),
- connection.getpeercert(binary_form=True))
- retval = max(retval, nretval)
-
- close_connection(connection)
-
- return retval
-
-
-if __name__ == '__main__':
- sys.exit(main())