from socket import socket, AF_INET6, AF_INET, create_connection
from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, cert_time_to_seconds, SSLError, CertificateError, create_default_context
-from unbound import ub_ctx, idn2dname, ub_strerror
+from unbound import ub_ctx, ub_strerror
from check_dane.tlsa import verify_tlsa_record
+from check_dane.cert import verify_certificate, add_certificate_options
def init_connection(sslcontext, args):
host = args.Host
group.add_argument("-4", "--4", action="store_true", help="check via IPv4 only")
group.add_argument("--64", action="store_false", help="check via IPv4 and IPv6 (default)")
+ add_certificate_options(parser)
+
args = parser.parse_args()
if args.verbose:
logging.error("Connection refused")
return 2
- retval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), connection.getpeercert(binary_form=True))
+ retval = verify_certificate(connection.getpeercert(), args)
+ nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), connection.getpeercert(binary_form=True))
+ retval = max(retval, nretval)
close_connection(connection)
return retval
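Review bot: `retval = max(retval, nretval)` silently assumes that verify_certificate and verify_tlsa_record return codes on the same ordered scale as the `return 2` used for a refused connection above; nothing visible here states that contract, so a comment at the merge point would help, e.g. `# both checkers return codes on one ordered severity scale; report the worst one`. Combining the two checks with max also means a peer whose certificate matches the TLSA record but fails the separate certificate check is reported as failing, which is fine for a PKIX-plus-DANE policy but worth stating in a comment if that is the intent. Note that the non-binary `connection.getpeercert()` returns an empty dict when the SSL context did not verify the peer, so verify_certificate would then inspect nothing; the context setup is not visible here, so this is an inference to confirm. The function enclosing these lines starts outside the visible diff.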
if __name__ == '__main__':
- main()
+ sys.exit(main())
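Review bot: `sys.exit(main())` requires `sys` to be in scope, and the import lines changed at the top of this diff do not add it; if `sys` is not imported elsewhere in the file (not visible here), the new line raises NameError instead of exiting with main()'s code. Add `import sys` to the import block in the same commit.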