X-Git-Url: https://git.siccegge.de//index.cgi?p=dane-monitoring-plugins.git;a=blobdiff_plain;f=check_dane_https;fp=check_dane_https;h=0000000000000000000000000000000000000000;hp=3d758c240df6617e3c88bc92a40626880eff1c81;hb=19426697a401ad52cf88d88700b3e14f05a9d4a7;hpb=8f220280eec73cc20ea02eb0ea1deae375711b0f diff --git a/check_dane_https b/check_dane_https deleted file mode 100755 index 3d758c2..0000000 --- a/check_dane_https +++ /dev/null @@ -1,115 +0,0 @@ -#!/usr/bin/python3 - -from __future__ import print_function - -import sys -import argparse -import logging - -from socket import socket, AF_INET6, AF_INET -from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED -from unbound import ub_ctx - -from check_dane.tlsa import verify_tlsa_record -from check_dane.cert import verify_certificate, add_certificate_options - -def init_connection(sslcontext, family, host, port): - connection = sslcontext.wrap_socket(socket(family), - server_hostname=host) - connection.connect((host, port)) - connection.send(b"HEAD / HTTP/1.1\r\nHost: %s\r\n\r\n" % host.encode()) - answer = connection.recv(512) - logging.debug(answer) - - return connection - - -def close_connection(connection): - connection.close() - - -def init(args): - sslcontext = SSLContext(PROTOCOL_TLSv1_2) - sslcontext.verify_mode = CERT_REQUIRED - sslcontext.load_verify_locations(args.castore) - - resolver = ub_ctx() - resolver.add_ta_file(args.ancor) - - return sslcontext, resolver - - -def main(): - logging.basicConfig(format='%(levelname)5s %(message)s') - parser = argparse.ArgumentParser() - parser.add_argument("Host") - - parser.add_argument("--verbose", action="store_true") - parser.add_argument("--quiet", action="store_true") - parser.add_argument("-p", "--port", - action="store", type=int, default=443, - help="HTTPS port") - parser.add_argument("--check-dane", - action="store_false", - help="Verify presented certificate via DANE (default: enabled)") - parser.add_argument("--check-ca", - action="store_false", - help="Verify presented certificate via the CA system (default: enabled)") - parser.add_argument("--check-expire", - action="store_false", - help="Verify presented certificate for expiration (default: enabled)") - - parser.add_argument("-a", "--ancor", - action="store", type=str, default="/etc/unbound/root.key", - help="DNSSEC root ancor") - parser.add_argument("--castore", action="store", type=str, - default="/etc/ssl/certs/ca-certificates.crt", - help="ca certificate bundle") - - group = parser.add_mutually_exclusive_group() - group.add_argument("-6", "--6", action="store_true", dest="use6", help="check via IPv6 only") - group.add_argument("-4", "--4", action="store_true", dest="use4", help="check via IPv4 only") - group.add_argument("--64", action="store_false", dest="use64", help="check via IPv4 and IPv6 (default)") - - add_certificate_options(parser) - - args = parser.parse_args() - - if args.verbose: - logging.getLogger().setLevel(logging.DEBUG) - elif args.quiet: - logging.getLogger().setLevel(logging.WARNING) - else: - logging.getLogger().setLevel(logging.INFO) - - host = args.Host.encode('idna').decode() - sslcontext, resolver = init(args) - - if args.use6: - afamilies = [AF_INET6] - elif args.use4: - afamilies = [AF_INET6] - else: - afamilies = [AF_INET, AF_INET6] - - retval = 0 - for afamily in afamilies: - try: - connection = init_connection(sslcontext, afamily, host, args.port) - except ConnectionRefusedError: - logging.error("Connection refused") - return 2 - - nretval = verify_certificate(connection.getpeercert(), args) - retval = max(retval, nretval) - nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (args.port, host), - connection.getpeercert(binary_form=True)) - retval = max(retval, nretval) - - close_connection(connection) - - return retval - - -if __name__ == '__main__': - sys.exit(main())