X-Git-Url: https://git.siccegge.de//index.cgi?p=dane-monitoring-plugins.git;a=blobdiff_plain;f=check_dane_smtp;h=28c6efeeac6fd5ebade43b3726736eba44162c4d;hp=57f352d825b34a0d08a3c1afc4e7c5718c1bed19;hb=51ee958a71b32d2dd88041612db5faee43cb69f3;hpb=d753e7fe2c11c8afa93a6194cb9e03ff10155841 diff --git a/check_dane_smtp b/check_dane_smtp index 57f352d..28c6efe 100755 --- a/check_dane_smtp +++ b/check_dane_smtp @@ -9,24 +9,33 @@ import argparse import logging from socket import socket, AF_INET6, AF_INET, create_connection -from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, cert_time_to_seconds, SSLError, CertificateError, create_default_context -from unbound import ub_ctx, idn2dname, ub_strerror +from ssl import SSLError, CertificateError, SSLContext +from ssl import PROTOCOL_TLSv1_2, CERT_REQUIRED +from unbound import ub_ctx from check_dane.tlsa import verify_tlsa_record +from check_dane.cert import verify_certificate, add_certificate_options -def init_connection(sslcontext, args): +def init_connection(sslcontext, args, family): host = args.Host if args.ssl: port = 465 if args.port == 0 else args.port - connection = sslcontext.wrap_socket(socket(AF_INET), + connection = sslcontext.wrap_socket(socket(family), server_hostname=host) connection.connect((host, port)) + answer = connection.recv(512) + logging.debug(answer) + + connection.send(b"EHLO localhost\r\n") + answer = connection.recv(512) + logging.debug(answer) else: port = 25 if args.port == 0 else args.port - connection = create_connection((host, port)) + connection = socket(family=family) + connection.connect((host, port)) answer = connection.recv(512) logging.debug(answer) @@ -41,6 +50,10 @@ def init_connection(sslcontext, args): connection = sslcontext.wrap_socket(connection, server_hostname=host) connection.do_handshake() + connection.send(b"EHLO localhost\r\n") + answer = connection.recv(512) + logging.debug(answer) + return connection @@ -92,9 +105,11 @@ def main(): help="ca certificate bundle") group = parser.add_mutually_exclusive_group() - group.add_argument("-6", "--6", action="store_true", help="check via IPv6 only") - group.add_argument("-4", "--4", action="store_true", help="check via IPv4 only") - group.add_argument("--64", action="store_false", help="check via IPv4 and IPv6 (default)") + group.add_argument("-6", "--6", action="store_true", dest="use6", help="check via IPv6 only") + group.add_argument("-4", "--4", action="store_true", dest="use4", help="check via IPv4 only") + group.add_argument("--64", action="store_false", dest="use64", help="check via IPv4 and IPv6 (default)") + + add_certificate_options(parser) args = parser.parse_args() @@ -111,17 +126,32 @@ def main(): host = args.Host.encode('idna').decode() sslcontext, resolver = init(args) - try: - connection = init_connection(sslcontext, args) - except ConnectionRefusedError: - logging.error("Connection refused") - return 2 - retval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), connection.getpeercert(binary_form=True)) + if args.use6: + afamilies = [AF_INET6] + elif args.use4: + afamilies = [AF_INET6] + else: + afamilies = [AF_INET, AF_INET6] + + retval = 0 + for afamily in afamilies: + try: + connection = init_connection(sslcontext, args, afamily) + except ConnectionRefusedError: + logging.error("Connection refused") + return 2 + + nretval = verify_certificate(connection.getpeercert(), args) + retval = max(retval, nretval) + nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), + connection.getpeercert(binary_form=True)) + retval = max(retval, nretval) + + close_connection(connection) - close_connection(connection) return retval if __name__ == '__main__': - main() + sys.exit(main())