]>
git.siccegge.de Git - tools.git/blob - tls-check
3 from __future__
import print_function
4 from optparse
import OptionParser
5 from ssl
import SSLContext
, PROTOCOL_TLSv1_2
, CERT_REQUIRED
, cert_time_to_seconds
, SSLError
, CertificateError
6 from socket
import socket
, AF_INET6
7 from datetime
import datetime
, timedelta
8 from smtplib
import SMTP
14 def __init__(self
, cafile
, warn
, crit
):
19 def check(self
, proto
, host
, port
):
20 context
= SSLContext(PROTOCOL_TLSv1_2
)
21 context
.verify_mode
= CERT_REQUIRED
22 context
.load_verify_locations(self
.cafile
)
23 if hasattr(self
, 'remote_check_%s' % proto
):
24 getattr(self
, 'remote_check_%s' % proto
)(context
, host
, port
)
26 def remote_check_smtp(self
, context
, host
, port
):
27 smtp
= SMTP(host
, port
)
29 smtp
.starttls(context
=context
)
31 print("CRIT (invalid certificate) %s:%d" % (host
, port
))
34 cert
= smtp
.sock
.getpeercert()
35 return self
.check_cert(cert
, host
, port
)
37 def remote_check_ssl(self
, context
, host
, port
):
38 connection
= context
.wrap_socket(socket(AF_INET6
),
41 connection
.connect((host
, port
))
43 print("CRIT (invalid certificate) %s:%d" % (host
, port
))
46 cert
= connection
.getpeercert()
47 return self
.check_cert(cert
, host
, port
)
49 def check_cert(self
, data
, host
, port
):
50 expiretimestamp
= cert_time_to_seconds(data
['notAfter'])
51 delta
= datetime
.utcfromtimestamp(expiretimestamp
) - datetime
.utcnow()
54 print("CRIT (expires in %s) %s:%d" % (delta
, host
, port
))
56 elif delta
< self
.warn
:
57 print("WARN (expires in %s) %s:%d" % (delta
, host
, port
))
62 parser
= OptionParser()
63 parser
.add_option("--config", action
="store", type="string", dest
="config",
64 help="configuration file to use")
65 parser
.add_option("-n", "--name",
66 action
="append", type="string", dest
="names",
67 help="hostname:port to check for expired certificates")
68 parser
.add_option("-w", "--warning-days",
69 action
="store", type=int, dest
="warn",
70 help="minimum remaining validity in days before a warning is issued")
71 parser
.add_option("-c", "--critical-days",
72 action
="store", type=int, dest
="crit",
73 help="minimum remaining validity in days before a warning is issued")
74 parser
.add_option("-v", action
="store_true", dest
="verbose", default
=False)
75 parser
.add_option("-q", action
="store_false", dest
="verbose")
76 parser
.add_option("--ca", action
="store", type="string", dest
="ca",
77 help="ca certificate bundle")
80 opts
, _args
= parser
.parse_args()
83 configuration
= yaml
.load(open(opts
.config
))
85 configuration
= dict()
88 configuration
['names'] = opts
.names
90 configuration
['warn_days'] = opts
.warn
92 configuration
['crit_days'] = opts
.crit
94 configuration
['cacertificates'] = opts
.ca
96 configuration
['verbose'] = opts
.verbose
98 if 'verbose' in configuration
:
99 VERBOSE
= configuration
['verbose']
101 if not 'names' in configuration
:
102 parser
.error("needs at least one host")
104 verifier
= Verifier(configuration
['cacertificates'] if 'cacertificates' in configuration
else '/etc/ssl/certs/ca-certificates.crt',
105 timedelta(configuration
['warn_days'] if 'warn_days' in configuration
else 15),
106 timedelta(configuration
['crit_days'] if 'crit_days' in configuration
else 5))
109 hosts
= [ (i
[0], i
[1], int(i
[2])) for i
in [ j
.split(':', 2) for j
in configuration
['names'] ] ]
110 except (ValueError, IndexError):
111 parser
.error("names need to be in PROTO:DNSNAME:PORT format")
113 for proto
, host
, port
in hosts
:
114 verifier
.check(proto
, host
, port
)
116 if __name__
== "__main__":