from __future__ import print_function

from datetime import datetime, timedelta
from optparse import OptionParser
from socket import socket, AF_INET6
from ssl import (SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, CertificateError,
                 SSLError, cert_time_to_seconds)
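def check_cert(host, port, ca, warn, crit):
    """Connect to ``host:port`` over TLS and report certificate problems.

    Prints one Nagios-style line ("CRIT ..." / "WARN ...") when the
    certificate does not verify, the connection fails, or the remaining
    validity is below a threshold.  Nothing is printed when the
    certificate verifies and is valid for at least ``warn``.

    Args:
        host: DNS name to connect to.  Also used for SNI and for hostname
            verification of the presented certificate.
        port: TCP port to connect to.
        ca: path to a PEM bundle of trusted CA certificates.
        warn: ``timedelta``; WARN when remaining validity is shorter.
        crit: ``timedelta``; CRIT when remaining validity is shorter
            (checked before ``warn``, so ``crit`` is expected to be the
            smaller of the two).

    NOTE(review): this rendering of the file is missing several lines
    (the ``try``/``except`` around ``connect`` and the threshold
    comparisons); that control flow is reconstructed from the imported
    names and the message strings that are visible.  Any verbose "OK"
    output the original may have had after the WARN branch is not
    visible and therefore not reproduced here.
    """
    # Pins the handshake to TLS 1.2.  A server that only offers TLS 1.3
    # fails the handshake and is reported as an invalid certificate.
    # PROTOCOL_TLS_CLIENT (Python 3.6+) would negotiate the highest
    # version, but the file appears to keep Python 2.7 compatibility.
    context = SSLContext(PROTOCOL_TLSv1_2)
    context.verify_mode = CERT_REQUIRED
    # CERT_REQUIRED only verifies the chain: a valid certificate issued
    # for a *different* name would pass.  Hostname matching is off by
    # default on a PROTOCOL_TLSv1_2 context and has to be enabled here.
    context.check_hostname = True
    context.load_verify_locations(ca)
    # server_hostname drives hostname verification and also sends SNI;
    # without SNI many servers present a default certificate instead of
    # the one for ``host``.
    connection = context.wrap_socket(socket(AF_INET6), server_hostname=host)
    try:
        try:
            connection.connect((host, port))
        except (SSLError, CertificateError):
            # CertificateError is a ValueError (not an SSLError) on
            # Python < 3.7, so a hostname mismatch must be caught
            # explicitly or it escapes as a traceback.
            print("CRIT (invalid certificate) %s:%d" % (host, port))
            return
        except (IOError, OSError) as err:
            # A refused or unreachable host would otherwise abort the
            # whole run; report it so the caller can continue with the
            # remaining hosts.  (socket.error is an IOError on Python 2.)
            print("CRIT (connection failed: %s) %s:%d" % (err, host, port))
            return

        expiretimestamp = cert_time_to_seconds(
            connection.getpeercert()['notAfter'])
        # Both operands are naive UTC datetimes, so the difference is
        # consistent regardless of the local timezone.
        delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()

        # An already expired certificate gives a negative delta and is
        # reported as CRIT by the first comparison.
        if delta < crit:
            print("CRIT (expires in %s) %s:%d" % (delta, host, port))
        elif delta < warn:
            print("WARN (expires in %s) %s:%d" % (delta, host, port))
    finally:
        # No close() is visible in the original rendering; close here so
        # one descriptor is not leaked per host checked.
        connection.close()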
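# Command-line handling: one or more "-n host:port" targets, warning and
# critical thresholds in days, and the CA bundle used for verification.
#
# NOTE(review): this rendering of the file is missing the ``if`` before
# ``parser.error("needs at least one host")`` and the ``try`` before the
# host parsing; both are reconstructed from the visible error handling.
parser = OptionParser()
parser.add_option("-n", "--name",
                  action="append", type="string", dest="hosts",
                  help="hostname:port to check for expired certificates")
parser.add_option("-w", "--warning-days",
                  action="store", type=int, dest="warn", default=15,
                  help="minimum remaining validity in days before a warning is issued")
parser.add_option("-c", "--critical-days",
                  action="store", type=int, dest="crit", default=5,
                  # Fixed: the help text said "warning" for the critical threshold.
                  help="minimum remaining validity in days before a critical alert is issued")
parser.add_option("-v", action="store_true", dest="verbose", default=False)
parser.add_option("-q", action="store_false", dest="verbose")
parser.add_option("--ca", action="store", type="string", dest="ca",
                  default="/etc/ssl/certs/ca-certificates.crt",
                  help="ca certificate bundle")

opts, _args = parser.parse_args()

VERBOSE = opts.verbose

# ``-n`` uses action="append", so with no occurrence the value is None.
if not opts.hosts:
    parser.error("needs at least one host")

# Each target is "DNSNAME:PORT"; a missing ':' or a non-numeric port is a
# usage error (ValueError here; IndexError kept for the original's
# indexing form).
try:
    hosts = []
    for spec in opts.hosts:
        name, port_str = spec.split(':', 1)
        hosts.append((name, int(port_str)))
except (ValueError, IndexError):
    parser.error("names need to be in DNSNAME:PORT format")

# Thresholds are given in days; timedelta(n) is n days.
for host, port in hosts:
    check_cert(host, port, opts.ca, timedelta(opts.warn), timedelta(opts.crit))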
67 if __name__
== "__main__":