X-Git-Url: https://git.siccegge.de//index.cgi?p=tools.git;a=blobdiff_plain;f=tls-check;h=19a8dfc65d061f4c7e5d5e5dd6db4de564a8d906;hp=92b1b83b129fea3f2f19394b8a15af0d60e43b11;hb=HEAD;hpb=1f73719477ce15cdc097fd0089c01aaa6e7758f3 diff --git a/tls-check b/tls-check index 92b1b83..19a8dfc 100644 --- a/tls-check +++ b/tls-check @@ -3,7 +3,7 @@ from __future__ import print_function from optparse import OptionParser from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, cert_time_to_seconds, SSLError, CertificateError -from socket import socket, AF_INET6 +from socket import socket, AF_INET6, create_connection from datetime import datetime, timedelta from smtplib import SMTP import yaml @@ -16,14 +16,36 @@ class Verifier: self.crit = crit self.warn = warn - def check(self, proto, host, port): + def check(self, proto, host, port, name): context = SSLContext(PROTOCOL_TLSv1_2) context.verify_mode = CERT_REQUIRED context.load_verify_locations(self.cafile) if hasattr(self, 'remote_check_%s' % proto): - getattr(self, 'remote_check_%s' % proto)(context, host, port) + getattr(self, 'remote_check_%s' % proto)(context, host, port, name) - def remote_check_smtp(self, context, host, port): + def remote_check_xmpp(self, context, host, port, name): + xmpp_open = ("" ) + xmpp_starttls = "" + + connection = create_connection((host, port)) + connection.sendall(xmpp_open.format(name).encode('utf-8')) + response = connection.recv(4096).decode('utf-8') + + if not '' in response: + connection.recv(4096) + + connection.sendall(xmpp_starttls.encode('utf-8')) + connection.recv(4096) + + connection = context.wrap_socket(connection, server_hostname=name) + connection.do_handshake() + + cert = connection.getpeercert() + return self.check_cert(cert, host, port, name) + + def remote_check_smtp(self, context, host, port, name): smtp = SMTP(host, port) try: smtp.starttls(context=context) @@ -32,11 +54,11 @@ class Verifier: return 2 cert = smtp.sock.getpeercert() - return self.check_cert(cert, host, port) + return self.check_cert(cert, host, port, name) - def remote_check_ssl(self, context, host, port): + def remote_check_ssl(self, context, host, port, name): connection = context.wrap_socket(socket(AF_INET6), - server_hostname=host) + server_hostname=name) try: connection.connect((host, port)) except SSLError: @@ -44,17 +66,18 @@ class Verifier: return 2 cert = connection.getpeercert() - return self.check_cert(cert, host, port) + return self.check_cert(cert, host, port, name) - def check_cert(self, data, host, port): + def check_cert(self, data, host, port, name): expiretimestamp = cert_time_to_seconds(data['notAfter']) delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow() + deltastr = str(delta).split(",") if delta < self.crit: - print("CRIT (expires in %s) %s:%d" % (delta, host, port)) + print("CRIT (expires in %8s,%16s) %s:%d" % (deltastr[0], deltastr[1], name, port)) return 2 elif delta < self.warn: - print("WARN (expires in %s) %s:%d" % (delta, host, port)) + print("WARN (expires in %8s,%16s) %s:%d" % (deltastr[0], deltastr[1], name, port)) return 1 def main(): @@ -88,7 +111,7 @@ def main(): configuration['names'] = opts.names if opts.warn: configuration['warn_days'] = opts.warn - if opts.warn: + if opts.crit: configuration['crit_days'] = opts.crit if opts.ca: configuration['cacertificates'] = opts.ca @@ -106,12 +129,12 @@ def main(): timedelta(configuration['crit_days'] if 'crit_days' in configuration else 5)) try: - hosts = [ (i[0], i[1], int(i[2])) for i in [ j.split(':', 2) for j in configuration['names'] ] ] + hosts = [ (i[0], i[1], int(i[2]), i[3] if len(i) == 4 else i[1]) for i in [ j.split(':', 3) for j in configuration['names'] ] ] except (ValueError, IndexError): parser.error("names need to be in PROTO:DNSNAME:PORT format") - for proto, host, port in hosts: - verifier.check(proto, host, port) + for proto, host, port, name in hosts: + verifier.check(proto, host, port, name) if __name__ == "__main__": main()