From: Christoph Egger Date: Sat, 7 Nov 2015 17:20:37 +0000 (+0100) Subject: Add name in addition to host to tls-check X-Git-Url: https://git.siccegge.de//index.cgi?p=tools.git;a=commitdiff_plain;h=46c2647692ccd87951a86e04c2c6c63b6f65ec2b Add name in addition to host to tls-check Sometimes, e.g. with srv records, we want to check for a name in the certificate that is different from the hostname associated with the A/AAAA record. This is neccessary e.g. for the upcomming XMPP check, at least untill python3-ldns becomes properly available. ---
diff --git a/tls-check b/tls-check
index 467a753..4610063 100644
--- a/tls-check
+++ b/tls-check
@@ -16,12 +16,12 @@ class Verifier:
         self.crit = crit
         self.warn = warn
-    def check(self, proto, host, port):
+    def check(self, proto, host, port, name):
         context = SSLContext(PROTOCOL_TLSv1_2)
         context.verify_mode = CERT_REQUIRED
         context.load_verify_locations(self.cafile)
         if hasattr(self, 'remote_check_%s' % proto):
-            getattr(self, 'remote_check_%s' % proto)(context, host, port)
+            getattr(self, 'remote_check_%s' % proto)(context, host, port, name)
     def remote_check_smtp(self, context, host, port):
         smtp = SMTP(host, port)
@@ -32,11 +32,11 @@ class Verifier:
             return 2
         cert = smtp.sock.getpeercert()
-        return self.check_cert(cert, host, port)
+        return self.check_cert(cert, host, port, name)
-    def remote_check_ssl(self, context, host, port):
+    def remote_check_ssl(self, context, host, port, name):
         connection = context.wrap_socket(socket(AF_INET6),
-                                         server_hostname=host)
+                                         server_hostname=name)
         try:
             connection.connect((host, port))
         except SSLError:
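Review bot: `check()` now calls every `remote_check_*` method with five positional arguments, but the unchanged `def remote_check_smtp(self, context, host, port):` line in this hunk still takes four, so `proto == 'smtp'` raises TypeError on the new side, and the smtp body in the next hunk additionally references `name`, which is not bound there. Change the signature to `def remote_check_smtp(self, context, host, port, name):`. Separately, `context` is built with `CERT_REQUIRED` but `check_hostname` is left at its default of False for a plain `SSLContext` (unless it is set somewhere outside this hunk), so any certificate chaining to the CA file is accepted regardless of the name it carries; if name matching is the intent, which the commit message suggests, add `context.check_hostname = True` after the `verify_mode` line. Note also that `check()` discards the return value of the `remote_check_*` call, so the 1/2 status computed by `check_cert` never reaches `main()`; that predates this change.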
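Review bot: In `remote_check_ssl`, `server_hostname=name` only selects the SNI value sent to the server; with `check_hostname` not enabled on the context, the returned certificate is not compared against `name` at all, so a valid certificate for some other host passes silently. If the commit's goal is to check that `name` is in the certificate, either enable `context.check_hostname = True` where the context is created in `check()` (previous hunk), or call `match_hostname(cert, name)` on the result of `getpeercert()`. Be aware that on Python before 3.7 the resulting `CertificateError` is a `ValueError`, not an `SSLError`, so the `except SSLError:` clause at the end of this hunk would need to catch it as well. `remote_check_ssl`'s body continues past the end of this hunk.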
@@ -44,17 +44,17 @@ class Verifier:
             return 2
         cert = connection.getpeercert()
-        return self.check_cert(cert, host, port)
+        return self.check_cert(cert, host, port, name)
-    def check_cert(self, data, host, port):
+    def check_cert(self, data, host, port, name):
         expiretimestamp = cert_time_to_seconds(data['notAfter'])
         delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()
         if delta < self.crit:
-            print("CRIT (expires in %s) %s:%d" % (delta, host, port))
+            print("CRIT (expires in %s) %s:%d" % (delta, name, port))
             return 2
         elif delta < self.warn:
-            print("WARN (expires in %s) %s:%d" % (delta, host, port))
+            print("WARN (expires in %s) %s:%d" % (delta, name, port))
             return 1
 def main():
@@ -106,12 +106,12 @@ def main():
                 timedelta(configuration['crit_days'] if 'crit_days' in configuration else 5))
     try:
-        hosts = [ (i[0], i[1], int(i[2])) for i in [ j.split(':', 2) for j in configuration['names'] ] ]
+        hosts = [ (i[0], i[1], int(i[2]), i[3] if len(i) == 4 else i[1]) for i in [ j.split(':', 3) for j in configuration['names'] ] ]
     except (ValueError, IndexError):
         parser.error("names need to be in PROTO:DNSNAME:PORT format")
-    for proto, host, port in hosts:
-        verifier.check(proto, host, port)
+    for proto, host, port, name in hosts:
+        verifier.check(proto, host, port, name)
 if __name__ == "__main__":
     main()
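Review bot: The WARN/CRIT lines in `check_cert` now print `name` in place of `host`, so in exactly the case this commit is for (SRV target differing from the certificate name) the output no longer says which address was actually probed. Print both, e.g. `print("CRIT (expires in %s) %s:%d (%s)" % (delta, name, port, host))` and the same for the WARN line. `check_cert` still only inspects `notAfter`; nothing in this hunk compares `name` against the certificate's subject or subjectAltName, so the new parameter is purely informational here unless hostname checking is enforced at connect time. The OK path still falls off the end and returns None rather than 0, which predates this change.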
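Review bot: The `parser.error` message still says `PROTO:DNSNAME:PORT` although the new comprehension accepts an optional fourth field; update it to `parser.error("names need to be in PROTO:DNSNAME:PORT[:CERTNAME] format")`. With `split(':', 3)` a fifth colon-separated field is silently kept inside `name` instead of being rejected, and a host written as an IPv6 literal still cannot be expressed at all (pre-existing). Splitting without a maxsplit and checking `len(i) in (3, 4)` before building the tuple would make the extra-field case surface as the format error instead. `main()` starts before this hunk.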