tlscertcheck

TLS certificate checking tool

Check the TLS certificates on a given set of HTTPS server IP addresses and print out identifying information about the certificates. Optionally, match those certificates against a specified certificate identifier. The original purpose of this program was to provide a way to quickly inspect the certificates of a pool of servers to see if they all had the expected configuration.

Pre-requisites:

  • Python 3
  • OpenSSL
  • M2Crypto module (Python interface to OpenSSL) (I recommend version 0.29 or later that includes the set1_host() function that correctly does certificate name checking.)

Usage and options:

$ tlscertcheck.py --help
Usage: tlscertcheck.py [Options] <host1> <host2> ...

    Options:
    --help            Print this help message
    --verbose         Verbose mode; print details of certificate
    --printchain      Print full certificate chain if verbose is specified
    --silent          No output, just set response code
    --port=N          Use specified port (default: 443)
    --ipversion=N     Use only specified IP version for resolving hosts (4 or 6)
    --sni=<name>      For IP address arguments, set SNI extension to given name
    --match=<id>      Check that certficates match given id
    --usefp           Use SHA1 fingerprint of DER-encoded cert as id
    --timeout=N       Timeout per connection in seconds (default: 10.0)
    --infile=<file>   Read server addresses from given file
    --cacert=<file>   Use given file for trusted root CAs (PEM format)
    --noverify        Don't perform certificate verification
    --onlyerror       Only print errors for each server
    --summary         Print summary at the end
    --m2warn          Print warning if missing M2Crypto library features

The host1, host2, etc. arguments can be either IP addresses or hostnames. The main output format is the following, one line per server IP address:

<certid> <ipaddr> <hostname>

The "certid" is a combination of the serial number and issuer hash, which should uniquely identify a certificate. This should provide an easy way to inspect whether all of the servers have the same certificate. The "--usefp" option can be specified to alternatively use the SHA1 fingerprint of the DER-encoding of the full certificate as the certid.
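To show what goes into a certid, here is an added, self-contained example (not part of tlscertcheck, which uses M2Crypto): a minimal standard-library DER walker that pulls the serial number, the issuer Name and the notAfter time out of a certificate, then forms "serial:issuerhash" and the SHA1 fingerprint of the full DER encoding. Two assumptions are labelled in the code: the issuer hash is the first four bytes of SHA1 over the raw issuer DER, not OpenSSL's canonical X509_NAME_hash, so the digits will not equal what the real tool prints; and build_test_cert() produces a constructed, unsigned certificate skeleton that exists only so the parser can be exercised offline.

```python
"""Added example: derive a tlscertcheck-style certid from a DER certificate (stdlib only)."""
import hashlib
import struct
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end


def _children(value):
    """Split a constructed DER value into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _read_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def parse_cert(der):
    """Extract serial, raw issuer Name and notAfter from an RFC 5280 Certificate."""
    tag, body, _, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    fields = _children(_children(body)[0][1])   # contents of TBSCertificate
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    serial_tag, serial_val, _ = fields[0]
    if serial_tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    # fields[1] is the signature AlgorithmIdentifier; fields[2] is the issuer Name
    issuer_raw = fields[2][2]
    not_after_tag, not_after_val, _ = _children(fields[3][1])[1]   # validity.notAfter
    # UTCTime (0x17) vs GeneralizedTime (0x18); %y maps 00-68 to 20xx, enough for this example
    fmt = "%y%m%d%H%M%SZ" if not_after_tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(not_after_val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return {"serial": int.from_bytes(serial_val, "big"), "issuer_der": issuer_raw,
            "not_after": not_after, "der": der}


def certid(info):
    """serial:issuerhash. ASSUMPTION: hash is SHA1 over the raw issuer DER, first 4 bytes,
    little-endian; OpenSSL's X509_NAME_hash uses a canonicalised Name instead."""
    h = struct.unpack("<I", hashlib.sha1(info["issuer_der"]).digest()[:4])[0]
    return "%x:%08x" % (info["serial"], h)


def fingerprint_id(info):
    """The --usefp alternative: SHA1 of the DER encoding of the whole certificate."""
    return hashlib.sha1(info["der"]).hexdigest()


def is_expired(info, now=None):
    now = now or datetime.now(timezone.utc)
    return now > info["not_after"]


# --- constructed test input (not a real or signed certificate) -------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String cn } } }"""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))


def build_test_cert(serial, issuer_cn, not_after_utctime):
    """Constructed certificate skeleton with just enough structure for parse_cert()."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    validity = _tlv(0x30, _tlv(0x17, b"190128000000Z") + _tlv(0x17, not_after_utctime.encode("ascii")))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 17))          # placeholder key, not usable
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes) + alg
               + _name(issuer_cn) + validity + _name("server.example.test") + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))    # placeholder signature


if __name__ == "__main__":
    info = parse_cert(build_test_cert(0x123456789ABCDEF, "Test CA", "210201120000Z"))
    print(certid(info), fingerprint_id(info), "expired" if is_expired(info) else "valid")
```

Because the issuer hash depends only on the issuer Name, two certificates from the same CA share the part after the colon and differ only in the serial, which is exactly why the combination identifies a certificate; the fingerprint form differs for any change anywhere in the DER.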

For an IP address argument, the "hostname" is the name returned by reverse DNS lookup (PTR record) of the IP address. For a hostname argument, the program resolves all IPv4 or IPv6 addresses of the hostname and checks each one.

The "--match" option can be used to specify a certid that all the server certificates are compared to. An error message is printed for each server that does not match, and if any fail to match, the program's exit code is set to 1 (zero otherwise).
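The following added example (not the tool's own code) shows how a wrapper script might consume tlscertcheck's one-line-per-server output: it parses the record and ERROR: lines into per-server entries, rebuilds the --summary block in the same layout, and applies the --match rule so the exit code can be reused in a monitoring job. The sample output is constructed for the example, and the choice to treat a server that has no certid (because verification failed) as a mismatch is this example's, not something the README states.

```python
"""Added example: parse tlscertcheck output, summarise it and apply the --match rule."""
import sys

# Constructed sample, in the tool's output format (not a real capture).
SAMPLE_OUTPUT = """\
2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.133.16 host1.example.com
2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.132.182 host2.example.com
1f202031dfda98efdff0f72be51060d:4bcd7fc4        10.61.133.196 host3.example.com
ERROR: TLS certificate verify failed: Cert has expired: 10.61.133.200 host4.example.com
"""


def parse_output(text):
    """One entry per server IP. An ERROR: line and a record line for the same IP
    (as with a name mismatch) are merged into a single entry."""
    servers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("##"):
            continue                                  # verbose detail / summary lines
        if line.startswith("ERROR:"):
            # "ERROR: <reason>: <ipaddr> <hostname>"; the reason may itself contain ": "
            reason, _, rest = line[len("ERROR:"):].strip().rpartition(": ")
            ipaddr, hostname = rest.split()
            entry = servers.setdefault(ipaddr, {"certid": None, "ipaddr": ipaddr,
                                                "hostname": hostname, "error": None})
            entry["error"] = reason
        else:
            cid, ipaddr, hostname = line.split()
            entry = servers.setdefault(ipaddr, {"certid": None, "ipaddr": ipaddr,
                                                "hostname": hostname, "error": None})
            entry["certid"] = cid
    return list(servers.values())


def summarize(records):
    by_cert = {}
    for r in records:
        if r["certid"]:
            by_cert.setdefault(r["certid"], []).append(r["ipaddr"])
    errors = sum(1 for r in records if r["error"])
    return {"servers": len(records), "ok": len(records) - errors,
            "error": errors, "by_cert": by_cert}


def summary_lines(s):
    """Same layout as the tool's --summary block."""
    lines = ["## SUMMARY:",
             "## Number of servers: %d (ok %d, error %d)" % (s["servers"], s["ok"], s["error"]),
             "## Number of distinct certs seen: %d" % len(s["by_cert"])]
    for cid, ips in s["by_cert"].items():
        lines.append("## [%d] %s %s" % (len(ips), cid, " ".join(ips)))
    return lines


def mismatches(records, match_id):
    """IPs whose certid differs from match_id; a server with no certid counts too."""
    return [r["ipaddr"] for r in records if r["certid"] != match_id]


def match_exit_code(records, match_id):
    """--match semantics from the README: 1 if any server fails to match, else 0."""
    return 1 if mismatches(records, match_id) else 0


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    print("\n".join(summary_lines(summarize(recs))))
    expected = "2e02c81977ca118098382df7e2ec96b:4bcd7fc5"
    for ip in mismatches(recs, expected):
        print("ERROR: certificate does not match %s: %s" % (expected, ip))
    sys.exit(match_exit_code(recs, expected))
```

Keying entries by IP address rather than appending per line matters for the wrong.host case in the example runs below, where the tool prints both an ERROR line and a normal record for the same server; merging them keeps the server count honest.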

The "--infile" option can be used to specify a file containing the list of IP addresses (one per line) instead of specifying them on the command line.

The "--verbose" option will print more verbose info about each certificate, such as: serial number, issuer, subject, SAN dNSNames, inception and expiration times.

The "--printchain" option (when specified with --verbose) will also print the details of the full certificate chain.

The "--cacert" option can be used to specify a file containing root certification authorities to trust (as a sequence of PEM format CA certificates). The default cacert file is hardcoded into the program (typically where it is found on many Linux distributions). Note that this program does not do certificate name checking, since it is designed to connect to servers by IP address.

The "--noverify" option can be used to turn off certificate verification.

Example runs

$ tlscertcheck.py --summary 10.61.133.16 10.61.132.182 10.61.133.196
2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.133.16 host1.example.com
2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.132.182 host2.example.com
2e02c81977ca118098382df7e2ec96b:4bcd7fc5        10.61.133.196 host3.example.com

## SUMMARY:
## Number of servers: 3 (ok 3, error 0)
## Number of distinct certs seen: 1
## [3] 2e02c81977ca118098382df7e2ec96b:4bcd7fc5 10.61.133.16 10.61.132.182 10.61.133.196

$ echo $?
0
$ tlscertcheck.py --verbose --printchain 1.1.1.1
1cce318de9f567fab2b24901fada71d:35be5bbd        1.1.1.1 one.one.one.one
## Host one.one.one.one address 1.1.1.1
## TLS: TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-256
## ----------- Certificate at Depth=0:
## Serial    : 1cce318de9f567fab2b24901fada71d
## Issuer    : C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA
## Subject   : C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com
## SAN: DNS:cloudflare-dns.com
## SAN: DNS:*.cloudflare-dns.com
## SAN: DNS:one.one.one.one
## SAN: IP Address:1.1.1.1
## SAN: IP Address:1.0.0.1
## SAN: IP Address:162.159.132.53
## SAN: IP Address:2606:4700:4700:0:0:0:0:1111
## SAN: IP Address:2606:4700:4700:0:0:0:0:1001
## SAN: IP Address:2606:4700:4700:0:0:0:0:64
## SAN: IP Address:2606:4700:4700:0:0:0:0:6400
## SAN: IP Address:162.159.36.1
## SAN: IP Address:162.159.46.1
## Inception : 2019-01-28 00:00:00+00:00 UTC
## Expiration: 2021-02-01 12:00:00+00:00 UTC
## AKI: keyid:A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F
## SKI: 70:95:DC:5C:A3:8E:66:07:DB:CB:81:10:C6:AB:E7:C3:A8:45:7F:A0
## keyUsage: Digital Signature
## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
## crlDistributionPoints: <present>
## Policy: 2.16.840.1.114412.1.1
## Policy: CPS: https://www.digicert.com/CPS
## Policy: 2.23.140.1.2.2
## AuthorityInfoAccess: OCSP - URI:http://ocsp.digicert.com
## AuthorityInfoAccess: CA Issuers - URI:http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt
## basicConstraints: CA:FALSE
## ct_precert_scts: <present>
## ----------- Certificate at Depth=1:
## Serial    : acb28ba465ee53908767470f3cdc612
## Issuer    : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
## Subject   : C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA
## Inception : 2013-03-08 12:00:00+00:00 UTC
## Expiration: 2023-03-08 12:00:00+00:00 UTC
## basicConstraints: CA:TRUE, pathlen:0
## keyUsage: Digital Signature, Certificate Sign, CRL Sign
## AuthorityInfoAccess: OCSP - URI:http://ocsp.digicert.com
## crlDistributionPoints: <present>
## Policy: X509v3 Any Policy
## Policy: CPS: https://www.digicert.com/CPS
## SKI: A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F
## AKI: keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
$ tlscertcheck.py --verbose www.ietf.org
e8e7fa116fb7d651:f131ccf4       2606:4700:10::6814:55 www.ietf.org
## Host www.ietf.org address 2606:4700:10::6814:55
## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256
## Serial    : e8e7fa116fb7d651
## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
## Subject   : OU=Domain Control Validated, CN=*.ietf.org
## SAN: DNS:*.ietf.org
## SAN: DNS:ietf.org
## Inception : 2018-06-12 15:44:12+00:00 UTC
## Expiration: 2019-08-11 23:12:50+00:00 UTC
## basicConstraints: CA:FALSE
## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
## keyUsage: Digital Signature, Key Encipherment
## crlDistributionPoints: <present>
## Policy: 2.16.840.1.114414.1.7.23.1
## Policy: CPS: http://certificates.starfieldtech.com/repository/
## Policy: 2.23.140.1.2.1
## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/
## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/
CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F
## ct_precert_scts: <present>

e8e7fa116fb7d651:f131ccf4       2606:4700:10::6814:155 www.ietf.org
## Host www.ietf.org address 2606:4700:10::6814:155
## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256
## Serial    : e8e7fa116fb7d651
## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
## Subject   : OU=Domain Control Validated, CN=*.ietf.org
## SAN: DNS:*.ietf.org
## SAN: DNS:ietf.org
## Inception : 2018-06-12 15:44:12+00:00 UTC
## Expiration: 2019-08-11 23:12:50+00:00 UTC
## basicConstraints: CA:FALSE
## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
## keyUsage: Digital Signature, Key Encipherment
## crlDistributionPoints: <present>
## Policy: 2.16.840.1.114414.1.7.23.1
## Policy: CPS: http://certificates.starfieldtech.com/repository/
## Policy: 2.23.140.1.2.1
## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/
## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/
CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F
## ct_precert_scts: <present>

e8e7fa116fb7d651:f131ccf4       104.20.0.85 www.ietf.org
## Host www.ietf.org address 104.20.0.85
## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256
## Serial    : e8e7fa116fb7d651
## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
## Subject   : OU=Domain Control Validated, CN=*.ietf.org
## SAN: DNS:*.ietf.org
## SAN: DNS:ietf.org
## Inception : 2018-06-12 15:44:12+00:00 UTC
## Expiration: 2019-08-11 23:12:50+00:00 UTC
## basicConstraints: CA:FALSE
## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
## keyUsage: Digital Signature, Key Encipherment
## crlDistributionPoints: <present>
## Policy: 2.16.840.1.114414.1.7.23.1
## Policy: CPS: http://certificates.starfieldtech.com/repository/
## Policy: 2.23.140.1.2.1
## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/
## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/
CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F
## ct_precert_scts: <present>

e8e7fa116fb7d651:f131ccf4       104.20.1.85 www.ietf.org
## Host www.ietf.org address 104.20.1.85
## TLS: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-256
## Serial    : e8e7fa116fb7d651
## Issuer    : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
## Subject   : OU=Domain Control Validated, CN=*.ietf.org
## SAN: DNS:*.ietf.org
## SAN: DNS:ietf.org
## Inception : 2018-06-12 15:44:12+00:00 UTC
## Expiration: 2019-08-11 23:12:50+00:00 UTC
## basicConstraints: CA:FALSE
## extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
## keyUsage: Digital Signature, Key Encipherment
## crlDistributionPoints: <present>
## Policy: 2.16.840.1.114414.1.7.23.1
## Policy: CPS: http://certificates.starfieldtech.com/repository/
## Policy: 2.23.140.1.2.1
## AuthorityInfoAcces: OCSP - URI:http://ocsp.starfieldtech.com/
## AuthorityInfoAcces: CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## authorityInfoAccess: OCSP - URI:http://ocsp.starfieldtech.com/
CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
## AKI: keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
## SKI: 06:FE:0B:AB:D8:E6:74:6E:FC:C4:73:02:85:F7:A9:48:7E:D1:34:4F
## ct_precert_scts: <present>
$ tlscertcheck.py expired.badssl.com
ERROR: TLS certificate verify failed: Cert has expired: 104.154.89.105 expired.badssl.com
$ tlscertcheck.py self-signed.badssl.com
ERROR: TLS certificate verify failed: Self Signed certificate: 104.154.89.105 self-signed.badssl.com
$ tlscertcheck.py untrusted-root.badssl.com
ERROR: TLS certificate verify failed: Unable to get issuer cert locally: 104.154.89.105 untrusted-root.badssl.com
$ tlscertcheck.py wrong.host.badssl.com
ERROR: Certificate name mismatch: 104.154.89.105 wrong.host.badssl.com
1f202031dfda98efdff0f72be51060d:4bcd7fc4        104.154.89.105 wrong.host.badssl.com
