Changeset 7821 for TI12-security


Timestamp: 17/01/11 16:15:24
Author: pjkersha
Message:

Bash script to check the validity of a certificate from a given server running over SSL.

  • added the ability to check certificates returned for expiry in X days from now - useful for checking for cert renewal.
File:
1 edited

  • TI12-security/trunk/ssl_cert_verification_utils/sslcertcheck.sh

    r7820 r7821  
    22# 
    33# Get an SSL certificate from a server and verify it against a set of trusted CA 
    4 # certificates and check it for time validity. 
     4# certificates and check it for time validity. e.g. check mulitiple services: 
     5# 
     6# $ sslcertcheck.sh -c "somewhere.ac.uk:443 somewhereelse.ac.uk:6000" -p ./ca-dir 
     7# 
     8# It outputs the status for each connection made and exits with 1 if any of them 
     9# fails; exits with 0 if all succeed.  To check a single connection e.g. 
     10# 
     11# $ sslcertcheck.sh --connect someservice.ac.uk:8443 --CApath ./ca-dir 
     12# 
     13# - this example uses alternative long form for command line options. 
    514# 
    615# Author: P J Kershaw  
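Review bot: "mulitiple" in the new comment line should read "multiple". Since this change adds the expiry window option, the header examples should also show it, e.g. `$ sslcertcheck.sh -c somewhere.ac.uk:443 -p ./ca-dir -d 30` to flag certificates that expire within 30 days, otherwise the only documentation of `-d` is the case statement further down.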
     
    1322# 
    1423# $Id$ 
    15 cmdline_opt=`getopt -o hc:p: --long help,connect:,CApath:: -n "$0" -- "$@"` 
     24cmdline_opt=`getopt -o hc:p:d: --long help,connect:,CApath:days-expiry-from-now:: -n "$0" -- "$@"` 
    1625 
    1726usage="Usage: $(basename $0) [-h|--help] [-c|--connect \"host1:port1 host2:port2 ... hostN:portN\"] [-p|--CApath dir]" 
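Review bot: the `--long` list on the new getopt line is missing a comma between `CApath:` and `days-expiry-from-now::`, so getopt sees a single long option named `CApath:days-expiry-from-now` and the `--days-expiry-from-now` form handled in the case statement is rejected as unrecognized. It should read `--long help,connect:,CApath:,days-expiry-from-now:` (a required argument, matching the short `-d:`). The unchanged usage string just below also needs the new option added, e.g. `[-d|--days-expiry-from-now days]`.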
     
    2938        -c|--connect) connect_strings=$2 ; shift 2 ;; 
    3039        -p|--CApath) ca_dir=$2 ; shift 2 ;; 
     40        -d|--days-expiry-from-now) days_expiry_from_now=$2 ; shift 2 ;; 
    3141        --) shift ; break ;; 
    3242        *) echo "Internal error!" ; exit 1 ;; 
     
    4252if [ "$ca_dir" ]; then 
    4353    verify_arg="-CApath $ca_dir" 
     54fi 
     55 
     56if [ "$days_expiry_from_now" ]; then 
     57    # Use bc to allow for decimal days 
     58    secs_expiry_from_now=$(echo "$days_expiry_from_now * 86400"|bc -l) ; 
     59else 
     60    secs_expiry_from_now=0 ;  
    4461fi 
    4562 
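Review bot: `$days_expiry_from_now` is fed to bc without validation; bc treats an unknown word as a zero-valued variable, so a mistyped argument such as `-d thirty` silently yields a zero-second window instead of an error. Reject non-numeric input before the arithmetic, e.g. `case "$days_expiry_from_now" in *[!0-9.]*) echo "$usage" >&2 ; exit 1 ;; esac`. Note also that `bc -l` keeps the fractional digits (0.5 days gives `43200.0`), which matters for the integer `-lt` comparison later; `echo "($days_expiry_from_now * 86400)/1" | bc` truncates to whole seconds. The trailing ` ;` after the assignments is unnecessary.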
     
    6582    expiry_date_secs=$(date --date="$expiry_date" +%s) 
    6683    current_date_secs=$(date +%s) 
    67     # Test expired case 
    68     #current_date_secs=$(date --date="Wed Jan 12 14:22:05 GMT 2020" +%s) 
     84    test_date_secs=$(echo $current_date_secs + $secs_expiry_from_now | bc -l) 
    6985 
    7086    echo -n ", certificate \"$subject\": " ; 
     
    7490    fi 
    7591  
    76     if [ "$expiry_date_secs" -lt "$current_date_secs" ]; then 
    77         echo certificate has expired ; 
     92    if [ "$expiry_date_secs" -lt "$test_date_secs" ]; then 
     93        test_date=$(date -d "1970-01-01 $test_date_secs sec GMT") 
     94        echo certificate expires before $test_date ; 
    7895        exit_code=1 ; 
    7996    fi 
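Review bot: `[ "$expiry_date_secs" -lt "$test_date_secs" ]` requires integer operands, but `test_date_secs` is computed with `bc -l` and carries a fractional part whenever `-d` is given a decimal value, which is the stated reason for using bc. `test` then fails with "integer expression expected", the branch is skipped and a certificate inside the expiry window is reported as valid with exit code 0. The same non-integer value is interpolated into `date -d "1970-01-01 $test_date_secs sec GMT"`. Strip the fraction before use, e.g. `test_date_secs=${test_date_secs%.*}`. Also, with no `-d` given the message now reads "certificate expires before <now>"; keeping the old "certificate has expired" wording for the zero-window case would be clearer to operators reading the output.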