#!/usr/bin/env bash

# Script-wide defaults, exported so any child process inherits them.
# DETAILS/VERIFY are flipped by -d/-v and TGTSRV by -s; TGTPORT is the
# port used when no second positional argument is supplied.
DETAILS=0
VERIFY=0
TGTSRV="localhost"
TGTPORT="443"
export DETAILS VERIFY TGTSRV TGTPORT

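# Locate openssl on PATH; fall back to the conventional path so the
# executable check below still yields a meaningful message when it is
# missing.  The message uses %s, not %b: a path must be printed verbatim,
# never have backslash sequences interpreted.
sslbin="$(command -v openssl || printf '/usr/bin/openssl')"
if [ ! -x "$sslbin" ]; then
	printf '%s not executable!\n' "$sslbin" >&2
	exit 1
fi
# Base set of x509 fields printed for every run; extended further below.
sslshowparms=( "x509" "-noout" "-subject" "-issuer" "-dates" )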

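#######################################
# Print the usage text.  The option table is aligned with column(1).
# The previous text advertised a -p flag that getopts never accepted and
# omitted the positional TARGET/PORT arguments the script actually reads.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   exit status of column(1)
#######################################
ichraffsnet() {
	# %s, not %b: the script name is printed verbatim.
	printf 'USAGE: %s [-h] | [-d] [-v] [-s target] TARGET [PORT]\n' "${0##*/}"
	(
		printf -- '-h:;This help\n'
		printf -- '-d:;More details on certificate\n'
		printf -- '-v:;verify certificate\n'
		printf -- '-s:;Target server\n'
		printf -- 'TARGET:;Host to connect to\n'
		printf -- 'PORT:;Port number or service name (default 443)\n'
	) | column -ts\;
}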
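# --- Argument handling -------------------------------------------------
# Options are parsed BEFORE the positional arguments.  getopts stops at the
# first non-option word, so with the old order (positionals first, then
# getopts) every flag except a leading -h was silently ignored, and
# "-d host" was misread as TARGET="-d" PORT="host".
while getopts :vdhs: SHOPT; do
	case "${SHOPT}" in
		d) export DETAILS=1;;
		v) export VERIFY=1;;
		h) ichraffsnet; exit 0;;
		s) TGTSRV="${OPTARG}";;
		*) printf 'No valid parameter: -%s!\n' "${OPTARG}" >&2; exit 2;;
	esac
done
shift $((OPTIND-1))

# Positionals: TARGET [PORT].  PORT may be numeric or a service name.
TGTURL="$1"
if [ -z "$TGTURL" ]; then
	# Unconditional exit: the old `printf && ichraffsnet && exit 127` chain
	# skipped the exit whenever column(1) failed inside ichraffsnet.
	printf 'URL missing!\n\n' >&2
	ichraffsnet
	exit 127
fi
TGTPORT="$2"
if [ -z "$TGTPORT" ]; then
	TGTPORT=443
	TGTPORTN="https"
fi
numrex='^[0-9]+$'
if ! [[ "$TGTPORT" =~ $numrex ]]; then
	# Resolve a service name via /etc/services by exact match on the
	# first field.  The user-supplied name is passed with -v, so it is
	# never interpolated into a pattern (the old grep -P did that and also
	# required GNU grep).  First matching line wins, as with head -n1.
	PORTNUM="$(awk -v svc="$TGTPORT" '$1 == svc { split($2, a, "/"); print a[1]; exit }' /etc/services)"
	# rdp is not listed in every services file; pin it explicitly.
	case "$TGTPORT" in
		"rdp") PORTNUM="3389";;
	esac
	if [ -z "$PORTNUM" ]; then
		printf '"%s" is not a known port.\n' "$TGTPORT" >&2
		exit 1
	fi
	# Keep the name for diagnostics, switch TGTPORT to the number.
	TGTPORTN="$TGTPORT"
	TGTPORT="$PORTNUM"
fi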

# The author commented out the `if [ "$DETAILS" -eq 1 ]` gate, so the
# extended x509 fields are appended unconditionally; -d currently has no
# effect on this list.
sslshowparms+=(
	"-issuer_hash" "-email" "-serial" "-ocsp_uri"
	"-ext" "subjectAltName,subjectKeyIdentifier,crlDistributionPoints"
)

### --- STARTTLS --- ###
# Ports whose protocol starts in clear text and upgrades to TLS in-band
# need s_client's -starttls handshake for that protocol; any other port is
# treated as TLS-from-the-first-byte and gets no extra parameter.
starttls_proto=""
case "$TGTPORT" in
	21)        starttls_proto="ftp";;
	25)        starttls_proto="smtp";;
	110)       starttls_proto="pop3";;
	143)       starttls_proto="imap";;
	389)       starttls_proto="ldap";;
	2000|4190) starttls_proto="sieve";;   # 2000 is the obsolete sieve port
	3306)      starttls_proto="mysql";;
	5222)      starttls_proto="xmpp";;
	5432)      starttls_proto="postgres";;
esac
if [ -n "$starttls_proto" ]; then
	sslinitparms+=( "-starttls" "$starttls_proto" )
fi

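### --- Reachability check, then fetch and print the certificate --- ###
# Without nc the old check reported "cannot be reached" for every host;
# say what is actually wrong instead.
if ! command -v nc >/dev/null 2>&1; then
	printf 'nc not found, cannot probe %s:%s\n' "$TGTURL" "$TGTPORT" >&2
	exit 1
fi
# -z: connect only, send nothing; -w3: give up after three seconds.
if ! nc -zw3 "$TGTURL" "$TGTPORT"; then
	# %s, not %b: the host name is user input and is printed verbatim.
	printf '%s cannot be reached on port %s' "$TGTURL" "$TGTPORT" >&2
	if [ -z "$TGTPORTN" ]; then
		# Map the numeric port back to a service name for the message.
		# Exact match on the second field via -v; no regex is built from
		# the port value.  First hit wins.
		SVCNM="$(awk -v p="${TGTPORT}/tcp" '$2 == p { print $1; exit }' /etc/services)"
	else
		SVCNM="$TGTPORTN"
	fi
	if [ -n "$SVCNM" ]; then
		printf ' (%s).\n' "$SVCNM" >&2
	else
		printf '.\n' >&2
	fi
	exit 1
fi
# stdin from /dev/null: s_client sees EOF right after the handshake and
# closes the session instead of first sending an empty line as data.
# -servername sends SNI, so a server hosting several names returns the
# certificate for $TGTURL rather than its default one.
# s_client prints only the server certificate (the chain needs
# -showcerts); sed keeps that PEM block and x509 prints the selected
# fields.  stderr is merged so connection diagnostics stay visible.
# NOTE: VERIFY is exported by -v but nothing here acts on it yet.
"${sslbin}" s_client -connect "${TGTURL}:${TGTPORT}" -servername "$TGTURL" \
	"${sslinitparms[@]}" </dev/null 2>&1 \
	| sed -n '/---BEGIN CERT/,/---END CERT/p' \
	| "${sslbin}" "${sslshowparms[@]}" | tr -s '\n'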