Package: ssl-cert-check
Version: 3.29-1
Severity: wishlist
Tags: patch

Most modern openssl client code can connect to an XMPP server on either the client or the server port and check the SSL certificate.  This patch makes ssl-cert-check use that feature (the `-starttls xmpp` and `-xmpphost` options of `openssl s_client`; the patch was written against openssl 1.1.0c) so you can check that your XMPP server has an up-to-date certificate.

It would mean the package would need a Recommends on bind9-host (which provides the `host` command used for the SRV lookup) but not a Depends, as the program works fine without the host command for the other types of checks.

The way it is done for XMPP could also be used for other services that publish DNS SRV records; it is just a matter of calling resolve_service_host for them.

 - Craig

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert-check depends on:
ii  openssl  1.1.0c-2

Versions of packages ssl-cert-check recommends:
ii  bsd-mailx [mailx]  8.1.2-0.20160123cvs-3

ssl-cert-check suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/ssl-cert-check (from ssl-cert-check package)
--- ssl-cert-check.orig 2017-01-28 09:23:37.257705319 +1100
+++ ssl-cert-check      2017-01-28 09:35:12.748501793 +1100
@@ -245,6 +245,7 @@
 PRINTF=$(which printf)
 SED=$(which sed)
 MKTEMP=$(which mktemp)
+HOSTCMD=$(which host)
 
 # Try to find a mail client
 if [ -f /usr/bin/mailx ]
@@ -446,6 +447,41 @@
     echo ""
 }
 
+##########################################################################
+# Purpose: Find the real server name using DNS records
+# Arguments:
+#   $1 -> Server name
+#   $2 -> Service
+##########################################################################
+resolve_service_host() {
+    if [ -z ${HOSTCMD} ]
+    then
+       prints ${1} ${2} "Host command not found" "Unknown"
+       RETCODE=3
+       return
+    fi
+    if [ _${2} = '_xmpp-client' ]
+    then
+       TLSPROTO='xmpp'
+    elif [ _${2} = '_xmpp-server' ]
+    then
+       TLSPROTO='xmpp-server'
+    else
+        prints ${1} ${2} "Unknown service to resolve" "Unknown"  
+        RETCODE=3
+       return
+    fi
+    TLSFLAG=""
+    HOSTOUT=`${HOSTCMD} -t SRV _${2}._tcp.${1} 2>&1`
+    if [ `echo ${HOSTOUT} | ${GREP} -c 'has SRV record'` -gt 0 ]
+    then
+        CONNECTHOST=`echo ${HOSTOUT} | ${AWK} '{print $8 ":" $7}'`
+        TLSFLAG="-starttls xmpp -xmpphost ${1}"
+    else 
+        prints ${1} ${2} "Cannot resolve service" "Unknown"  
+        RETCODE=3
+    fi
+}
 
 ##########################################################################
 # Purpose: Connect to a server ($1) and port ($2) to see if a certificate
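Review bot: TLSPROTO is assigned 'xmpp' or 'xmpp-server' in the two branches of resolve_service_host but is never read — the TLSFLAG line hard-codes `-starttls xmpp`, so an `_xmpp-server` lookup negotiates STARTTLS as a client stream instead of a server-to-server one (openssl 1.1.0 s_client accepts `-starttls xmpp-server`, which the unused value suggests was the intent); change it to `TLSFLAG="-starttls ${TLSPROTO} -xmpphost ${1}"`. The tests `[ -z ${HOSTCMD} ]` and `[ _${2} = '_xmpp-client' ]` leave their expansions unquoted, unlike the `"_${2}"` form the existing code uses further down; `[ -z ${HOSTCMD} ]` only works because a lone `-z` is treated as a non-empty string, so quote both. The awk extraction assumes the port and target are fields 7 and 8 of `host` output with stderr merged in (`2>&1`), so any warning printed first shifts the fields, and because `echo ${HOSTOUT}` joins all lines it silently takes the first SRV record regardless of priority/weight; a target of `.` (RFC 2782 "service not available") is passed to openssl unchanged. At minimum document those assumptions above the awk line, e.g. `# assumes a single SRV answer: "<name> has SRV record <prio> <weight> <port> <target>"`.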
@@ -455,6 +491,7 @@
 #   $2 -> TCP port to connect to
 ##########################################################################
 check_server_status() {
+    CONNECTHOST=$1:${2}
 
     if [ "_${2}" = "_smtp" -o "_${2}" = "_25" ]
     then
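Review bot: `CONNECTHOST=$1:${2}` is set before `${2}` has been interpreted, so for the new `xmpp-client`/`xmpp-server` values it holds `host:xmpp-client` until resolve_service_host overwrites it, and it keeps that value if the SRV lookup fails. Quote it and make the two halves consistent with the `"_${2}"` test on the next line: `CONNECTHOST="${1}:${2}"`. check_server_status continues past the end of this hunk.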
@@ -475,6 +512,9 @@
     elif [ "_${2}" = "_submission" -o "_${2}" = "_587" ]
     then
         TLSFLAG="-starttls smtp -port ${2}"
+    elif [ "_${2}" = "_xmpp-client" -o "_${2}" = "_xmpp-server" ]
+    then
+        resolve_service_host $1 $2
     else
         TLSFLAG=""
     fi
@@ -489,7 +529,7 @@
          TLSFLAG="${TLSFLAG} -servername $1"
     fi
 
-    echo "" | ${OPENSSL} s_client ${VER} -connect ${1}:${2} ${TLSFLAG} 2> 
${ERROR_TMP} 1> ${CERT_TMP}
+    echo "" | ${OPENSSL} s_client ${VER} -connect ${CONNECTHOST} ${TLSFLAG} 2> 
${ERROR_TMP} 1> ${CERT_TMP}
 
     if ${GREP} -i  "Connection refused" ${ERROR_TMP} > /dev/null
     then
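Review bot: The openssl call on the new `-connect ${CONNECTHOST}` line still runs after resolve_service_host has reported "Cannot resolve service" and set RETCODE=3 — unless the lines between this hunk and the previous one check RETCODE (not visible here), nothing returns early, so the script then connects to `host:xmpp-client` (presumably resolved through /etc/services) with TLSFLAG empty, i.e. a bare TLS handshake against a STARTTLS port, and prints a second error for the same host. Have resolve_service_host leave CONNECTHOST empty on failure and guard the connect with `[ -z "${CONNECTHOST}" ] && return` just before the openssl line. `${CONNECTHOST}` should also be quoted in the `-connect` argument. check_server_status starts and ends outside this hunk.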
