Package: ssl-cert-check
Version: 3.29-1
Severity: wishlist
Tags: patch

Most modern openssl client code will be able to connect to an XMPP server either on the client or server port and check the SSL certificate. This patch enables ssl-cert-check to use that feature so you can check your XMPP server has an up-to-date certificate.
It would mean the package would need a Recommends on bind9-host but not a dependency, as the program works fine without the host command for other types of checks. The way it is done for xmpp could also be used for other things that use DNS SRV records; it is just a matter of calling resolve_service_host.

- Craig

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert-check depends on:
ii  openssl  1.1.0c-2

Versions of packages ssl-cert-check recommends:
ii  bsd-mailx [mailx]  8.1.2-0.20160123cvs-3

ssl-cert-check suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/ssl-cert-check (from ssl-cert-check package)
--- ssl-cert-check.orig 2017-01-28 09:23:37.257705319 +1100 +++ ssl-cert-check 2017-01-28 09:35:12.748501793 +1100 @@ -245,6 +245,7 @@ PRINTF=$(which printf) SED=$(which sed) MKTEMP=$(which mktemp) +HOSTCMD=$(which host) # Try to find a mail client if [ -f /usr/bin/mailx ] @@ -446,6 +447,41 @@ echo "" } +########################################################################## +# Purpose: Find the real server name using DNS records +# Arguments: +# $1 -> Server name +# $2 -> Service +########################################################################## +resolve_service_host() { + if [ -z ${HOSTCMD} ] + then + prints ${1} ${2} "Host command not found" "Unknown" + RETCODE=3 + return + fi + if [ _${2} = '_xmpp-client' ] + then + TLSPROTO='xmpp' + elif [ _${2} = '_xmpp-server' ] + then + TLSPROTO='xmpp-server' + else + prints ${1} ${2} "Unknown service to resolve" "Unknown" + RETCODE=3 + return + fi + TLSFLAG="" + HOSTOUT=`${HOSTCMD} -t SRV _${2}._tcp.${1} 2>&1` + if [ `echo ${HOSTOUT} | ${GREP} -c 'has SRV record'` -gt 0 ] + then + CONNECTHOST=`echo ${HOSTOUT} | ${AWK} '{print $8 ":" $7}'` + TLSFLAG="-starttls xmpp -xmpphost ${1}" + else + prints ${1} ${2} "Cannot resolve service" "Unknown" + RETCODE=3 + fi +} ########################################################################## # Purpose: Connect to a server ($1) and port ($2) to see if a certificate @@ -455,6 +491,7 @@ # $2 -> TCP port to connect to ########################################################################## check_server_status() { + CONNECTHOST=$1:${2} if [ "_${2}" = "_smtp" -o "_${2}" = "_25" ] then @@ -475,6 +512,9 @@ elif [ "_${2}" = "_submission" -o "_${2}" = "_587" ] then TLSFLAG="-starttls smtp -port ${2}" + elif [ "_${2}" = "_xmpp-client" -o "_${2}" = "_xmpp-server" ] + then + resolve_service_host $1 $2 else TLSFLAG="" fi 
@@ -489,7 +529,7 @@ TLSFLAG="${TLSFLAG} -servername $1" fi - echo "" | ${OPENSSL} s_client ${VER} -connect ${1}:${2} ${TLSFLAG} 2> ${ERROR_TMP} 1> ${CERT_TMP} + echo "" | ${OPENSSL} s_client ${VER} -connect ${CONNECTHOST} ${TLSFLAG} 2> ${ERROR_TMP} 1> ${CERT_TMP} if ${GREP} -i "Connection refused" ${ERROR_TMP} > /dev/null then
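Review bot: in the HOSTCMD hunk, `HOSTCMD=$(which host)` silently expands to nothing when `host` is not installed, and the later test `[ -z ${HOSTCMD} ]` only works because an empty expansion happens to leave `[ -z ]`, which is true; write `[ -z "${HOSTCMD}" ]` and, as the report itself says, add bind9-host to Recommends in the packaging so the new code path is usable on a default install.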
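Review bot: in resolve_service_host, TLSPROTO is set to `xmpp` or `xmpp-server` but never used, and TLSFLAG hard-codes `-starttls xmpp -xmpphost ${1}`, so the `_xmpp-server` case negotiates the client-to-server STARTTLS dialect against the server-to-server port; use the variable, `TLSFLAG="-starttls ${TLSPROTO} -xmpphost ${1}"` (openssl 1.1.0's s_client accepts `-starttls xmpp-server`). Two smaller points in the same function: `echo ${HOSTOUT} | ${AWK} '{print $8 ":" $7}'` flattens every SRV answer onto one line and takes fields 7 and 8 of whichever record host printed first, ignoring priority and weight and keeping the target's trailing dot; and the three error branches set RETCODE=3 and `return` with status 0, leaving the caller no way to tell that CONNECTHOST was never set, so a `return 1` there (and `return 0` after setting TLSFLAG) would let check_server_status stop.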
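Review bot: `CONNECTHOST=$1:${2}` at the top of check_server_status should be quoted, `CONNECTHOST="${1}:${2}"`, to match the rest of the function, and the header comment just above it still documents `$2 -> TCP port to connect to`; now that `$2` may also be the service name `xmpp-client` or `xmpp-server`, that line and the script's usage text should say so.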
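Review bot: the new `elif` branch calls `resolve_service_host $1 $2` but never checks whether it succeeded; when resolution fails the function has already printed "Cannot resolve service" and set RETCODE=3, yet check_server_status carries on and runs s_client against `CONNECTHOST=$1:xmpp-client`, producing a second, misleading error for the same host. Have the error paths in resolve_service_host return non-zero and write `resolve_service_host $1 $2 || return`, or test RETCODE before falling through.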
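Review bot: the s_client line now connects to `${CONNECTHOST}` (the SRV target) while `-servername $1` from the preceding line and `-xmpphost ${1}` still carry the original domain; that is the right choice, since the certificate has to match the XMPP domain rather than the SRV target, but it deserves a one-line comment there so a later cleanup does not "fix" it to use CONNECTHOST for SNI as well.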
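The SRV lookup the patch performs with `host -t SRV`, carried through with priority and weight handling, as an added example in POSIX sh (my code, not part of the submitted patch or of ssl-cert-check). The host(1) output format, the sample records and the function names `srv_pick` and `xmpp_s_client_args` are assumptions; `srv_pick` reads host output on stdin so it runs offline, and `xmpp_s_client_args` only builds the s_client argument list rather than connecting.

```shell
#!/bin/sh
# Added example, not code from the ssl-cert-check package or from the patch above.
# Selects the SRV target for an XMPP certificate check from host(1) output,
# honouring RFC 2782 ordering: lowest priority first, then highest weight.
# Taking the highest weight deterministically (instead of the RFC's weighted
# random choice) is deliberate for a monitoring check, so every run tests
# the same server.
#
# Assumed host(1) output, one record per line (the format the patch greps for;
# treated as an assumption here):
#   _xmpp-client._tcp.example.org has SRV record 10 70 5222 xmpp1.example.org.
# Fields: 1 name, 2-4 "has SRV record", 5 priority, 6 weight, 7 port, 8 target

# srv_pick: stdin -> host(1) output; stdout -> "target:port", or nothing if
# no SRV answer is present (NXDOMAIN, "has no SRV record", errors).
srv_pick() {
    grep ' has SRV record ' |
    awk '{ sub(/\.$/, "", $8); print $5, $6, $8 ":" $7 }' |
    sort -k1,1n -k2,2nr |
    awk 'NR == 1 { print $3 }'
}

# xmpp_s_client_args: $1 -> XMPP domain, $2 -> xmpp-client | xmpp-server,
# stdin -> host(1) output. Prints the openssl s_client arguments to use.
# SNI (-servername) and the XMPP stream "to" (-xmpphost) carry the original
# domain, not the SRV target, because that is the name the certificate must
# match; only -connect uses the SRV target. Returns 2 for an unknown service
# and 1 when no SRV record was found, so a caller can stop instead of
# connecting to a bogus host:service pair.
xmpp_s_client_args() {
    domain=$1
    case $2 in
        xmpp-client) starttls=xmpp ;;
        xmpp-server) starttls=xmpp-server ;;
        *) printf 'unknown service: %s\n' "$2" >&2; return 2 ;;
    esac
    target=$(srv_pick)
    if [ -z "$target" ]; then
        printf 'no SRV record for _%s._tcp.%s\n' "$2" "$domain" >&2
        return 1
    fi
    printf '%s\n' "-connect $target -starttls $starttls -xmpphost $domain -servername $domain"
}

# Constructed sample answer (not a real DNS lookup): two priorities, and two
# weights within the preferred priority, listed out of order as host(1) may.
SAMPLE_HOST_OUTPUT='_xmpp-client._tcp.example.org has SRV record 20 0 5222 backup.example.org.
_xmpp-client._tcp.example.org has SRV record 10 30 5222 xmpp2.example.org.
_xmpp-client._tcp.example.org has SRV record 10 70 5222 xmpp1.example.org.'

# Offline usage:
#   printf '%s\n' "$SAMPLE_HOST_OUTPUT" | xmpp_s_client_args example.org xmpp-client
# Against real DNS:
#   host -t SRV _xmpp-client._tcp.example.org | xmpp_s_client_args example.org xmpp-client
```

The resulting argument string is what the patch's `${OPENSSL} s_client ${VER} ... ${TLSFLAG}` line needs, with the port chosen from the SRV record rather than a fixed 5222 or 5269.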