Any ideas about this?

On 26 November 2014 at 17:28, Dick Visser <[email protected]> wrote:
> As it says on the tin.
> I'm looking for a way to retrieve the x509 cert for SMTP servers that
> offer STARTTLS.
> gnutls-cli can be used, but you have to manually type some steps: EHLO
> blah, STARTTLS and then ctrl-D (for EOF):
>
> visser@nagios:~$ gnutls-cli --starttls --print-cert --port 25 aspmx.l.google.com
> Resolving 'aspmx.l.google.com'...
> Connecting to '2a00:1450:400c:c09::1a:25'...
>
> - Simple Client Mode:
>
> 220 mx.google.com ESMTP fu3si8792677wib.31 - gsmtp
> EHLO blah
> 250-mx.google.com at your service, [2001:610:158:98d::45]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> STARTTLS
> 220 2.0.0 Ready to start TLS
> *** Starting TLS handshake
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>  - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=mx.google.com',
>    issuer `C=US,O=Google Inc,CN=Google Internet Authority G2',
>    RSA key 2048 bits, signed using RSA-SHA1,
>    activated `2014-07-15 08:56:16 UTC', expires `2015-04-04 15:15:55 UTC',
>    SHA-1 fingerprint `2282b379696a721505f273fa1e6bbe36f0ba01e2'
>
> -----BEGIN CERTIFICATE-----
> MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
> BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
> cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
> WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
> TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
> Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXdZYG
>
> I'm looking for a way to avoid the interactive steps, so that it can
> be used in scripts.
>
> Background: I have a Nagios plugin that depends on the output of
> 'openssl s_client' to retrieve the certs, like this:
>
> visser@nagios:~$ openssl s_client -showcerts -starttls smtp -connect aspmx.l.google.com:25 < /dev/null 2>&1
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> -----BEGIN CERTIFICATE-----
> MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
> BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
> cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
> WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
> etc etc
>
> but for some reason 'openssl s_client' does not work with IPv6.
> The mail servers I want to connect to only run IPv6, so openssl fails.
>
> GnuTLS works with IPv6, the only thing left is a way to script it...
>
> Thanks!!
>
> --
> Dick Visser
> Sr. System & Networking Engineer
> GÉANT Association, Amsterdam Office (formerly TERENA)
> Singel 468D, 1017 AW Amsterdam, the Netherlands
> Tel: +31 (0) 20 530 4488
>
> GÉANT Association
> Networking. Services. People.
>
> Learn more at: http://www.géant.org
--
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT Association
Networking. Services. People.

Learn more at: http://www.géant.org
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
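The non-interactive cert retrieval the thread asks for, written as a standalone script rather than with gnutls-cli or openssl. This is an added example, not code from the thread or from GnuTLS: it drives the same exchange shown in the captured session (220 greeting, EHLO, multi-line 250 reply, STARTTLS, 220, TLS handshake) over a plain socket and then reads the leaf certificate the server presents. It uses only the Python standard library; `socket.create_connection()` resolves through `getaddrinfo()`, so IPv6-only mail servers work. The HELO name and the sample reply constant are constructed; the default target host is the one from the thread.

```python
"""Fetch the X.509 certificate an SMTP server presents after STARTTLS, non-interactively.

Added example for a monitoring check (not from the original thread). Standard
library only; works over IPv4 and IPv6 because create_connection() uses getaddrinfo().
"""
import hashlib
import io
import socket
import ssl
import sys

# Constructed sample: the EHLO reply captured in the thread, as bytes on the wire.
SAMPLE_EHLO_REPLY = (
    b"250-mx.google.com at your service, [2001:610:158:98d::45]\r\n"
    b"250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n"
    b"250 SMTPUTF8\r\n"
)


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line) and return (code, [text lines]).

    Continuation lines look like 'NNN-text'; the last line is 'NNN text' or just 'NNN'.
    """
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed while reading SMTP reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("inconsistent codes inside a multi-line reply")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines


def parse_reply_bytes(data):
    """Parse a captured reply held in memory (used for offline checks)."""
    return read_reply(io.BytesIO(data))


def ehlo_extensions(lines):
    """Map EHLO keywords (all lines after the greeting) to their parameter string."""
    exts = {}
    for line in lines[1:]:
        keyword, _, params = line.partition(" ")
        exts[keyword.upper()] = params
    return exts


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 fingerprint, as gnutls-cli/openssl print it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_starttls_cert(host, port=25, timeout=10.0, helo_name="monitor.example"):
    """Return (leaf_cert_der, ehlo_extensions) for an SMTP server offering STARTTLS."""
    # CERT_NONE on purpose: the check wants the certificate the server actually
    # presents even when the chain does not validate locally; the monitoring side
    # compares fingerprint/expiry itself. Never reuse this context for real mail.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError("unexpected greeting code %d" % code)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, lines = read_reply(rfile)
        if code != 250:
            raise RuntimeError("EHLO rejected with code %d" % code)
        exts = ehlo_extensions(lines)
        if "STARTTLS" not in exts:
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError("STARTTLS refused with code %d" % code)
        rfile.close()  # nothing follows the 220 until our ClientHello, so no buffered data is lost
        tls = ctx.wrap_socket(sock, server_hostname=host)
        der = tls.getpeercert(binary_form=True)
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return der, exts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "aspmx.l.google.com"
    der, exts = fetch_starttls_cert(target)
    print("EHLO extensions:", ", ".join(sorted(exts)))
    print("SHA-1 fingerprint:", sha1_fingerprint(der))
    print(ssl.DER_cert_to_PEM_cert(der), end="")
```

Run it as `python3 fetch_cert.py aspmx.l.google.com`; the PEM block on stdout is what a Nagios plugin would previously have scraped from `openssl s_client -showcerts`, and the fingerprint can be pinned in the check's configuration. Only the leaf certificate is returned by `getpeercert(binary_form=True)`; for the full chain you still need a TLS library that exposes it.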
