On Mon, Jul 16, 2007 at 10:41:15AM -0500, Owen Crow wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
> 
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.

Yes, I've wanted to do this for a long time.  You just inspired me to
read the man pages and it looks pretty straightforward to use the
openssl command line:

   # download the certificate:
   openssl s_client -connect server.example.com:443 < /dev/null  > testme.pem

   # print out the expiration date:
   openssl x509 -noout -in testme.pem  -enddate

The output showing the expiration date looks like this:

   notAfter=Nov  3 18:58:34 1999 GMT

Which should be easy to feed to Date::Parse::str2time() to turn into a ctime.

> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.

The openssl command line man page says it also supports SMTP and POP
protocol for downloading certificates:

   openssl s_client -connect mail.example.com:25 -starttls smtp < /dev/null > testme.pem

Or "-starttls pop3" for a POP server.  No IMAP support, unfortunately.

Here's a possible starting point:

   sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN]
                   [--expirewarn NN] host [...]

Where the port number defaults to 443, and expirewarn defaults to 30 days
(i.e. alarm if the server's certificate expiration date is within 30 days).

Later on we could add bells and whistles to check the verification chain,
warn on self-signed certs, 

If you start the script I'll help you finish it.  I suggest writing it
in Perl since I know it'll have no problem parsing the expiration date
output.

_______________________________________________
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon
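The monitor sketched in the message above, written out as an added example (this is not the mon project's own script nor code from the thread). It chains the two openssl commands from the message, parses the `notAfter=` line, and alarms when the certificate is inside the `--expirewarn` window. The function names (`fetch_cert`, `notafter_epoch`, `days_left`, `judge`), the optional "now" argument used for offline testing, and the reliance on GNU `date -d` for parsing the timestamp are all assumptions of this example; the sample `notAfter` line is the one quoted in the message.

```shell
#!/bin/sh
# sslcert.monitor, constructed example of the monitor proposed on the list.
# Usage: sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN] [--expirewarn NN] host [...]
# Assumes: openssl on PATH, GNU date (for "date -d").

# fetch_cert HOST PORT PROTOCOL: print the server certificate (PEM) on stdout,
# using the same s_client / -starttls invocations shown in the message.
fetch_cert() {
    host=$1; port=$2; proto=$3
    case $proto in
        https) starttls="" ;;
        smtp)  starttls="-starttls smtp" ;;
        pop3)  starttls="-starttls pop3" ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    # $starttls is deliberately unquoted so it splits into two words (or none).
    openssl s_client -connect "$host:$port" $starttls < /dev/null 2>/dev/null
}

# notafter_epoch NOTAFTER_LINE: convert "notAfter=Nov  3 18:58:34 1999 GMT"
# (the output of openssl x509 -enddate) to seconds since the epoch.
notafter_epoch() {
    stamp=${1#notAfter=}
    date -u -d "$stamp" +%s
}

# days_left NOTAFTER_LINE [NOW_EPOCH]: whole days until expiry, negative once
# expired. NOW_EPOCH is an assumption of this example so the logic can be
# checked offline; it defaults to the current time.
days_left() {
    now=${2:-$(date +%s)}
    exp=$(notafter_epoch "$1") || return 1
    echo $(( (exp - now) / 86400 ))
}

# judge NOTAFTER_LINE EXPIREWARN [NOW_EPOCH]: print a verdict, return 0 when the
# certificate is fine and 1 when it is expired or expires within EXPIREWARN days.
judge() {
    left=$(days_left "$1" "${3:-}") || return 1
    when=${1#notAfter=}
    if [ "$left" -lt 0 ]; then
        echo "EXPIRED $(( -left )) days ago ($when)"; return 1
    elif [ "$left" -le "$2" ]; then
        echo "expires in $left days ($when)"; return 1
    fi
    echo "ok, $left days left ($when)"; return 0
}

main() {
    proto=https; port=443; warn=30   # defaults proposed in the message
    while [ $# -gt 0 ]; do
        case $1 in
            --protocol)   proto=$2; shift 2 ;;
            --port)       port=$2;  shift 2 ;;
            --expirewarn) warn=$2;  shift 2 ;;
            -*) echo "usage: sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN] [--expirewarn NN] host [...]" >&2; return 2 ;;
            *) break ;;
        esac
    done
    rc=0
    for host in "$@"; do
        # openssl x509 reads the first PEM block on stdin, so s_client's chatter is harmless.
        line=$(fetch_cert "$host" "$port" "$proto" | openssl x509 -noout -enddate 2>/dev/null)
        if [ -z "$line" ]; then
            echo "$host:$port: could not retrieve certificate"; rc=1; continue
        fi
        verdict=$(judge "$line" "$warn") || rc=1
        echo "$host:$port: $verdict"
    done
    return $rc
}

# Only act as a monitor when hosts are given; sourcing the file defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

An unreachable host or a bad handshake yields an empty `notAfter` line and is reported as a failure rather than silently passing, which is the behaviour a monitor wants. For name-based virtual hosts on a modern server, `openssl s_client` also needs `-servername "$host"` so the server presents the right certificate; it is left out here to stay with the commands quoted in the message.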