
  1. #!/bin/sh
  2. # {{{ Variables
  3. RESULT=1
  4. CAPATH="/etc/ssl/certs"
  5. DATE_CHECK=0
  6. # }}}
# {{{ usage()
# Write the help text to stdout, one line per argument. Callers choose the
# exit status; this function only prints.
usage() {
  printf '%s\n' \
    "USAGE: $(basename "$0") [-t] -u URI" \
    'Options:' \
    '-u Specify the URI to check' \
    '-t Count and print the certificate expiration interval in days' \
    'URI Examples:' \
    '- tls+smtp://smtp.googlemail.com:submission' \
    '- tls+imap://imap.no-log.org:imap' \
    '- ssl://imap.free.fr:imaps' \
    '- ssl://pop.free.fr:pop3s' \
    '- tls+xmpp://jabber.org:xmpp-client' \
    '- ssl://www.google.com:https' \
    'Return:' \
    'print 0 on stdout if the certificate is valid' \
    'print 1 on stdout if the certificate is not valid' \
    'print the certificate expiration interval in days (only with option -t)'
}
# }}}
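# {{{ main()
# Option parsing. URI is initialised here so the emptiness test below does
# not depend on whatever the caller exported.
URI=
while getopts htu: option; do
  case "${option}" in
    h)
      usage
      exit 1
      ;;
    t)
      DATE_CHECK=1
      ;;
    u)
      URI="${OPTARG}"
      ;;
    *)
      # getopts has already reported the unknown option on stderr; stop here
      # instead of silently continuing with a half-parsed command line.
      usage >&2
      exit 1
      ;;
  esac
done
# stdout is the machine-readable channel (0 / 1 / days), so error-path help
# text goes to stderr.
if [ -z "${URI}" ]; then
  printf "Error: URI not found\n\n" >&2
  usage >&2
  exit 1
fi

# Split URI = (ssl|tls)[+proto]://host[:port] with parameter expansion.
# This used to be done by eval'ing a sed-generated assignment, which let any
# shell metacharacter in the URI (a command-line argument that may well come
# from a config file or a monitoring system) run as code. The accepted shape
# is the same as the old regex: layer ssl|tls, optional +proto, host and
# port without colons, port optional.
case "${URI}" in
  ssl://*|tls://*|ssl+?*://*|tls+?*://*) ;;
  *)
    printf "Error: invalid URI '%s'\n" "${URI}" >&2
    exit 1
    ;;
esac
scheme=${URI%%://*}        # ssl, tls, tls+smtp, ...
rest=${URI#*://}           # host or host:port
layer=${scheme%%+*}        # ssl | tls
proto=${scheme#"${layer}"}
proto=${proto#+}           # empty when no +proto was given
case "${rest}" in
  ''|:*|*:|*:*:*)
    # empty host, empty port after a colon, or more than one colon
    printf "Error: invalid URI '%s'\n" "${URI}" >&2
    exit 1
    ;;
esac
host=${rest%%:*}
port=${rest#*:}
if [ "${port}" = "${rest}" ]; then
  port=
fi

# Build the openssl argument list in "$@" so host and proto are passed as
# single words whatever they contain (no unquoted ${tls_opts} expansion).
set -- -CApath "${CAPATH}" -servername "${host}" -connect "${host}:${port}"
if [ "${layer}" = "tls" ] && [ -n "${proto}" ]; then
  set -- "$@" -starttls "${proto}"
fi

script_name=$(basename "$(readlink -f "$0")")
certs_data=$(mktemp -t "${script_name}-certs.XXXXXXXX") || exit 1
errors_log=$(mktemp -t "${script_name}-errors.XXXXXXXX") || {
  rm -f -- "${certs_data}"
  exit 1
}
# Remove the temporary files on every exit path, not only after success.
trap 'rm -f -- "${certs_data}" "${errors_log}"' EXIT

# s_client exits 0 even when chain verification fails, which is why the
# verify result is read from its output further down. Note that without
# -verify_hostname (OpenSSL >= 1.1) "Verify return code: 0" only means the
# chain is trusted, not that the certificate is issued for ${host}.
if ! openssl s_client "$@" -showcerts </dev/null 2>"${errors_log}" >"${certs_data}"; then
  printf "Error (openssl): %s\n" "$(head -n 2 "${errors_log}" | tr '\n' ',')" >&2
  exit 1
fi

if [ "${DATE_CHECK}" = 1 ]; then
  # openssl x509 works on the first PEM block of its input, i.e. the leaf
  # certificate as printed first by -showcerts. -enddate yields the same
  # "Mon DD HH:MM:SS YYYY GMT" string as the "Not After" line of -text.
  cert_enddate=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "${certs_data}" \
    | openssl x509 -noout -enddate 2>/dev/null | sed -n 's/^notAfter=//p')
  if [ -z "${cert_enddate}" ]; then
    printf "Error: unable to find certificate end date\n" >&2
    exit 1
  fi
  # GNU date. In -t mode only the interval is reported; the chain is not
  # verified, so a negative or zero day count is the only failure signal.
  if ! cert_enddate_seconds=$(date '+%s' --date "${cert_enddate}"); then
    printf "Error: unable to parse certificate end date '%s'\n" "${cert_enddate}" >&2
    exit 1
  fi
  now_seconds=$(date '+%s')
  # Integer division truncates toward zero (same result as /3600/24).
  RESULT=$(( (cert_enddate_seconds - now_seconds) / 86400 ))
else
  # Only "Verify return code: 0 (ok)" counts as valid; anything else, or a
  # missing line, leaves RESULT at its default of 1.
  return_code=$(sed -r -n 's/^\s*Verify return code: ([0-9]+) (.*)$/\1/p' "${certs_data}")
  if [ "${return_code}" = 0 ]; then
    RESULT=0
  fi
fi
# RESULT is always an integer here, but it is data, not a format string.
printf '%s\n' "${RESULT}"
exit 0
# }}}
# vim: foldmethod=marker foldlevel=0 foldenable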