Last active
February 1, 2018 14:11
-
-
Save kacchan822/88257a7c522d95881a4adc2d1b7f0cf4 to your computer and use it in GitHub Desktop.
checker for Chrome distrusting Symantec certificates.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # This software is released under the MIT License. | |
| # http://opensource.org/licenses/mit-license.php | |
| import datetime | |
| import re | |
| import socket | |
| import ssl | |
| import sys | |
| timeout = 5 | |
| def get_cert(cn, port=443): | |
| """ | |
| return: dict | |
| {'OCSP': ('http://ocsp.int-x3.letsencrypt.org',), | |
| 'caIssuers': ('http://cert.int-x3.letsencrypt.org/',), | |
| 'issuer': ((('countryName', 'US'),), | |
| (('organizationName', "Let's Encrypt"),), | |
| (('commonName', "Let's Encrypt Authority X3"),)), | |
| 'notAfter': 'Mar 15 20:46:19 2018 GMT', | |
| 'notBefore': 'Dec 15 20:46:19 2017 GMT', | |
| 'serialNumber': '0467F6AD9DE0A1D776DC5688B22569094A49', | |
| 'subject': ((('commonName', 'ip.ksn.cloud'),),), | |
| 'subjectAltName': (('DNS', 'ip.ksn.cloud'), | |
| ('DNS', 'ip4.ksn.cloud'), | |
| ('DNS', 'ip6.ksn.cloud')), | |
| 'version': 3} | |
| """ | |
| context = ssl.create_default_context() | |
| try: | |
| with context.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM), | |
| server_hostname=cn) as conn: | |
| conn.settimeout(timeout) | |
| conn.connect((cn, port)) | |
| return conn.getpeercert() | |
| except ssl.CertificateError as e: | |
| print('Errorr:', e) | |
| sys.exit(1) | |
| def _conv_dt(datetime_string): | |
| cert_date_format = '%b %d %H:%M:%S %Y %Z' | |
| return datetime.datetime.strptime(datetime_string, cert_date_format) | |
| def _get_cert_datetime(cert): | |
| return _conv_dt(cert['notBefore']), _conv_dt(cert['notAfter']) | |
| def check_issuer(cert): | |
| if cert.get('issuer'): | |
| issuer = {key_val[0][0]: key_val[0][1] for key_val in cert.get('issuer')} | |
| else: | |
| issuer = {} | |
| issuer['checkFlag'] = True | |
| if re.match(r'(Symantec|GeoTrust)', issuer.get('organizationName', '')): | |
| issuer['checkFlag'] = False | |
| if re.match(r'RapidSSL', issuer.get('commonName', '')): | |
| issuer['checkFlag'] = False | |
| return issuer | |
| def check_cert_datetime(cert): | |
| start, end = _get_cert_datetime(cert) | |
| if start < datetime.datetime(2016, 6, 1, 0, 0, 0): | |
| flag = 1 | |
| msg = 'Cert was published at {}; before 2016-05-31.' | |
| elif (datetime.datetime(2016, 5, 31, 23, 59, 59) < start and | |
| start < datetime.datetime(2017, 12, 1, 0, 0, 0)): | |
| flag = 2 | |
| msg = 'Cert was published at {}; between 2016-06-01 and 2017-11-30.' | |
| else: | |
| flag = 0 | |
| msg = 'Cert was published at {}.' | |
| return flag, msg.format(str(start)) | |
| def main(cn): | |
| try: | |
| cn, port = cn.strip().split(':') | |
| except ValueError: | |
| cn = cn.strip() | |
| port = 443 | |
| cert = get_cert(cn, int(port)) | |
| issuer = check_issuer(cert) | |
| cert_datetime = check_cert_datetime(cert) | |
| cert_start, cert_end = _get_cert_datetime(cert) | |
| if not issuer['checkFlag']: | |
| if (cert_datetime[0] == 1 and | |
| cert_end > datetime.datetime(2016, 6, 1, 0, 0, 0)): | |
| state_msg = 'CRITICAL-1' | |
| elif (cert_datetime[0] == 2 and | |
| cert_end > datetime.datetime(2018, 9, 12, 23, 59, 59)): | |
| state_msg = 'CRITICAL-2' | |
| else: | |
| state_msg = 'WARNING' | |
| else: | |
| state_msg = 'OK' | |
| message = '[{: ^12}] {}: {} ({}, {})'.format( | |
| state_msg, cn, cert_datetime[1], issuer.get('organizationName', '-'), | |
| issuer.get('commonName', '-') | |
| ) | |
| return message | |
| if __name__ == '__main__': | |
| print(main(sys.argv[1])) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
output examples