A script to help check SSL cert SHA1 vs SHA2 validity
#!/usr/bin/env ruby | |
require 'open3'
require 'time'
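# Print usage and stop when no hostname was given. Without the exit the
# script carried on and ran openssl against ":443".
if ARGV[0].to_s.empty?
  puts <<-USAGE
Outputs info & warnings that try to help determine if Chrome, Firefox, or IE might display SHA1-related warnings about your the certificates for a given domain.
Usage: #{__FILE__} hostname [-v|--tabs]
Examples:
  #{__FILE__} www.google.com
  #{__FILE__} www.ssllabs.com -v
  #{__FILE__} www.sslshopper.com --tabs
Resources:
  * http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
  * https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
  * http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
  USAGE
  exit 1
end

# Hostnames are case-insensitive, so downcase before filtering: the previous
# lowercase-only whitelist silently mangled "WWW.Example.com". Only DNS label
# characters (letters, digits, '-' and '.') survive.
hostname = ARGV[0].to_s.downcase.gsub(/[^a-z0-9.-]/, '')
verbose = ARGV[1] == '-v'
tsv = ARGV[1] == '--tabs'
puts "Checking: #{hostname}" unless tsv

# Run openssl as an argv array (no shell) so the hostname is passed as data,
# never as shell syntax. -servername sends SNI so a virtual-hosted server
# returns the certificate for this name rather than its default one. stdin is
# closed immediately (what `< /dev/null` did) so s_client exits after the
# handshake, and stderr is discarded as before.
full_openssl_output, _status = Open3.capture2(
  'openssl', 's_client', '-showcerts',
  '-servername', hostname, '-connect', "#{hostname}:443",
  stdin_data: '', err: File::NULL
)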
class String
  # Terminal colouring helpers for the report output.

  # Wraps the receiver in an ANSI SGR escape sequence.
  #
  # @param color_code [String, Symbol, Integer] a colour name ('red', 'green',
  #   'yellow', 'blue'), 'none' for an uncoloured copy, or a raw SGR number;
  #   any other value is coerced with #to_i
  # @return [String] a new String; the receiver is left untouched
  def colorize(color_code)
    name = color_code.to_s
    return dup if name == 'none'

    named = { 'red' => 31, 'green' => 32, 'yellow' => 33, 'blue' => 34 }
    sgr = named.fetch(name) { name.to_i }
    "\e[#{sgr}m#{self}\e[0m"
  end

  # @return [String] the receiver coloured red
  def red
    colorize('red')
  end

  # @return [String] the receiver coloured yellow
  def yellow
    colorize('yellow')
  end

  # @return [String] the receiver coloured blue
  def blue
    colorize('blue')
  end
end
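# Split the s_client transcript into individual PEM blocks. Only lines between
# a BEGIN marker and its matching END marker are collected, so a stray END
# marker can no longer push an empty string that the x509 parsing below would
# choke on.
certs = []
pem = nil # buffer for the PEM block currently being read; nil outside one
full_openssl_output.each_line do |line|
  pem ||= ''.dup if line =~ /-BEGIN CERTIFICATE-/
  next if pem.nil?

  pem << line
  next unless line =~ /-END CERTIFICATE-/

  certs << pem
  pem = nil
end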
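# Extracts the value of the first "Label: value" line from `openssl x509 -text`
# output. Returns nil when the label is missing so the caller can treat the
# certificate as unparseable instead of failing with NoMethodError on nil.
def x509_field(details, label)
  line = details.find { |l| l.include?(label) }
  line && line.sub(/\A[^:]*:\s*/, '')
end

# Assume the best
all_good = true
server_expires = nil

# Browser SHA-1 sunset cut-offs (see the resources in the usage text): a SHA-1
# cert expiring during 2016 draws a warning, one expiring in 2017 or later an
# error. Parsed once here rather than on every iteration.
sha1_warn_from = Time.parse('2016-01-01 00:00:00')
sha1_error_from = Time.parse('2017-01-01 00:00:00')

certs.each_with_index do |cert, cert_index|
  heading = cert_index == 0 ? 'Server Cert:' : "Chain Cert #{cert_index}:"
  puts heading unless tsv

  # The PEM block was received from the remote server, so hand it to openssl
  # on stdin instead of interpolating it into a shell command line.
  text, status = Open3.capture2('openssl', 'x509', '-text', stdin_data: cert)
  cert_details = text.split("\n")
  puts cert_details.join("\n") if verbose

  subject   = x509_field(cert_details, 'Subject:')
  issuer    = x509_field(cert_details, 'Issuer:')
  sig_algo  = x509_field(cert_details, 'Signature Algorithm:')
  not_after = x509_field(cert_details, 'Not After :')
  unless status.success? && subject && issuer && sig_algo && not_after
    # An unparseable certificate counts against the host; report it and move
    # on rather than aborting the whole run.
    warn "Could not parse certificate #{cert_index} for #{hostname}"
    all_good = false
    next
  end

  expires = Time.parse(not_after)
  server_expires = expires if cert_index == 0

  # Case-insensitive on purpose: openssl prints "sha256WithRSAEncryption" but
  # "ecdsa-with-SHA256", and the lowercase-only /sha256/ flagged every ECDSA
  # cert as SHA-1. SHA-384/512 signatures are equally fine.
  sig_color =
    if sig_algo =~ /sha(256|384|512)/i
      'green'
    elsif cert == certs.last && sig_algo =~ /sha1/i
      'blue' # browsers ignore SHA-1 on root (trust anchor) certs
    elsif expires >= sha1_error_from
      all_good = false
      'red'
    elsif expires >= sha1_warn_from
      all_good = false
      'yellow'
    else
      'blue'
    end

  # A chain cert that expires before the leaf silently shortens the leaf's
  # useful life. server_expires is nil if the leaf itself could not be parsed.
  exp_color =
    if cert_index != 0 && server_expires && expires < server_expires
      'red'
    else
      'green'
    end

  if tsv
    row = [
      hostname, cert_index,
      subject.split(', ').last, issuer.split(', ').last,
      sig_algo, sig_color,
      not_after, exp_color
    ]
    # Spreadsheet formulas pointing at the external checkers, leaf row only.
    if cert_index == 0
      row.concat([
        %Q|=HYPERLINK("https://www.sslshopper.com/ssl-checker.html#hostname=#{hostname}", "SSLShopper")|,
        %Q|=HYPERLINK("https://www.ssllabs.com/ssltest/analyze.html?d=#{hostname}", "SSL Labs")|,
        %Q|=HYPERLINK("https://shaaaaaaaaaaaaa.com/check/#{hostname}", "Shaaaaaaa")|
      ])
    end
    puts row.join("\t")
  else
    puts <<-OUT
Subject: #{subject}
Issuer: #{issuer}
#{"Signature Algorithm: #{sig_algo}".colorize(sig_color)}
#{"Not Valid After: #{not_after}".colorize(exp_color)}
    OUT
  end
end

puts <<-OUT unless tsv
Test Tools:
  SSLShopper: https://www.sslshopper.com/ssl-checker.html#hostname=#{hostname}
  SSL Labs : https://www.ssllabs.com/ssltest/analyze.html?d=#{hostname}
  Shaaaaaaaa: https://shaaaaaaaaaaaaa.com/check/#{hostname}
OUT

# Non-zero exit lets batch callers detect a host with SHA-1 trouble.
exit 1 unless all_good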
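#!/usr/bin/env bash
# Usage:
#   ./active_haiku_domains.sh | pbcopy
# Then paste the results into your spreadsheet app of choice
#
# Each domain is checked independently. The checker exits non-zero for a host
# with SHA-1 trouble, so deliberately no `set -e`: one bad host must not stop
# the batch.

# Locate the checker next to this script instead of relying on the cwd.
checker="$(dirname "$0")/ssl_cert_sha256_check.rb"

domains=(
  eclass.bethanycs.net
  haiku.emhs.net
  classes.laurelschool.org
  eclass.sp-apostle.org
  courses.onlineschoolforgirls.org
  www.saddlespace.org
  education.moma.org
  www.digitalroberto.com
  mysfhs.stfrancishs.org
  wolfden.sfchs.org
  www.rusdlearns.net
  oconline.ocde.us
  www.cicerolearning.com
  haiku.madeira.org
  courses.globalonlineacademy.org
  classes.landryacademy.com
  haiku.acdsnet.org
  classes.hockaday.org
  lms.wasatchacademy.org
  lms.rbusd.org
  education.joniandfriends.org
  haiku.lawrenceville.org
  haiku.roxburylatin.org
  hallways.lauraltonhall.org
  lms.lwsd.org
  haiku.york.org
  haiku.nvnet.org
  learn.caoclink.org
  haiku.kent-school.edu
  learn.globalcities.org
  haiku.stalbansschool.org
  haiku.rsgc.on.ca
  haiku.unishanoi.org
  haiku.greateratlantachristian.org
  haiku.nido.cl
  haiku.menloschool.org
)

for domain in "${domains[@]}"; do
  ruby "$checker" "$domain" --tabs
done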