@qbi
Created September 6, 2011 21:55
Get the fingerprint of an SSL connection via SSH from different hosts
#!/bin/zsh -fuC
# Get the fingerprint of an SSL connection via SSH from different hosts to check
# that it is the same from everywhere, i.e. there is either no man in the
# middle or the same one everywhere.
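# Local port that ssh -L binds (on the loopback interface) in -l mode and
# that the local openssl connects to; it must be free on this machine, and
# ExitOnForwardFailure below reports it when it is not. Pre-setting
# ssh_local_port in the environment overrides the default.
ssh_local_port=${ssh_local_port:-13724}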
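#######################################
# Print one host's certificate fingerprint and compare it with the reference.
# The first non-empty fingerprint seen becomes the reference; every later
# fingerprint that differs from it is printed in bold so a deviating host
# stands out. (If the reference host is the one being intercepted, all the
# other hosts are the ones shown in bold.)
# Globals:   master_fp (read; written once, by the first call that carries
#            a fingerprint)
# Arguments: $1 - fingerprint line as printed by `openssl x509 -fingerprint`;
#                 may be empty or missing when the lookup failed
# Outputs:   the fingerprint, or a bold marker when none was supplied, on stdout
# Returns:   0, or 1 when no fingerprint was supplied
#######################################
process_fp()
{
  local fp=${1:-}
  if [[ -z $fp ]]
  then
    # A failed lookup must never become the reference, and a missing
    # argument must not abort the whole run under -u.
    printf '\033[1m%s\033[0m\n' 'no fingerprint obtained'
    return 1
  fi
  # The right-hand side is quoted so the fingerprint is compared literally
  # rather than as a glob pattern.
  if [[ -n ${master_fp:-} && $master_fp != "$fp" ]]
  then
    printf '\033[1m%s\033[0m\n' "$fp"
  else
    printf '%s\n' "$fp"
  fi
  if [[ -z ${master_fp:-} ]]
  then
    master_fp=$fp
  fi
  return 0
}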
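# -l/--local-openssl: forward the TLS port through each ssh host and run
# openssl here; otherwise openssl is run on the remote host itself.
# ${1:-} keeps a missing argument from tripping -u before usage is shown.
if [[ ${1:-} == (-l|--local-openssl) ]]
then
  local_openssl=true
  shift
else
  local_openssl=false
fi
if (( $# < 2 ))
then
  printf '%s\n' "usage: ${0:t} [-l|--local-openssl] host[:port] ssh-host ..." >&2
  exit 2
fi
dest=$1
shift
hosts=( "$@" )
# Default to the HTTPS port. NOTE(review): a bare IPv6 literal already
# contains ':' and so never gets a port appended here.
if [[ $dest != *:* ]]
then
  dest+=:443
fi
# NOTE(review): neither openssl s_client call below sends an SNI name
# (-servername), so a server that selects its certificate by SNI presents
# its default certificate, which may not be the one for $dest — confirm
# that is the certificate you mean to compare across hosts.
if $local_openssl
then
  sock_dir=$(mktemp -d) || exit 1
  # Close every control master still alive, then remove the socket
  # directory. The socket file is named after the ssh host (see ssh_socket
  # below) and that host is passed again, since ssh -O exit refuses to run
  # without a destination. KILL cannot be trapped, so it is not listed.
  trap 'for i in "$sock_dir"/*(N); do ssh -S "$i" -O exit "${i:t}" 2>/dev/null; done; rm -r -- "${sock_dir:?}"' EXIT INT TERM
  for host in "${hosts[@]}"
  do
    ssh_socket=$sock_dir/$host
    # -M makes this ssh the control master regardless of the ControlMaster
    # setting in ssh_config; with the default (no) and only -S, no socket is
    # created and the backgrounded ssh could never be told to exit.
    # ExitOnForwardFailure turns a busy local port into a failed connection.
    if ssh -M -S "$ssh_socket" -NTf -o ExitOnForwardFailure=yes \
        -L "${ssh_local_port}:${dest}" "$host"
    then
      # Best effort: an empty $out means no fingerprint could be read.
      out=$(openssl s_client -connect "localhost:${ssh_local_port}" \
            </dev/null 2>/dev/null \
            | openssl x509 -fingerprint -noout \
            || true)
      ssh -S "$ssh_socket" -O exit "$host" 2>/dev/null
      printf '%s: ' "$host"
      process_fp "$out"
    else
      printf '%s\n' "connection to $host via ssh failed" >&2
    fi
  done
else
  for host in "${hosts[@]}"
  do
    # The escaped redirection and pipe are parsed by the remote shell;
    # -n gives s_client an empty stdin so it returns after the handshake.
    # Best effort: an empty $out means no fingerprint could be read.
    out=$(ssh -n "$host" openssl s_client -connect "$dest" 2\>/dev/null \
          \| openssl x509 -fingerprint -noout \
          || true)
    printf '%s: ' "$host"
    process_fp "$out"
  done
fi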