Script to get domain's SSL expiry date - bash

I want to create a bash script that takes a URL as an argument,
for example: ./scriptname https://domainame.com/
The current one works with domainname.com but not with the full URL.
I get this error when I try to enter the full URL:
unable to load certificate
140398535546784:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
This is the one I currently have:
#!/bin/bash
# $1 is expected to be a bare host name; quoted so a stray space cannot split it
echo | openssl s_client -connect "$1:443" 2> /dev/null | \
openssl x509 -noout -enddate | \
cut -d = -f 2

A quick fix is to cut the protocol and path parts out of the URL:
#!/bin/bash
NoProtocol="${1//https:\/\//}"   # strip a leading https://
DomainOnly="${NoProtocol%%/*}"   # keep everything up to the first slash

echo | openssl s_client -connect "${DomainOnly}:443" 2> /dev/null | \
openssl x509 -noout -enddate | \
cut -d = -f 2
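An added example (my own, not the question's or the answer's script) that accepts a bare host, host:port or a full URL, including ones with a userinfo part, an explicit port, a path or a query string, and reports the certificate's notAfter date together with the days left. The URL parsing and the date arithmetic are pure shell so they can be checked without a network; only fetch_notafter talks to the server, and it passes -servername so a host behind SNI-based virtual hosting returns its own certificate rather than the default one. Bracketed IPv6 literals are not handled. The function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not the original post's script. Runs under bash or dash.
set -eu

# url_to_hostport: "https://user@example.com:8443/path?q=1" -> "example.com:8443".
# Defaults to port 443 when none is given. Bracketed IPv6 literals are not handled.
url_to_hostport() {
  local s host port
  s=$1
  s=${s#*://}        # drop "scheme://" if present
  s=${s%%/*}         # drop the path
  s=${s%%\?*}        # drop a query string that follows the host directly
  s=${s##*@}         # drop userinfo
  host=${s%%:*}
  case $s in
    *:*) port=${s##*:} ;;
    *)   port=443 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "url_to_hostport: bad port in '$1'" >&2; return 1 ;;
  esac
  [ -n "$host" ] || { echo "url_to_hostport: no host in '$1'" >&2; return 1; }
  printf '%s:%s\n' "$host" "$port"
}

# days_from_civil Y M D: days since 1970-01-01 (proleptic Gregorian), integer maths only,
# so there is no dependence on GNU "date -d" versus BSD "date -j".
days_from_civil() {
  local y m d era yoe mp doy doe
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# notafter_to_days "Mar  1 12:00:00 2030 GMT" -> days since epoch of that calendar day.
# Takes exactly the string openssl x509 -enddate prints after "notAfter=".
notafter_to_days() {
  local m
  # shellcheck disable=SC2086  # word splitting on blanks is the point here
  set -- $1
  case $1 in
    Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
    Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) echo "notafter_to_days: unknown month '$1'" >&2; return 1 ;;
  esac
  days_from_civil "$4" "$m" "$2"
}

# fetch_notafter HOST PORT: ask the server for its certificate (network). SNI via -servername.
fetch_notafter() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate | cut -d= -f2
}

# check_url URL: print "host:port notAfter=<date> days_left=<n>"; returns 2 if already expired.
check_url() {
  local hp host port notafter expires today left
  hp=$(url_to_hostport "$1") || return 1
  host=${hp%:*}; port=${hp#*:}
  notafter=$(fetch_notafter "$host" "$port")
  [ -n "$notafter" ] || { echo "$hp: no certificate returned" >&2; return 1; }
  expires=$(notafter_to_days "$notafter") || return 1
  today=$(( $(date +%s) / 86400 ))
  left=$((expires - today))
  printf '%s notAfter=%s days_left=%d\n' "$hp" "$notafter" "$left"
  if [ "$left" -lt 0 ]; then return 2; fi
}

# Usage: ./sslexpiry.sh https://domainame.com/ example.org:8443 ...
if [ $# -gt 0 ]; then
  rc=0
  for u in "$@"; do check_url "$u" || rc=$?; done
  exit "$rc"
fi
```

The non-zero exit status for an expired certificate is what makes this usable from cron or a monitoring check; the date arithmetic is Howard Hinnant's days-from-civil formula, which is why it needs nothing beyond shell integer expansion.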

Related

openssl sha256 binary digest piped through xxd -p is output on multiple lines

I use this command to give me the output from openssl without the (stdin)= at the beginning.
openssl x509 -noout -modulus -in certfile.crt | openssl sha1 -binary | xxd -p
with output
7857b35259019acc7484201958ac7e622c227b68
If I change openssl to create a sha256 digest, xxd prints it over two lines
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -binary | xxd -p
with output
b274c19ac31cc7893dc2297804a2ca666fe168d5cd5eb4d4b6c47616bad9
8996
How can I write that output on one line?
b274c19ac31cc7893dc2297804a2ca666fe168d5cd5eb4d4b6c47616bad98996
Is it something else I have to do with xxd now that the digest is longer or is there a need to pipe it through some other command to get the combined output?
As usual there are several ways.
The first general solution that came to mind is this:
printf "%s" $( openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -binary | xxd -p )
Of course, if the output is less than 256, you could use xxd -p -c 256 as stated by tshiono.
Another solution for this special case with openssl would be this:
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -r
or
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -hex
but both are not exactly like the output you want. The hex string is in the output, but padded before or after, which can be cut off by piping to the command cut -d" " -f 1 or cut -d" " -f 2 to remove the prefix or postfix.
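An added example (mine, not the answer's commands) showing the two ways I would get the digest onto one line: hex_oneline turns any binary stream into lower-case hex with od, which exists on every POSIX system and has no per-line column limit, and modulus_sha256 lets openssl print the hex itself and keeps only the last field, which copes with the prefix differing between versions ("(stdin)= " in 1.1, "SHA2-256(stdin)= " in 3.x). The function names and the byte strings in the test are my own constructions.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer. Runs under bash or dash.
set -eu

# hex_oneline: binary on stdin -> one line of lower-case hex, whatever the length.
# od prints "00 ff 10"-style columns (-v keeps repeated lines instead of printing "*");
# tr removes the separators and line breaks, echo terminates the single line.
hex_oneline() {
  od -An -v -tx1 | tr -d ' \n'
  echo
}

# digest_hex ALGO: hash stdin with openssl's binary output and hex-encode it on one line.
digest_hex() {
  openssl "$1" -binary | hex_oneline
}

# modulus_sha256 CERT: SHA-256 of the RSA modulus text, as in the question, on one line.
# Taking the last field of openssl's own hex output drops the "(stdin)= " prefix
# regardless of how the installed OpenSSL version spells it.
modulus_sha256() {
  openssl x509 -noout -modulus -in "$1" | openssl sha256 | awk '{ print $NF }'
}

# Usage: ./modulus_hash.sh certfile.crt
if [ $# -gt 0 ]; then
  modulus_sha256 "$1"
fi
```

The od route is the one to reach for in a portable script, since xxd ships with vim rather than with the base system.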

Verify SSL certificate against various CRL files

I am given multiple certificate files, e.g. "cert1.crt", "cert2.crt" etc., and multiple CRL lists, "list1.crl", "list2.crl" etc. No root CA or any other type of files are provided. My task is to find out which certificates have NOT been revoked. Despite an extensive search for a "verification" command I failed to find any command or procedure that would give me at least a clue. In the end, I managed some bash script aerobatics which let me manually test the serial number for each .crt file:
for ((i=1; i<9; i++))
do
    echo "$i"
    fileIn="crl$i.crl"
    # serial is manually copied and pasted from each .crt file
    serial="1319447396"
    OUTPUT="$(openssl crl -in "$fileIn" -noout -text | grep "$serial")"
    echo "$OUTPUT"
done
This way I could do it manually one at a time, but it will work only for a small number of files (9 at present). With tens of files it would get tiresome and ineffective; with 100+ it would be impossible to do it like this.
I was wondering whether there is a "smart" way to validate a .crt against a .crl? Or at least, is there a way to bash script the job so I wouldn't have to check each .crt manually? Right now it's way beyond my scripting knowledge.
So, in pseudo, I would be thrilled if something like this existed:
openssl x509 -verify cert1.cert -crl_list list8.crl
In general, yes, each certificate is checked against a CRL, as is detailed in this guide.
But actually, each CRL is a simple list of revoked certificate serial numbers.
The list contained in a CRL can be expanded with:
openssl crl -inform DER -text -noout -in mycrl.crl
assuming the CRL is in DER form (adapt as needed).
Expand each (all) CRL to a text file, like:
openssl crl -inform DER -text -noout -in mycrl.crl > mycrl.crl.txt
The output file could be reduced to only the Serial Number: lines.
Get the Serial Number from the text expansion of a cert:
mycrt=$(openssl x509 -in mycrt.com.crt -serial -noout)
mycrt=${mycrt#*=}
grep the serial number in all text files from step one (if one matches, the cert is revoked) in one call to grep:
if grep -lx "$mycrt" *.crl.txt 2>/dev/null; then
echo "the certificate has been revoked"
fi
Full script:
#!/bin/bash
# Create (if they don't exist) files for all the CRLs given, one serial per line.
for crl in *.crl; do
    if [[ ! -e "$crl.txt" ]]; then
        openssl crl -inform DER -text -noout -in "$crl" |
            awk -F ': ' '/Serial Number:/{print $2}' > "$crl.txt"
    fi
done
# Process all certificates
for crt in *.crt; do
    mycrt=$(openssl x509 -in "$crt" -serial -noout)
    mycrt=${mycrt#*=}
    # -x matches whole lines only, so serial 12AB cannot match inside 12ABCD
    if grep -lx "$mycrt" *.crl.txt; then
        echo "Certificate $crt has been revoked"
    fi
done
I finally managed to solve this in a way that's maybe not optimal, but requires much less bash knowledge. Here is my script:
#!/bin/bash
for ((j=1; j<10; j++))
do
    indicator=0
    cert="cert$j.crt"
    # hex serial taken from the "(0x...)" part of the Serial Number line;
    # this form is only printed for short serials
    SERIAL="$(openssl x509 -noout -text -in "$cert" | grep Serial | cut -d 'x' -f 2 | cut -d ')' -f 1)"
    for ((i=1; i<9; i++))
    do
        infile="crl$i.crl"
        # -i because x509 -text prints the hex in lower case and crl -text in upper case
        OUTPUT="$(openssl crl -inform DER -in "$infile" -noout -text | grep -i "$SERIAL")"
        # quoted: an unquoted empty $OUTPUT makes [ -n ] always true
        if [ -n "$OUTPUT" ]
        then ((indicator++))
        fi
    done
    echo "$cert"
    if [ "$indicator" -eq 0 ]
    then echo "not revoked"
    else echo "revoked"
    fi
done

Getting the SSL certificate fingerprint of smtp.gmail.com

I don't understand why this command is failing:
openssl s_client -connect smtp.gmail.com:587 -starttls smtp < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d'=' -f2
I am trying to initiate a TLS smtp session with the smtp server of Gmail and then redirect the output of the console to the x509 function in order to extract the fingerprint.
Here is what I get when I run the command without filtering the errors:
$ openssl s_client -connect smtp.gmail.com:587 -starttls smtp < /dev/null
connect: Bad file number
connect:errno=9
What am I doing wrong?
There is a firewall upstream of my connection which seems to block my query.
Adding torify at the beginning of the command (I have Tor installed on my computer) solved the issue.
user#home:~$ torify openssl s_client -connect smtp.gmail.com:587 -starttls smtp < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout | cut -d'=' -f2
D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60
The above sample works perfectly with :25 also.
openssl s_client -connect some.smtp.host:25 -starttls smtp < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout | cut -d'=' -f2

error:0906D06C:PEM routines:PEM_read_bio:......o/pem/pem_lib.c:637:Expecting: TRUSTED CERTIFICATE

We were able to connect but it's not fetching the cert details:
$ bash-3.2# echo | openssl s_client -host $h -port $p 2>/dev/null
CONNECTED(00000005)
$
Any idea why it's not fetching the cert details?
Try this:
openssl s_client -connect hostname:443 -servername hostname 2>/dev/null | openssl x509 -noout -enddate
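An added example (mine, not from either of the two threads above) that separates the two stages the failing commands run together: get_leaf_cert asks the server for its chain, with -servername for SNI and an optional -starttls protocol, and keeps only the first PEM block, which is the server's own certificate; pem_fingerprint hashes it. If the handshake never produced a certificate (the CONNECTED line alone, as in the second question), the script stops with a readable message instead of feeding an empty stream to openssl x509 and getting the "no start line" error. The fake s_client output in the test is constructed; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not the posters' command lines. Runs under bash or dash.
set -eu

# first_pem_cert: from s_client output on stdin, print only the first certificate block
# (the leaf). Prints nothing if no block is present.
first_pem_cert() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
  sed '/^-----END CERTIFICATE-----$/q'
}

# get_leaf_cert HOST PORT [STARTTLS-PROTO]: fetch the leaf certificate as PEM (network).
# Fails with a message when the server closed the connection before sending a certificate.
get_leaf_cert() {
  local host port proto pem
  host=$1; port=$2; proto=${3:-}
  pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
          ${proto:+-starttls "$proto"} </dev/null 2>/dev/null | first_pem_cert)
  if [ -z "$pem" ]; then
    echo "get_leaf_cert: no certificate from $host:$port${proto:+ (starttls $proto)}: handshake failed, wrong port, or wrong protocol?" >&2
    return 1
  fi
  printf '%s\n' "$pem"
}

# pem_fingerprint [ALGO]: PEM on stdin -> colon-separated hex fingerprint (default SHA-256).
pem_fingerprint() {
  openssl x509 -noout -fingerprint -"${1:-sha256}" | cut -d= -f2
}

# norm_fp FP: "d3:7c:82" -> "D37C82" so fingerprints can be compared however they were written.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprint_matches HOST PORT EXPECTED [PROTO]: 0 when the live leaf fingerprint equals
# EXPECTED; the building block for a pin check in a monitoring job.
fingerprint_matches() {
  local live
  live=$(get_leaf_cert "$1" "$2" "${4:-}" | pem_fingerprint) || return 1
  [ "$(norm_fp "$live")" = "$(norm_fp "$3")" ]
}

# Usage: ./tlsfp.sh smtp.gmail.com 587 smtp      (STARTTLS)
#        ./tlsfp.sh example.com 443              (plain TLS)
if [ $# -ge 2 ]; then
  get_leaf_cert "$1" "$2" "${3:-}" | pem_fingerprint
fi
```

SHA-256 is the default here because SHA-1 fingerprints, as printed by a bare -fingerprint, are what most tooling has moved away from; pass sha1 as the argument if an older pin has to be compared.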

BASH variable timeout if not acquired in X time

Hey guys, I am trying to figure out a way to time out a variable assignment if it takes longer than X seconds to get its contents; this is based on touching a server to verify it has SSL. If the server doesn't respond in X seconds I would like to just set the variable as empty (or set some other flag if possible).
What I am using is
response=$(echo ^D |openssl s_client -connect "${line}:443" 2> /dev/null |openssl x509 -noout -hash |grep -E '^[[:xdigit:]]{8}')
where $line is baidu.com for now.
I tried something like this
( cmdpid=$BASHPID;
( sleep 10; kill $cmdpid; echo -e "\n\t$line missed window, terminating...\n"
) & exec response=$(echo ^D |openssl s_client -connect ${line}:443 2> /dev/null |openssl x509 -noout -hash |grep -E '^[[:xdigit:]]{8}')
)
But I realized several issues, such as A) I am in a subshell and cannot get my variable out, B) I am trying to run response=#hash and it returns errors, etc.
What would be the best way to run a timeout on capturing my variable?
Thanks
IFS= read -t 10 -d '' variable < <(yourcommand)
e.g.
IFS= read -t 10 -d '' response < <(echo ^D |openssl s_client -connect "${line}:443" 2> /dev/null |openssl x509 -noout -hash |grep -E '^[[:xdigit:]]{8}')
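An added example (mine, not the question's or the answer's code) that wraps the read -t technique in a function with three distinct outcomes: output captured, timed out (status 124, and the stuck producer is killed), or the command produced nothing. It feeds s_client from /dev/null rather than piping echo ^D into it, since echo ^D sends the two characters ^ and D rather than an end-of-file, and passes -servername so SNI hosts return the right certificate. bash is required for read -t and the process substitution; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not the question's or the answer's code. bash only.
set -eu

# read_with_timeout SECS CMD [ARGS...]
# Runs CMD and captures its stdout in REPLY_OUT, giving up after SECS seconds.
# Returns 0 on success, 124 on timeout (REPLY_OUT is then empty), 1 if CMD produced nothing.
read_with_timeout() {
  local secs=$1 rc=0 producer
  shift
  REPLY_OUT=''
  # -d '' reads up to a NUL, i.e. the whole stream; -t is the deadline. The producer runs in
  # a process substitution, so the assignment happens in this shell, not in a subshell.
  IFS= read -r -t "$secs" -d '' REPLY_OUT < <("$@" 2>/dev/null) || rc=$?
  producer=$!                     # pid of the process substitution
  if (( rc > 128 )); then         # read reports a timeout with a status above 128
    kill "$producer" 2>/dev/null || true
    REPLY_OUT=''
    return 124
  fi
  # read -d '' returns 1 at EOF even though it collected the data; that is the normal case.
  while [[ $REPLY_OUT == *$'\n' ]]; do REPLY_OUT=${REPLY_OUT%$'\n'}; done
  [[ -n $REPLY_OUT ]]
}

# cert_hash HOST: the subject-hash line the question greps for (network).
cert_hash() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -hash | grep -E '^[[:xdigit:]]{8}'
}

# Usage: ./hashwithtimeout.sh baidu.com example.com ...
if (( $# > 0 )); then
  for line in "$@"; do
    rc=0
    read_with_timeout 10 cert_hash "$line" || rc=$?
    case $rc in
      0)   echo "$line $REPLY_OUT" ;;
      124) echo "$line missed window, terminating" >&2 ;;
      *)   echo "$line no certificate" >&2 ;;
    esac
  done
fi
```

Killing the producer matters when the target silently drops packets: s_client would otherwise sit in connect() until the kernel gives up, long after the loop has moved on.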
