cert_checker 0.1.2 → 0.1.3
- checksums.yaml +5 -5
- data/Gemfile.lock +2 -2
- data/README.md +13 -10
- data/exe/cert_checker +5 -4
- data/lib/cert_checker.rb +12 -6
- data/lib/cert_checker/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 13a2dc5bb17b514adfcb06421ac83c4ac597b7b5051a66f76c1fcf53a9b57063
|
4
|
+
data.tar.gz: 699da8c4394c5797e95a0e913541af5a979bc84a0e62ca082aec1a2378b3dc81
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: feb368b6d8e1db85ecbb11aa4ddf2c52d3a9e22b775d4488f90a2c0d49986a1a30d90f9349353bd6a52ee3cb01d6b80a1f2bf59c3b4f032f5648a7b1b2861b81
|
7
|
+
data.tar.gz: 36d507330fae5fb8684dcfa26e524f90bf526c431ac3d6eba3ca13b882bebcab98d5e9b62df5f0ac2177be302aa133cc6231d10bf039a7a2aa2f4c0dd4f3dd23
|
data/Gemfile.lock
CHANGED
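--- a/data/README.md
+++ b/data/README.md
@@ -25,9 +25,12 @@ cert_checker [-d domain_or_ip] [-f hosts_file]
 ### Examples
 
 ```
-$ cert_checker -d taobao.com -d xjz.pw
-ok taobao.com GlobalSign nv-sa 2019-11-13 344 days
-ok xjz.pw Let's Encrypt 2019-02-18 76 days
+$ cert_checker -d taobao.com -d xjz.pw -d slack.com -d asdf.com
+ok taobao.com GlobalSign nv-sa 2019-11-13 344 days (http/1.1)
+ok xjz.pw Let's Encrypt 2019-02-18 76 days (http/1.1)
+ok slack.com DigiCert Inc 2021-02-12 714 days (h2)
+ok asdf.com Let's Encrypt 2019-04-08 38 days (No ALPN)
+
 
 $ cat >> myhosts <<EOF
 # A
@@ -39,9 +42,9 @@ jd.com
 EOF
 
 $ cert_checker -f myhosts
-ok xjz.pw Let's Encrypt 2019-02-18 76 days
-ok taobao.com GlobalSign nv-sa 2019-11-13 344 days
-ok jd.com GlobalSign nv-sa 2019-09-28 298 days
+ok xjz.pw Let's Encrypt 2019-02-18 76 days (http/1.1)
+ok taobao.com GlobalSign nv-sa 2019-11-13 344 days (http/1.1)
+ok jd.com GlobalSign nv-sa 2019-09-28 298 days (http/1.1)
 ```
 
 ## Code Usage
@@ -49,11 +52,11 @@ ok jd.com GlobalSign nv-sa 2019-09-
 ```
 require 'cert_checker'
 
-status, host, issuer, expired, desc = CertChecker.check('taobao.com')
+status, host, issuer, expired, desc, alpn_protocol = CertChecker.check('taobao.com')
 
 # Other port and timeout
 port = 443 # default
-status, host, issuer, expired, desc = CertChecker.check('taobao.com', port, timeout: 5)
+status, host, issuer, expired, desc, alpn_protocol = CertChecker.check('taobao.com', port, timeout: 5)
 ```
 
 **Add your root cert**
@@ -62,7 +65,7 @@ status, host, issuer, expired, desc = CertChecker.check('taobao.com', port, time
 CertChecker.cert_store.add_cert(root_ca)
 
 # It will trust certs which signed by this root ca
-status, host, issuer, expired, desc = CertChecker.check('mydomain.com', port, timeout: 3)
+status, host, issuer, expired, desc, alpn_protocol = CertChecker.check('mydomain.com', port, timeout: 3)
 ```
 
 **Multiple cert store instance**
@@ -73,7 +76,7 @@ class MyChecker
 end
 
 MyChecker.cert_store.add_cert(root_ca)
-status, host, issuer, expired, desc = MyChecker.check('mydomain.com', port, timeout: 3)
+status, host, issuer, expired, desc, alpn_protocol = MyChecker.check('mydomain.com', port, timeout: 3)
 ```
 
 ## All Status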
data/exe/cert_checker
CHANGED
@@ -29,14 +29,15 @@ end
|
|
29
29
|
|
30
30
|
puts parser.help if hosts.empty?
|
31
31
|
|
32
|
-
format = "%-14s %-35s %-20s %10s %s"
|
32
|
+
format = "%-14s %-35s %-20s %10s %s (%s)"
|
33
33
|
hosts.each do |host|
|
34
34
|
begin
|
35
|
-
status, host, issuer, expired, desc = CertChecker.check(host)
|
35
|
+
status, host, issuer, expired, desc, alpn_protocol = CertChecker.check(host)
|
36
36
|
expired = expired.strftime('%F') if expired
|
37
37
|
desc = desc.to_s + ' days' if desc.to_s =~ /^\d+$/
|
38
|
-
|
38
|
+
alpn_protocol ||= 'No ALPN'
|
39
|
+
puts format % [status, host, issuer, expired, desc, alpn_protocol]
|
39
40
|
rescue CertChecker::Error => e
|
40
|
-
puts format % ['error', host, e.message, nil, nil]
|
41
|
+
puts format % ['error', host, e.message, nil, nil, nil]
|
41
42
|
end
|
42
43
|
end
|
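--- a/data/lib/cert_checker.rb
+++ b/data/lib/cert_checker.rb
@@ -15,7 +15,7 @@ module CertChecker
 
 def get_cert(host, port = 443, timeout: DEFAULT_TIMEOUT)
 tcp_client = Socket.tcp(host, port, connect_timeout: timeout)
-ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
+ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client, new_ctx)
 ssl_client.hostname = host
 
 begin
@@ -26,7 +26,7 @@ module CertChecker
 retry if IO.select(nil, [ssl_client], nil, timeout)
 end
 
-[ssl_client.peer_cert, ssl_client.peer_cert_chain].tap do
+[ssl_client.peer_cert, ssl_client.peer_cert_chain, ssl_client.alpn_protocol].tap do
 ssl_client.close
 tcp_client.close
 end
@@ -36,17 +36,17 @@ module CertChecker
 
 # @return [cert, verify_result, cert_chain, err_str]
 def verify(host, *args)
-cert, cert_chain = get_cert(host, *args)
+cert, cert_chain, alpn_protocol = get_cert(host, *args)
 if cert
 err = nil
 result = cert_store.verify(cert, cert_chain) { |r, s| err = s.error_string unless r; r }
-[cert, result, cert_chain, err]
+[cert, result, cert_chain, alpn_protocol, err]
 end
 end
 
 # @return [status_symbol, host, issuer, expired_at, desc]
 def check(host, *args)
-cert, verify_result, _cert_chain, err_str = verify(host, *args)
+cert, verify_result, _cert_chain, alpn_protocol, err_str = verify(host, *args)
 return [:failed, host, nil, nil, nil] unless cert
 status_sym = :unverifiable unless verify_result
 
@@ -63,7 +63,7 @@ module CertChecker
 else :ok
 end
 
-[status_sym, host, issuer, expired_at, desc]
+[status_sym, host, issuer, expired_at, desc, alpn_protocol]
 end
 
 def cert_store
@@ -74,6 +74,12 @@ module CertChecker
 
 private
 
+def new_ctx
+OpenSSL::SSL::SSLContext.new.tap do |ctx|
+ctx.alpn_protocols = %w{http/1.1 h2}
+end
+end
+
 def verify_cert_dns(host, cert)
 dns_ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
 dns = dns_ext.value.split(',').map { |d| d.split(':').last }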
data/lib/cert_checker/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cert_checker
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- jiangzhi.xie
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-03-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -108,7 +108,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
108
108
|
version: '0'
|
109
109
|
requirements: []
|
110
110
|
rubyforge_project:
|
111
|
-
rubygems_version: 2.6
|
111
|
+
rubygems_version: 2.7.6
|
112
112
|
signing_key:
|
113
113
|
specification_version: 4
|
114
114
|
summary: A tool to check host certs config
|