Giter Club home page Giter Club logo

check_dane's Introduction

⚠️ This repository is no longer maintained.

check_ssl_cert supports validating DANE records with openssl >= 1.1.0

check_dane

Nagios/Icinga plugin for checking DANE/TLSA records.

It compares the DANE/TLSA record against the TLS certificate provided by a service.

Usage

-h, --help            show this help message and exit
--host HOST, -H HOST  Hostname to check.
--port PORT, -p PORT  TCP port to check.
--connect-host CONNECT_HOST, --ip CONNECT_HOST, -I CONNECT_HOST
                      Connect to this host instead of --host.
--connect-port CONNECT_PORT
                      Connect to this port instead of --port.
--starttls {smtp,imap,xmpp,quassel}
                      Send the protocol-specific messages to enable TLS.
--check-pkix          Additionally perform traditional checks on the
                      certificate (ca trust path, hostname, expiry).
--min-days-valid MIN_DAYS_VALID
                      Minimum number of days a certificate has to be valid.
                      Format: INTEGER[,INTEGER]. 1st is #days for warning,
                      2nd is critical.
--no-dnssec           Continue even when DNS replies aren't DNSSEC
                      authenticated.
--nameserver NAMESERVER
                      Use a custom nameserver.
--timeout TIMEOUT     Network timeout in sec. Default: 10
--version             show program's version number and exit

Supported TLSA records

  • Certificate Usage: "Service certificate constraint" (1) and "Domain-issued certificate" (3) is supported
  • Selector: "Full certificate" (0) and SubjectPublicKeyInfo (1)
  • Matching Type: "Exact match" (0), SHA-256 hash (1) and SHA-512 hash (2)

Requirements

  • Python >= 3.4
  • dnspython
  • openssl binary
  • DNSSEC capable resolver (or use --no-dnssec but be aware of the security implications)

Examples

  • check_dane -H mx.example.com -p 25 --starttls smtp
  • check_dane -H example.com -p 443 --check-pkix

check_dane's People

Contributors

countsudoku avatar debfx avatar df7cb avatar dilyanpalauzov avatar nemunaire avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

actindo countsudoku digideskio nemunaire sndrsmnk okoeroo dilyanpalauzov fl1ger stbuehler

check_dane's Issues

Extend to request EC or RSA certificates

For a service several TLSA records can be publised (3 1 1, 3 0 1, 3 0 2) at the same time. During rollover the amount of TLSA records doubles, only half of them are valid. For a TLS connection the server can posses more than one certificates (RSA and EC).

Please extend check_dane, so that it can, depending on how it is invoked,

  • verify that there is a valid “TLSA 3 1 1” record for a service, when the EC certificate is requested,
  • verify that there is a valid “TLSA 3 1 1” record for a service, when the RSA certificate is requested,
  • verify that there is a valid “TLSA 3 0 1” record for a service, that uses the EC certificate
  • verify that there is a valid “TLSA 3 0 1” record for a service, that uses the RSA certificate
  • verify that there is a valid “TLSA 3 0 2” record for a service, that uses the EC certificate
  • verify that there is a valid “TLSA 3 0 2” record for a service, that uses the RSA certificate
  • verify the expiration of the RSA certificate
  • verify the expiration of the EC certificate

The idea is to be able to verify, that both 3 0 1 and 3 0 2 records are valid, which is currently not possilbe.

For 3 1 1 there is somewhere a special requirement that it is offered for SMTP:25, but for the same port 3 0 1 and 3 0 2 are not prohibited.

In addition it would be very nice, if the same TLS connection is used to verify, if the certificate has Must Staple extension and that OCSP verifies, so that no further plugins are needed for this and no further TLS connections must be made.

TLSA Certificate Usage modes 0 and 2 are not supported

Configuring acceptable CAs with TLSA records (usage modes 0 and 2) is not supported with this script, and the script returns the (slightly inaccurate) message saying "Certificate doesn't match TLSA record".
I don't know how to get the full certificate chain from the server response, otherwise I would work on adding this support.
Thanks for the excellent script!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.