I find that the longer I work in this field, the more scripts I write. Solving a problem with a script might take a bit longer the first time, but the next time you see the problem it takes seconds to resolve (assuming you can find your script back, that is). This is illustrated so well (and so timely) here ==> http://www.xkcd.com/974/ But I'm not here to sell you on scripting, or on any particular scripting language. This story about neat stuff I've learned while scripting, tid-bits that I wouldn't have learned otherwise that I hope you find useful as well. Recently I had to assess if a remote windows host was using a self-signed certificate, or one issued by a public or a private CA (Certificate Authority). The remote host was a VMware vCenter console, but that's not material to the script really, other than dictating the path. Easy you say, use a browser! Sure, that's ONE easy way, but what if you've got 10 others to assess, or a hundred? Or more likely, what if this is one check in hundreds in an audit or assessment? It's at that point that the "this needs a script" lightbulb goes off for me. In this case I "discovered" the windows command CERTUTIL.EXE. Typing "certutil -?" will get you pages of syntax of the complex things that this command can do, but in this case all we want to do is dump the certificate information. Since the server is remote, let's map a drive and query the cert: >map l: \
Oh - and can you please pass the salt ? =============== Rob VandenBrink Metafore
|
Rob VandenBrink 578 Posts ISC Handler Nov 7th 2011 |
Thread locked Subscribe |
Nov 7th 2011 1 decade ago |
A master artisan of great foresight!
|
Hal 50 Posts |
Quote |
Nov 7th 2011 1 decade ago |
if you're going to use this as is (and why not?) then you can use output redirection to eliminate the need for QUIT.in, viz:
echo "QUIT" | openssl s_client ... |
chrismewett 1 Posts |
Quote |
Nov 8th 2011 1 decade ago |
that should be:
echo -en "QUIT\r" | openssl s_client ... to get the CR rather than LF/NL as required by protocol, no? |
sashametro 3 Posts |
Quote |
Nov 8th 2011 1 decade ago |
or rather:
echo -en 'QUIT\r' | openssl s_client ... to avoid the shell eating the backslash. Sometimes putting the thing in a file is actually easier and more straightforward... |
sashametro 3 Posts |
Quote |
Nov 8th 2011 1 decade ago |
"QUIT" isn't the important bit, lines that start with "Q" are treated as EOF by default, and lines that start with "R" cause a renegotiation.
A useful one-liner is: echo "" | openssl s_client -connect www.gmail.com:443 | openssl x509 -noout -subject -dates To cleanly do the same for SMTP+STARTTLS printf "QUIT\r\n" | openssl s_client -connect mail.messaging.microsoft.com:25 -starttls smtp -ign_eof | openssl x509 -noout -subject -dates To show chain details too (where available from the server): echo "" | openssl s_client -connect www.facebook.com:443 -showcerts | gawk 'BEGIN { pipe="openssl x509 -noout -subject -issuer -dates -serial "} \ /^-+BEGIN CERT/,/^-+END CERT/ { print | pipe } /END CERT/ { close(pipe); printf("\n\n")} ' |
Mr Spuratic 3 Posts |
Quote |
Nov 8th 2011 1 decade ago |
reinventing the wheel? sometimes it's enough to put on your g00gles :)
#!/bin/sh # for CERT in \ myfirst.server.local:443 \ mysecond.server.local:993 \ do echo |\ openssl s_client -connect ${CERT} 2>/dev/null |\ sed -ne "/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p" |\ openssl x509 -noout -subject -dates done echo "need more? type: openssl x509 -?" ### REF -> http://www.madboa.com/geek/openssl/#cert-retrieve |
mike f. 2 Posts |
Quote |
Nov 8th 2011 1 decade ago |
salt:
_____ ^ <_ _ _/ ) / \ / / \ + / = [ . . . . x 2^~ ] / \ *the proper stones (NaCl) and a input of a < "brute-force-hammer"* |
mike f. 2 Posts |
Quote |
Nov 8th 2011 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!