Stuff I Learned Scripting - Evaluating a Remote SSL Certificate
I find that the longer I work in this field, the more scripts I write. Solving a problem with a script might take a bit longer the first time, but the next time you see the problem it takes seconds to resolve (assuming you can find your script back, that is). This is illustrated so well (and so timely) here ==> http://www.xkcd.com/974/
But I'm not here to sell you on scripting, or on any particular scripting language. This story about neat stuff I've learned while scripting, tid-bits that I wouldn't have learned otherwise that I hope you find useful as well.
Recently I had to assess if a remote windows host was using a self-signed certificate, or one issued by a public or a private CA (Certificate Authority). The remote host was a VMware vCenter console, but that's not material to the script really, other than dictating the path.
Easy you say, use a browser! Sure, that's ONE easy way, but what if you've got 10 others to assess, or a hundred? Or more likely, what if this is one check in hundreds in an audit or assessment? It's at that point that the "this needs a script" lightbulb goes off for me.
In this case I "discovered" the windows command CERTUTIL.EXE. Typing "certutil -?" will get you pages of syntax of the complex things that this command can do, but in this case all we want to do is dump the certificate information. Since the server is remote, let's map a drive and query the cert:
>map l: \
>certutil -dump "l:\programdata\vmware\vmware virtualcenter\SSL\rui.crt"
O=VMware Installer
O=VMware, Inc.
>psexec \\%1 -u %2 -p %3 cmd /c certutil -dump "%allusersprofile%\vmware\vmware virtualcenter\ssl\rui.crt" | find "CN="
CN=VMware default certificate
These show that the certificate is the Default cert, installed by the VMware Installer.
depth=0 /O=VMware, Inc./OU=VMware, Inc./CN=VMware default certificate/emailAddress=support@vmware.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=VMware, Inc./OU=VMware, Inc./CN=VMware default certificate/emailAddress=support@vmware.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=VMware, Inc./OU=VMware, Inc./CN=VMware default certificate/emailAddress=support@vmware.com
verify error:num=21:unable to verify the first certificate
verify return:1
0 s:/O=VMware, Inc./OU=VMware, Inc./CN=VMware default certificate/emailAddress=support@vmware.com i:/O=VMware Installer subject=/O=VMware, Inc./OU=VMware, Inc./CN=VMware default certificate/emailAddress=support@vmware.com issuer=/O=VMware Installer
DONE
Oh - and can you please pass the salt ?
=============== Rob VandenBrink Metafore
Comments
Hal
Nov 7th 2011
1 decade ago
echo "QUIT" | openssl s_client ...
chris
Nov 8th 2011
1 decade ago
echo -en "QUIT\r" | openssl s_client ...
to get the CR rather than LF/NL as required by protocol, no?
Alexander Dupuy
Nov 8th 2011
1 decade ago
echo -en 'QUIT\r' | openssl s_client ...
to avoid the shell eating the backslash. Sometimes putting the thing in a file is actually easier and more straightforward...
Alexander Dupuy
Nov 8th 2011
1 decade ago
A useful one-liner is:
echo "" | openssl s_client -connect www.gmail.com:443 |
openssl x509 -noout -subject -dates
To cleanly do the same for SMTP+STARTTLS
printf "QUIT\r\n" | openssl s_client -connect mail.messaging.microsoft.com:25 -starttls smtp -ign_eof |
openssl x509 -noout -subject -dates
To show chain details too (where available from the server):
echo "" | openssl s_client -connect www.facebook.com:443 -showcerts |
gawk 'BEGIN { pipe="openssl x509 -noout -subject -issuer -dates -serial "} \
/^-+BEGIN CERT/,/^-+END CERT/ { print | pipe }
/END CERT/ { close(pipe); printf("\n\n")} '
Mr Spuratic
Nov 8th 2011
1 decade ago
#!/bin/sh
#
for CERT in \
myfirst.server.local:443 \
mysecond.server.local:993 \
do
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne "/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p" |\
openssl x509 -noout -subject -dates
done
echo "need more? type: openssl x509 -?"
###
REF -> http://www.madboa.com/geek/openssl/#cert-retrieve
mike f.
Nov 8th 2011
1 decade ago
_____
^ <_ _ _/ )
/ \ /
/ \ + / = [ . . . . x 2^~ ]
/ \
*the proper stones (NaCl) and a input of a < "brute-force-hammer"*
mike f.
Nov 8th 2011
1 decade ago