From 0ee07954a7b40e89238ed7e2266e54ce3a2b35cd Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Sun, 25 May 2008 13:01:38 +0200
Subject: [PATCH] Add "ssl" command

---
 dowkd.in | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/dowkd.in b/dowkd.in
index 8212b84..559fb38 100644
--- a/dowkd.in
+++ b/dowkd.in
@@ -40,6 +40,8 @@ COMMAND is one of:
 file: examine files on the command line for weak keys
 host: examine the specified hosts for weak SSH keys
 (change destination port with "host -p PORT HOST...")
+ ssl: examine the specified hosts for weak X.509 keys
+ (change destination port with "ssl -p PORT HOST...")
 user: examine user SSH keys for weakness; examine all users
 if no users are given
 quick: check this host for weak keys (encompasses "user" plus
@@ -449,6 +451,33 @@ sub from_ssh_host ($@) {
 }
 }
 
+sub from_ssl_host ($;$) {
+ my ($host, $port) = @_;
+ $port = $port || 443;
+ my @output = safe_backtick_stderr qw/openssl s_client -connect/, "$host:$port";
+ if (@output && $output[0]) {
+ while (@output) {
+ my $line = shift @output;
+ if ($line =~ /^-----BEGIN CERTIFICATE-----/) {
+ my $tmp = new File::Temp;
+ do {
+ print $tmp $line or die "print: $!";
+ goto LAST if $line =~ /^-----END CERTIFICATE-----/;
+ } while ($line = shift @output);
+ LAST:
+ $tmp->flush or die "flush: $!";
+ my $out = safe_backtick qw/openssl x509 -noout -text -in/, $tmp;
+ if ($out) {
+ openssl_output_check $host, $out;
+ return;
+ }
+ # fall through to the warning message
+ }
+ }
+ }
+ warn "$host: could not obtain SSL server key\n";
+}
+
 sub from_user ($) {
 my $user = shift;
 my ($name,$passwd,$uid,$gid,
@@ -535,6 +564,15 @@ if (@ARGV) {
 exit 1;
 }
 from_ssh_host $port, @ARGV;
+ } elsif ($cmd eq 'ssl') {
+ my $port = cli_get_port @ARGV, 443;
+ unless (@ARGV) {
+ help;
+ exit 1;
+ }
+ for my $name (@ARGV) {
+ from_ssl_host $name, $port;
+ }
 } elsif ($cmd eq 'user') {
 if (@ARGV) {
 from_user $_ for @ARGV;
-- 
2.11.4.GIT
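Review bot: The certificate-extraction loop in from_ssl_host leaves a do/while with `goto LAST` and creates the temp file with the indirect-object form `new File::Temp`, both of which perlcritic flags and which make the PEM copy loop harder to follow than it needs to be. A plain `while (defined $line)` that exits with `last` on the END marker, writing through `print {$tmp} $line`, consumes the same lines in the same order and drops the label entirely. Separately, `openssl s_client` is started without `-servername`, so on a host that serves several certificates the default certificate is examined rather than the one presented for `$host`; if the installed openssl supports it, adding `-servername`, `$host` to the argument list would make the check apply to the named site. The flush, `openssl x509` parse and `openssl_output_check` call below the loop are unaffected.
```perl
sub from_ssl_host ($;$) {
    my ($host, $port) = @_;
    # … unchanged: port default and the openssl s_client call …
    if (@output && $output[0]) {
        while (@output) {
            my $line = shift @output;
            next unless $line =~ /^-----BEGIN CERTIFICATE-----/;
            my $tmp = File::Temp->new;
            # Copy the PEM block through its END marker; a truncated block is
            # still handed to openssl x509, whose failure falls through to the warning.
            while (defined $line) {
                print {$tmp} $line or die "print: $!";
                last if $line =~ /^-----END CERTIFICATE-----/;
                $line = shift @output;
            }
            # … unchanged: flush, openssl x509 parse, openssl_output_check, return …
        }
    }
    # … unchanged: warning …
}
```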
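Review bot: The default port 443 for the ssl command is spelled out twice, here in `my $port = cli_get_port @ARGV, 443;` and again inside from_ssl_host as `$port = $port || 443;`, so a later change to one will silently diverge from the other; keeping the default in cli_get_port alone, or in one named constant used by both, avoids that. The call shape also differs from the neighbouring `from_ssh_host $port, @ARGV;`, which takes the port first and iterates the hosts itself, whereas `from_ssl_host $name, $port;` is called once per host with the port last; matching the argument order between the two would make the branches read alike. The enclosing `if (@ARGV)` dispatch begins and ends outside this hunk.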