#!/usr/bin/env python
import sys
from OpenSSL import SSL
import socket
import datetime
"""
Nagios check to test SSL certificate expiration and cname is correct
"""
# NOTE: the string above follows the imports, so it is a bare expression
# statement rather than the module docstring (``__doc__`` stays None).

# Check configuration.  Edit these constants to point the plugin at a
# different endpoint or to tune the alert thresholds.
HOSTNAME = 'www.dataloop.io'  # host the TLS connection is opened to
PORT = 443  # TCP port for the TLS connection
CN = '*.dataloop.io'  # expected subject CN; compared literally (case-insensitive), '' disables the check
# Protocol method handed to pyOpenSSL.  Options: (SSLv2|SSLv3|SSLv23|TLSv1);
# anything unrecognised falls back to TLSv1.  SSLv2/SSLv3 are obsolete and
# their *_METHOD constants may be missing from modern pyOpenSSL/OpenSSL builds.
METHOD = 'SSLv23'
WARN = 15 # Threshold for warning alert in days
CRIT = 5 # Threshold for critical alert in days
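def get_options():
    """Return the check's configuration as a dict.

    Every value is taken from the module-level constants (HOSTNAME, PORT,
    METHOD, CRIT, WARN, CN) so that the constants at the top of the file
    are the single place to configure the plugin.

    Returns:
        dict with keys ``host``, ``port``, ``method``, ``critical``,
        ``warning`` and ``cn``.
    """
    return {
        'host': HOSTNAME,
        'port': PORT,
        # Previously a literal 'SSLv23', which silently ignored METHOD.
        'method': METHOD,
        'critical': CRIT,
        'warning': WARN,
        'cn': CN,
    }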
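def _text(value):
    """Return *value* as text; pyOpenSSL hands back bytes on Python 3."""
    if isinstance(value, bytes):
        return value.decode('ascii')
    return value


def _build_context(method):
    """Return an ``SSL.Context`` for the configured *method* name.

    ``'SSLv2'``, ``'SSLv3'`` and ``'SSLv23'`` map to the matching pyOpenSSL
    method constant; any other value falls back to TLSv1, as the original
    if/elif chain did.

    Raises:
        AttributeError: the installed pyOpenSSL does not export the
            requested ``*_METHOD`` constant (SSLv2/SSLv3 are commonly
            compiled out of modern OpenSSL builds).
    """
    method_names = {
        'SSLv2': 'SSLv2_METHOD',
        'SSLv3': 'SSLv3_METHOD',
        'SSLv23': 'SSLv23_METHOD',
    }
    return SSL.Context(getattr(SSL, method_names.get(method, 'TLSv1_METHOD')))


def _fetch_peer_cert(ctx, host, port):
    """Handshake with ``host:port`` and return the leaf certificate.

    SNI is sent so that a server hosting several names returns the
    certificate for *host* instead of its default one.  The certificate
    chain is NOT verified: the context keeps pyOpenSSL's default verify
    mode, so this reports whatever the peer presented and nothing more.

    Returns:
        The peer ``X509`` object, or ``None`` if the peer sent no certificate.

    Raises:
        SSL.Error, socket.error: connection or handshake failure.
    """
    raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = SSL.Connection(ctx, raw_sock)
    # NOTE(review): no socket timeout is set, so an unresponsive peer can
    # hang the plugin until Nagios' own plugin timeout fires.
    try:
        conn.set_tlsext_host_name(host.encode('ascii'))
        conn.connect((host, int(port)))
        # Explicit handshake instead of relying on send() to trigger it.
        conn.set_connect_state()
        conn.do_handshake()
        cert = conn.get_peer_certificate()
        try:
            conn.shutdown()
        except SSL.Error:
            # Best-effort close_notify; the certificate is already in hand.
            pass
        return cert
    finally:
        conn.close()


def _asn1_time(value):
    """Parse an ASN.1 time of the form ``YYYYMMDDHHMMSSZ`` to a naive UTC datetime."""
    return datetime.datetime.strptime(_text(value), '%Y%m%d%H%M%SZ')


def _check_expiry(cert, now, warning, critical):
    """Evaluate the validity window of *cert* against *now* (naive UTC).

    Args:
        cert: pyOpenSSL ``X509``.
        now: naive UTC ``datetime`` to compare against.
        warning: days-left threshold below which status is WARNING.
        critical: days-left threshold below which status is CRITICAL.

    Returns:
        ``(status, message_parts)`` where status is 0/1/2 and
        message_parts is a list of strings in the plugin's output format.
    """
    not_before = _asn1_time(cert.get_notBefore())
    not_after = _asn1_time(cert.get_notAfter())
    expire_days = (not_after - now).days
    if not_before > now:
        status, message = 2, 'C: cert is not valid'
    elif expire_days < 0:
        status, message = 2, 'Expire critical (expired)'
    elif critical > expire_days:
        status, message = 2, 'Expire critical'
    elif warning > expire_days:
        status, message = 1, 'Expire warning'
    else:
        status, message = 0, 'Expire OK'
    return status, [message, '[' + str(expire_days) + 'd]']


def _check_cn(cert, expected_cn):
    """Compare the subject CN of *cert* with *expected_cn*.

    An empty *expected_cn* disables the comparison.  Only the subject CN
    is inspected; subjectAltName entries are not consulted, and the
    comparison is a literal case-insensitive match (no wildcard logic).
    A certificate with no CN component yields an empty name, which counts
    as a mismatch when a CN is expected (the original raised NameError).

    Returns:
        ``(status, message_parts)`` with status 0 or 2.
    """
    cert_cn = ''
    for name, value in cert.get_subject().get_components():
        if _text(name) == 'CN':
            cert_cn = _text(value)
    if expected_cn != '' and expected_cn.lower() != cert_cn.lower():
        return 2, [' - CN mismatch', ' - cn:' + cert_cn]
    return 0, [' - CN OK', ' - cn:' + cert_cn]


def main():
    """Run the certificate check and exit with a Nagios status code.

    Exit codes: 0 OK, 1 WARNING (expiring within WARN days), 2 CRITICAL
    (not yet valid, expired/expiring within CRIT days, CN mismatch, or
    the TLS connection failed), 3 UNKNOWN (the configured SSL method is
    not available in this pyOpenSSL).
    """
    options = get_options()
    try:
        ctx = _build_context(options['method'])
    except AttributeError as e:
        print('UNKNOWN: unsupported SSL method %s (%s)' % (options['method'], e))
        sys.exit(3)

    try:
        peer_cert = _fetch_peer_cert(ctx, options['host'], options['port'])
    except (SSL.Error, socket.error) as e:
        # The original printed the error and then crashed on an undefined
        # peer_cert; report a proper CRITICAL instead.
        print('CRITICAL: TLS connection to %s:%s failed: %s'
              % (options['host'], options['port'], e))
        sys.exit(2)
    if peer_cert is None:
        print('CRITICAL: no certificate presented by %s:%s'
              % (options['host'], options['port']))
        sys.exit(2)

    now = datetime.datetime.utcnow()
    exit_status, exit_message = _check_expiry(
        peer_cert, now, options['warning'], options['critical'])
    cn_status, cn_message = _check_cn(peer_cert, options['cn'])
    exit_status = max(exit_status, cn_status)
    exit_message.extend(cn_message)

    print(''.join(exit_message))
    sys.exit(exit_status)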
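# Only run the check when executed as a script, not when imported.
if __name__ == '__main__':
    main()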