check_ssl_cert w/ PKI / X.509 Chain Validation
Brian A. Seklecki
lavalamp at spiritual-machines.org
Wed Aug 6 18:03:33 CEST 2008
Two new notes:
1) Extracting the root CA cert DB from FF3 manually (GUI + Select all)
to PEM works fine with c_rehash:
$ openssl s_client -verify 4 -connect www.gmail.com:443 2>&1 | egrep \
"Verify return code"
Verify return code: 0 (ok)
2) I'm unable to find the file system database that contains the root
CA, otherwise the process could be automated:
$ for a in $(certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ | \
egrep -v "Nickname" | cut -f1 -d ' ' -s ); do certutil -L -d \
~/.mozilla/firefox/3u995ypq.default/ -a -n "$a" > /tmp/"$a".pem; done
However:
1) certutil(8) is awful and doesn't escape the DB "nick" column with
quotes, making it impossible to regex out the cert name.
2) In FC9 and FBSD7, neither /etc/pki/nssdb/ nor
/usr/{local/share|lib64}/firefox-3.0.1 has the certutil-formatted
DB to automate the extract process from.
Anyway, the root CA DB doesn't change very often, so code can be written
around this for now.
~BAS
On Wed, 11 Apr 2007, Brian A. Seklecki wrote:
>
> These scripts are great, thank you very much to all involved who contributed
> (no e-mail address for 'mastrboy'). I'm considering spending some time
> adding additional functionality:
>
> --
>
> In addition to simply parsing the date and comparing the date/time, I'd like
> to test the validity of the X.509 Cert against its PKI infrastructure using
> the OpenSSL routines.
>
> I'm pretty sure that this can be accomplished by checking the result code of
> openssl 's_client' or 'verify'; both accept -CApath and -CAfile.
>
> For internal PKI, this is pretty straightforward; just specify your
> organization's Root CA Cert.
>
> For public cert verification, it gets tricky because you have to take a
> certificate store like the Mozilla NSS/NSPR default and convert it into
> OpenSSL c_rehash format -- taking ideas on that here.
>
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>
> Thoughts?
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan
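Added example (not part of this post or of check_ssl_cert): a POSIX shell script that works around the unquoted certutil nickname column by stripping the trailing trust-attribute field rather than cutting on the first space, exports each cert to PEM, runs c_rehash over the directory, and checks the s_client verify code against that CApath. The NSS DB and CApath arguments, the function names, and the assumption that the profile's certutil listing includes the builtin roots are mine.

```shell
#!/bin/sh
# Added example: build an OpenSSL CApath from an NSS cert DB listing and
# verify a server chain against it. Assumes certutil, openssl and c_rehash
# are on PATH; NSS DB and CApath locations are passed in by the caller.
set -eu

# Read `certutil -L` output on stdin and print one nickname per line.
# certutil does not quote nicknames (they may contain spaces), but the trust
# column is always the last whitespace-separated field ("C,C,C", "CT,,", ",,"),
# so drop the two header lines and blank lines, then strip that last field.
nss_nicknames() {
    sed -E -e '/^Certificate Nickname/d' \
           -e '/^[[:space:]]*SSL,S\/MIME,JAR\/XPI/d' \
           -e '/^[[:space:]]*$/d' \
           -e 's/[[:space:]]+[[:alpha:]]*,[[:alpha:]]*,[[:alpha:]]*[[:space:]]*$//'
}

# Export every cert in NSS DB $1 as PEM into directory $2, then c_rehash it
# so openssl can find issuers by subject hash.
export_nss_roots() {
    nss_db=$1; capath=$2
    mkdir -p "$capath"
    certutil -L -d "$nss_db" | nss_nicknames | while IFS= read -r nick; do
        # Filename: nickname with anything outside [A-Za-z0-9._-] replaced by '_'
        safe=$(printf '%s' "$nick" | tr -c 'A-Za-z0-9._-' '_')
        certutil -L -d "$nss_db" -a -n "$nick" > "$capath/$safe.pem"
    done
    c_rehash "$capath" >/dev/null
}

# Return 0 only when the chain presented by host:port verifies against CApath $3.
verify_chain() {
    host=$1; port=$2; capath=$3
    openssl s_client -connect "$host:$port" -CApath "$capath" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: export_nss_roots ~/.mozilla/firefox/PROFILE /tmp/ffroots
#        verify_chain www.gmail.com 443 /tmp/ffroots && echo "chain ok"
```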