KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Thu Mar 12, 2009 1:44 pm Post subject: Certificate check

There is a command line utility that may check when an SSL certificate expires: www.ks-soft.net/download/utils/certcheck.zip
It can be used with HostMonitor's Shell Script test method.
There are one obligatory and 4 optional parameters.
Usage: certcheck.exe -host:<host_name> [-port:<port>] [-threshold:<days>] [-withinfo] [-timeout:<timeout>]
Parameters:
-host : Name or IP of the host where the certificate is located
-port : TCP port number. Default port is 443
-threshold : Alert when certificate expires in NN days or less. Default: 0
-withinfo : Tells the program to display certificate info
-timeout : Communication timeout (msec).
Examples:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo
Regards
Alex
mp1
Joined: 07 Mar 2006 Posts: 200
Posted: Mon Mar 16, 2009 5:51 am

Hi,
Thanks, this is great.
Works perfectly for me, also querying Domain Controller certificates.
There is also an example for SMTP; when I try to query our SMTP SSL certificate, I get the following error:
SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number
The same on our FTPS server. Is there maybe a way to check these certificates also?
Regards,
Martin
KS-Soft Europe
Joined: 16 May 2006 Posts: 2832
Posted: Mon Mar 16, 2009 6:21 am

mp1 wrote:
> SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number
> The same on our FTPS server. Is there maybe a way to check these certificates also?
Actually, our utility is not so smart.
It is able to check the certificate if the secure connection is established just after the initial connection (implicit mode). I suppose your mail server and FTP server provide TLS auth and establish the secure connection after a special key phrase, like STARTTLS (explicit mode). So, in order to get certificate info, the utility should provide some protocol-dependent communication routine. I'm sorry, this utility is not designed to support FTP, SMTP, etc. protocols.
Regards,
Max
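A Python equivalent of the check certcheck performs, added here as an example (not KS-Soft's code): it parses certcheck's -host:/-port:/-threshold: parameter syntax from the first post, applies the "expires in NN days or less" threshold rule, and, for the STARTTLS case Max describes above, assumes an extra -starttls flag for SMTP explicit mode that the real utility does not have. The expiry and parameter functions run offline on a constructed notAfter value; fetch_cert needs network access to the host being checked.

```python
import socket
import ssl
import time
from smtplib import SMTP

def cert_time_seconds(cert_time: str) -> int:
    """Parse an OpenSSL-style notAfter such as 'Mar 12 13:44:00 2019 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(not_after: str, now: float) -> int:
    """Whole days left before notAfter, floored, so it goes negative once the cert has expired."""
    return int((cert_time_seconds(not_after) - now) // 86400)

def evaluate(not_after: str, threshold: int, now: float):
    """certcheck semantics: alert ('Bad') when the cert expires in `threshold` days or less."""
    days = days_until_expiry(not_after, now)
    return ("Bad" if days <= threshold else "Ok"), days

def parse_params(argv):
    """certcheck-style params; -starttls is an assumed extra flag (SMTP explicit mode), not certcheck's."""
    opts = {"port": 443, "threshold": 0, "timeout": 10000, "withinfo": False, "starttls": False}
    for arg in argv:
        key, _, value = arg.lstrip("-").partition(":")
        if key in ("withinfo", "starttls"):
            opts[key] = True
        elif key in ("port", "threshold", "timeout"):
            opts[key] = int(value)
        elif key == "host" and value:
            opts["host"] = value
        else:
            raise ValueError(f"bad parameter: {arg}")
    if "host" not in opts:
        raise ValueError("-host is obligatory")
    return opts

def fetch_cert(host: str, port: int, timeout_ms: int, starttls: bool = False) -> dict:
    """Implicit mode: TLS right after connect (what certcheck does). Explicit: plain SMTP, then STARTTLS."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as a browser would
    if starttls:
        with SMTP(host, port, timeout=timeout_ms / 1000) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout_ms / 1000) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check(argv):
    o = parse_params(argv)  # e.g. check(["-host:talk.google.com", "-port:5223", "-threshold:30"])
    cert = fetch_cert(o["host"], o["port"], o["timeout"], o["starttls"])
    return evaluate(cert["notAfter"], o["threshold"], time.time())
```

Because create_default_context verifies the chain, a self-signed or mis-named certificate raises ssl.SSLCertVerificationError rather than returning a result, which is itself a useful alert in a monitoring job.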
Stoltze
Joined: 03 Feb 2004 Posts: 174 Location: Denmark
Posted: Tue Mar 31, 2009 2:02 pm

Hi,
Would it be possible to get an example of how to use this script?
And using e.g. CommentLines as params? E.g. params for hostname and threshold.
KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Tue Mar 31, 2009 3:41 pm

Examples are listed in the first post:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo
If you set up the Shell Script test method, then you should specify parameters using the "Params" field of the test.
E.g.
-host:www.ssl.com -threshold:30
or
-host:talk.google.com -port:5223
The "Start cmd" property of the Shell Script may look like
cmd /c c:\HostMonitor\certcheck.exe %Params%
Quote:
> And using e.g. CommentLines as params? E.g. params for hostname and threshold.
You cannot do that.
Regards
Alex
Stoltze
Joined: 03 Feb 2004 Posts: 174 Location: Denmark
Posted: Tue Mar 31, 2009 10:21 pm

Thanks very much Alex for this example.
It is possible to use CommentLines as input to parameters, works nicely...
xcentric
Joined: 23 Oct 2010 Posts: 176
Posted: Sat Aug 20, 2011 10:21 am

I have just stumbled upon this wonderful tool.
Something else I didn't think I needed.
I am having difficulty with one site in particular. It has a valid cert and is accessible from all browsers.
I do know it has to do with the site, which is running in FIPS 140-2 mode. If I disable it, the check succeeds. Can these types of sites be checked?
I noticed the SSL libraries were from 2007, so I tried updating them, but the exe complained that no libraries were found.
Is this something that can be easily done?
Regards
KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Mon Aug 22, 2011 7:33 am

Can we access this site for testing?
Quote:
> I noticed the SSL libraries were from 2007, so I tried updating them, but the exe complained that no libraries were found
Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.
Regards
Alex
xcentric
Joined: 23 Oct 2010 Posts: 176
Posted: Mon Aug 22, 2011 8:44 am

Quote:
> Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.
The certcheck utility is provided with its own set of SSL libraries. These are the ones I attempted to update. The SSL libraries in the HostMonitor directory were not modified and, I assumed, are independent of the certcheck utility. Besides, when it didn't work I put the originals back.
Our hope was that if we updated the libraries the check would succeed. I found this was not the case, and there seems to be a need for work to be done on the certcheck executable to use validated FIPS libraries.
Information is available on the OpenSSL website. I am not sure exactly what it means.
Is compiling FIPS validated libraries all that is required? Or is there more to it?
OpenSSL and FIPS 140-2
http://www.openssl.org/docs/fips/fipsnotes.html
Regards
KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Tue Aug 23, 2011 10:03 pm

Quote:
> The certcheck utility is provided with its own set of SSL libraries.
I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.
I read manuals, trying to understand what exactly FIPS 140-2 means.
On one hand, the requirements for encryption, key exchange and hashing sound familiar:
- Transport Layer Security (TLS) protocol;
- only the Triple DES encryption algorithm for the TLS traffic encryption;
- RSA public key algorithm for the TLS key exchange and authentication;
- SHA-1 for the TLS hashing
These protocols are supported by OpenSSL and HostMonitor/CertCheck.
On the other hand, there are some additional requirements for integrity checks and so on. Looks like without another module from OpenSSL and without some modifications on our side, this test will not work with FIPS 140-2.
Regards
Alex
xcentric
Joined: 23 Oct 2010 Posts: 176
Posted: Tue Aug 23, 2011 10:36 pm

Quote:
> I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.
No problem. I understand completely.
And thank you for looking into FIPS 140-2 support. It is not really mainstream at the moment, but it is gaining popularity, especially when dealing with security compliance.
I can live without checking the few sites with FIPS for the moment. I intend to do some of my own research in the matter to stay ahead of the curve. If I come across new information that I think would benefit a possible implementation, I will post back in this thread.
Regards
KS-Soft
Joined: 03 Apr 2002 Posts: 12806 Location: USA
Posted: Wed Aug 24, 2011 9:59 am

Thank you
Regards
Alex