KS-Soft. Network Management Solutions
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister    ProfileProfile    Log inLog in 

Certificate check

 
Post new topic   Reply to topic    KS-Soft Forum Index -> Library
View previous topic :: View next topic  
Author Message
KS-Soft



Joined: 03 Apr 2002
Posts: 10922
Location: USA

PostPosted: Thu Mar 12, 2009 1:44 pm    Post subject: Certificate check Reply with quote

There is command line utility that may check when SSL certificate expires: www.ks-soft.net/download/utils/certcheck.zip
It can be used with HostMonitor's Shell Script test method

There is one obligatory and 4 optional parameters
Usage: certcheck.exe -host:<host_name> [-port:<port>] [-threshold:<days>] [-withinfo] [-timeout:<timeout>]

Parameters:
-host : Name or IP of the host, where certificate is located
-port : TCP port number. Default port is 443
-threshold : Alert when certificate expires in NN days or less. Default: 0
-withinfo : Tells the program to display certificate info
-timeout : Communication timeout (msec).

Examples:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo

Regards
Alex
Back to top
View user's profile Send private message Send e-mail Visit poster's website
mp1



Joined: 07 Mar 2006
Posts: 192

PostPosted: Mon Mar 16, 2009 5:51 am    Post subject: Reply with quote

Hi,

Thanks, this is great

Works for me perfect, also querying Domaincontroller Certificates.
There is also an example for smtp, when I try to query our smpt ssl certificate, I get the following error:

SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number

The same on our ftps server. Is there maybe a way to check this certficates also?

Regards,

Martin
Back to top
View user's profile Send private message
KS-Soft Europe



Joined: 16 May 2006
Posts: 2481

PostPosted: Mon Mar 16, 2009 6:21 am    Post subject: Reply with quote

mp1 wrote:
SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number

The same on our ftps server. Is there maybe a way to check this certficates also?
Actually, our utility is not so smart
It is able to check certificate if secure connection establishes just after initial connection (implicit mode). I suppose, your mail server and ftp provides TLS auth and establishes secure connection after special key phrase, like STARTTLS (explicit mode). So, in order to get certificate info, utility should provide some protocol depended communication routine. I'm sorry, this utility is not designed to support FTP, SMTP, etc. protocols.

Regards,
Max
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Stoltze



Joined: 03 Feb 2004
Posts: 174
Location: Denmark

PostPosted: Tue Mar 31, 2009 2:02 pm    Post subject: Reply with quote

Hi,

Would it be possible to get an example on how to use this script..?

And using eg CommentLines as params...? Eg params for hostname and threshold..
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 10922
Location: USA

PostPosted: Tue Mar 31, 2009 3:41 pm    Post subject: Reply with quote

Examples listed in first post
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo

If you setup Shell Script test method then you should specify parameters using "Params" field of the test
E.g.
-host:www.ssl.com -threshold:30
or
-host:talk.google.com -port:5223

"Start cmd" property of Shell Script may look like
cmd /c c:\HostMonitor\certcheck.exe %Params%

Quote:
And using eg CommentLines as params...? Eg params for hostname and threshold..

You cannot do that.

Regards
Alex
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Stoltze



Joined: 03 Feb 2004
Posts: 174
Location: Denmark

PostPosted: Tue Mar 31, 2009 10:21 pm    Post subject: Reply with quote

Thanx very much Alex for this example..

It is possible to use CommentLines as input to parameters, works nicely...
Back to top
View user's profile Send private message
xcentric



Joined: 23 Oct 2010
Posts: 170

PostPosted: Sat Aug 20, 2011 10:21 am    Post subject: Reply with quote

I have just stumbled upon this wonderful tool.

Something else I didnt think I needed.

I am having difficulty with one site in particular. It has a valid cert and is accessible from all browsers.

I do know it has to do with the site which is running in FIPS 140-2 mode. If I disable it the check succeeds. Can these types of sites be checked?

I noticed the ssl libraries were from 2007 so I tried updating them but the exe complained that no libraries were found.

Is this something that can be easily done?

Regards
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 10922
Location: USA

PostPosted: Mon Aug 22, 2011 7:33 am    Post subject: Reply with quote

Can we access this site for testings?

Quote:
I noticed the ssl libraries were from 2007 so I tried updating them but the exe complained that no libraries were found

Please do not change libeay32.dll and ssleay32.dll files that come with HostMonitor. These files located in HostMonitor folder and used by HostMonitor only.

Regards
Alex
Back to top
View user's profile Send private message Send e-mail Visit poster's website
xcentric



Joined: 23 Oct 2010
Posts: 170

PostPosted: Mon Aug 22, 2011 8:44 am    Post subject: Reply with quote

Quote:
Please do not change libeay32.dll and ssleay32.dll files that come with HostMonitor. These files located in HostMonitor folder and used by HostMonitor only.


The certcheck utility is provided with it's own set of ssl libraries. These are the ones I attempted to update. The ssl libraries in the hostmonitor directory were not modified and I assumed are independent of the certcheck utility. Besides, when it didnt work I put the originals back.

Our hope was that if we updated the libraries the check would succeed. I found this was not the case and there seems a need for work to be done on the certcheck executable to use validated fips libraries.

Information is available on the openssl website. I am not sure exactly what it means.

Is compiling fips validated libraries all that is required? Or is there more to it?

OpenSSL and FIPS 140-2
http://www.openssl.org/docs/fips/fipsnotes.html

Regards
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 10922
Location: USA

PostPosted: Tue Aug 23, 2011 10:03 pm    Post subject: Reply with quote

Quote:
The certcheck utility is provided with it's own set of ssl libraries.

I know. But the same rule applies to certcheck utility - its better do not replace these DLLs. It may not work with different version correctly.

I read manuals, trying to understand what exactly means that FIPS 140-2
On one hand, requirements to encryption, keys exchange and hashing sound familiar:
- Transport Layer Security (TLS) protocol;
- only the Triple DES encryption algorithm for the TLS traffic encryption;
- RSA public key algorithm for the TLS key exchange and authentication;
- SHA-1 for the TLS hashing
These protocols supported by OpenSSL and HostMonitor/CertCheck

On the other hand there some additional requirements for integrity checks and so on. Looks like without another module from OpenSSL and without some modifications on our side, this test will not work with FIPS 140-2

Regards
Alex
Back to top
View user's profile Send private message Send e-mail Visit poster's website
xcentric



Joined: 23 Oct 2010
Posts: 170

PostPosted: Tue Aug 23, 2011 10:36 pm    Post subject: Reply with quote

Quote:
I know. But the same rule applies to certcheck utility - its better do not replace these DLLs. It may not work with different version correctly.


No problem. I understand completely.

And thank you for looking into fips 140-2 support. It is not really mainstream at the moment but it is gaining popularity especially when dealing with security compliance.

I can live without checking the few sites with fips for the moment. I intend to do some of my own research in the matter to stay ahead of the curve. If I come across new information that I think would benefit a possible implementation I will post back in this thread.

Regards
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 10922
Location: USA

PostPosted: Wed Aug 24, 2011 9:59 am    Post subject: Reply with quote

Thank you

Regards
Alex
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    KS-Soft Forum Index -> Library All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

KS-Soft Forum Index