Certificate check

KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Certificate check

Post by KS-Soft »

There is a command line utility that can check when an SSL certificate expires: www.ks-soft.net/download/utils/certcheck.zip
It can be used with HostMonitor's Shell Script test method.

There are one obligatory and 4 optional parameters.
Usage: certcheck.exe -host:<host_name> [-port:<port>] [-threshold:<days>] [-withinfo] [-timeout:<timeout>]

Parameters:
-host : Name or IP of the host where the certificate is located
-port : TCP port number. Default port is 443
-threshold : Alert when certificate expires in NN days or less. Default: 0
-withinfo : Tells the program to display certificate info
-timeout : Communication timeout (msec).

Examples:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo

Regards
Alex
mp1
Posts: 200
Joined: Tue Mar 07, 2006 3:24 am

Post by mp1 »

Hi,

Thanks, this is great

Works perfectly for me, also when querying Domain Controller certificates.
There is also an example for SMTP; when I try to query our SMTP SSL certificate, I get the following error:

SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number

The same on our FTPS server. Is there maybe a way to check these certificates also?

Regards,

Martin
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

mp1 wrote: SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number

The same on our FTPS server. Is there maybe a way to check these certificates also?
Actually, our utility is not so smart ;-)
It is able to check the certificate if the secure connection is established right after the initial connection (implicit mode). I suppose your mail server and FTP server provide TLS auth and establish the secure connection after a special key phrase, like STARTTLS (explicit mode). So, in order to get certificate info, the utility would need a protocol-dependent communication routine. I'm sorry, this utility is not designed to support FTP, SMTP, etc.

Regards,
Max
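The two points above (Alex's expiry check with a threshold, and Max's implicit vs. explicit mode distinction) as an added example; this is not KS-Soft's certcheck source. The exit-code scheme, the argparse flag names, and the SMTP `--starttls` path are assumptions of this example; the implicit-mode path does what certcheck does, the STARTTLS path adds the SMTP step the thread says certcheck lacks.

```python
"""Certificate-expiry check modelled on certcheck.exe (added example, not KS-Soft's code)."""
import argparse
import smtplib
import socket
import ssl
import sys
import time

def days_until_expiry(not_after, now=None):
    """Whole days left for an OpenSSL-style notAfter string, e.g. 'Nov 12 23:59:59 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)  # negative once the certificate has expired

def verdict(days_left, threshold):
    """Exit code (assumed scheme): 0 = OK, 1 = expires within threshold days, 2 = expired."""
    if days_left < 0:
        return 2
    return 1 if days_left <= threshold else 0

def fetch_peer_cert(host, port, timeout=10.0, starttls=False):
    """Server cert from getpeercert().  Implicit mode (443, 5223, SMTPS 465) handshakes
    right after connect, which is all certcheck does; starttls=True adds the SMTP
    explicit-mode step (EHLO, STARTTLS) the thread says certcheck lacks.  The default
    context verifies chain and hostname, so a bad chain raises instead of passing."""
    ctx = ssl.create_default_context()
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # upgrades smtp.sock to an SSLSocket
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":  # flags mirror certcheck's parameters, in argparse syntax
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True)
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--threshold", type=int, default=0)
    ap.add_argument("--timeout", type=float, default=10.0)
    ap.add_argument("--starttls", action="store_true", help="SMTP explicit mode")
    args = ap.parse_args()
    cert = fetch_peer_cert(args.host, args.port, args.timeout, args.starttls)
    left = days_until_expiry(cert["notAfter"])
    print(f"{args.host}:{args.port} notAfter={cert['notAfter']} days_left={left}")
    sys.exit(verdict(left, args.threshold))
```

A HostMonitor Shell Script test can treat exit code 0 as Good and anything else as Bad, with `--threshold` playing the role of certcheck's `-threshold:`.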
Stoltze
Posts: 174
Joined: Tue Feb 03, 2004 1:58 am
Location: Denmark

Post by Stoltze »

Hi,

Would it be possible to get an example of how to use this script..?

And using e.g. CommentLines as params...? E.g. params for hostname and threshold..
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Examples are listed in the first post:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo

If you set up the Shell Script test method, then you should specify parameters using the "Params" field of the test.
E.g.
-host:www.ssl.com -threshold:30
or
-host:talk.google.com -port:5223

The "Start cmd" property of the Shell Script may look like
cmd /c c:\HostMonitor\certcheck.exe %Params%
Stoltze wrote: And using e.g. CommentLines as params...? E.g. params for hostname and threshold..
You cannot do that.

Regards
Alex
Stoltze
Posts: 174
Joined: Tue Feb 03, 2004 1:58 am
Location: Denmark

Post by Stoltze »

Thanks very much Alex for this example.. :)

It is possible to use CommentLines as input to parameters, works nicely... :-)
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

I have just stumbled upon this wonderful tool.

Something else I didn't think I needed. :D

I am having difficulty with one site in particular. It has a valid cert and is accessible from all browsers.

I do know it has to do with the site running in FIPS 140-2 mode. If I disable it, the check succeeds. Can these types of sites be checked?

I noticed the ssl libraries were from 2007 so I tried updating them but the exe complained that no libraries were found.

Is this something that can be easily done?

Regards
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Can we access this site for testing?
xcentric wrote: I noticed the ssl libraries were from 2007 so I tried updating them but the exe complained that no libraries were found
Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.

Regards
Alex
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

KS-Soft wrote: Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.
The certcheck utility is provided with its own set of SSL libraries. These are the ones I attempted to update. The SSL libraries in the HostMonitor directory were not modified, and I assumed they are independent of the certcheck utility. Besides, when it didn't work I put the originals back. :roll:

Our hope was that if we updated the libraries the check would succeed. I found this was not the case, and there seems to be a need for work to be done on the certcheck executable to use validated FIPS libraries.

Information is available on the openssl website. I am not sure exactly what it means.

Is compiling FIPS-validated libraries all that is required? Or is there more to it?

OpenSSL and FIPS 140-2
http://www.openssl.org/docs/fips/fipsnotes.html

Regards
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

xcentric wrote: The certcheck utility is provided with its own set of SSL libraries.
I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.

I read the manuals, trying to understand what exactly FIPS 140-2 means.
On one hand, the requirements for encryption, key exchange and hashing sound familiar:
- Transport Layer Security (TLS) protocol;
- only the Triple DES encryption algorithm for the TLS traffic encryption;
- RSA public key algorithm for the TLS key exchange and authentication;
- SHA-1 for the TLS hashing
These are supported by OpenSSL and HostMonitor/CertCheck.

On the other hand, there are some additional requirements for integrity checks and so on. It looks like without another module from OpenSSL and without some modifications on our side, this test will not work with FIPS 140-2.

Regards
Alex
xcentric
Posts: 176
Joined: Sat Oct 23, 2010 4:30 pm

Post by xcentric »

KS-Soft wrote: I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.
No problem. I understand completely.

And thank you for looking into FIPS 140-2 support. It is not really mainstream at the moment, but it is gaining popularity, especially when dealing with security compliance.

I can live without checking the few sites with FIPS for the moment. I intend to do some of my own research on the matter to stay ahead of the curve. If I come across new information that I think would benefit a possible implementation, I will post back in this thread.

Regards
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Thank you :)

Regards
Alex