matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Plugin Output: specify type of certificate (e.g. 2048-bit RSA, 256 bits EC) #400

Closed lukastribus closed 2 years ago

lukastribus commented 2 years ago

Is your feature request related to a problem? Please describe.

Specifying bit size and certificate type of the certificate in the plugin output.

Describe the solution you'd like

Add something like 2048bit RSA certificate / 256 bits EC:

SSL_CERT OK - example.net:443, https, x509 2048 bit RSA certificate 'example.net' from 'ABC Ca' valid until Nov 3 22:59:00 2022 GMT (expires in 71 days)

lukastribus commented 2 years ago

Here are a few different certificate types to test:

check_ssl_cert -H rsa2048.badssl.com
check_ssl_cert -H rsa4096.badssl.com
check_ssl_cert -H rsa8192.badssl.com

check_ssl_cert -H ecc256.badssl.com
check_ssl_cert -H ecc384.badssl.com

lukastribus commented 2 years ago

Are the certificates always x509 in the PKI? If so, this string may be removed?

lukastribus commented 2 years ago

Thank you, however this is basically always sha256WithRSAEncryption:

$ ./check_ssl_cert --format "%SIGALGO%" -H rsa2048.badssl.com
sha256WithRSAEncryption|days_chain_elem1=78;20;15;; days_chain_elem2=1118;20;15;; days_chain_elem3=768;20;15;;
$ ./check_ssl_cert --format "%SIGALGO%" -H rsa4096.badssl.com
sha256WithRSAEncryption|days_chain_elem1=78;20;15;; days_chain_elem2=1118;20;15;; days_chain_elem3=768;20;15;;
$ ./check_ssl_cert --format "%SIGALGO%" -H ecc256.badssl.com
sha256WithRSAEncryption|days_chain_elem1=78;20;15;; days_chain_elem2=1118;20;15;; days_chain_elem3=768;20;15;;
$

The information is "Peer signature type" and "Server public key is":

$ openssl s_client -showcerts -connect ecc256.badssl.com:443 2>&1 | grep -e "signature type" -e "Server public key is"
Peer signature type: ECDSA
Server public key is 256 bit
^C
$ openssl s_client -showcerts -connect ecc384.badssl.com:443 2>&1 | grep -e "signature type" -e "Server public key is"
Peer signature type: ECDSA
Server public key is 384 bit
^C
$ openssl s_client -showcerts -connect rsa2048.badssl.com:443 2>&1 | grep -e "signature type" -e "Server public key is"
Peer signature type: RSA
Server public key is 2048 bit
^C
$ openssl s_client -showcerts -connect rsa4096.badssl.com:443 2>&1 | grep -e "signature type" -e "Server public key is"
Peer signature type: RSA
Server public key is 4096 bit
^C
$

matteocorti commented 2 years ago

The script is currently reading Signature Algorithm and not Public Key Algorithm and Public-Key
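The distinction made in this comment (and the outputs in the previous one) can be shown by parsing the certificate itself rather than the TLS handshake. The following is an added example, not code from check_ssl_cert: two POSIX shell functions that read `openssl x509 -noout -text` output on stdin and report the public key type and size from the "Public Key Algorithm" / "Public-Key" lines, alongside the "Signature Algorithm" line that the plugin was reading at the time. The certificate text below is a constructed excerpt (hostnames, issuer and key material are placeholders, not real certificates); the EC sample is deliberately signed by an RSA CA, which is why its signature algorithm is still sha256WithRSAEncryption.

```shell
#!/bin/sh
# Constructed excerpts of `openssl x509 -noout -text` output (placeholders, not real certs).
RSA_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example CA
        Subject: CN = rsa2048.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption'

# EC leaf certificate issued by an RSA CA: the signature algorithm still says RSA.
EC_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example CA
        Subject: CN = ecc256.example.test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: sha256WithRSAEncryption'

# Edge case: OpenSSL prints no "(N bit)" line for Ed25519 keys.
ED25519_CERT_TEXT='Certificate:
    Data:
        Signature Algorithm: ED25519
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:
    Signature Algorithm: ED25519'

# key_summary: print "<bits> bit <TYPE>" (or just the type when no size is printed)
# from certificate text on stdin. The "Public-Key" match tolerates both the
# OpenSSL 3 form "Public-Key: (2048 bit)" and the 1.1.1 form "RSA Public-Key: (2048 bit)".
key_summary() {
    awk '
        /^ *Public Key Algorithm:/ { algo = $NF }
        /Public-Key: \([0-9]+ bit\)/ {
            if (match($0, /\([0-9]+ bit\)/))
                bits = substr($0, RSTART + 1, RLENGTH - 6)   # strip "(" and " bit)"
        }
        END {
            if (algo == "") { print "unknown"; exit 1 }
            type = algo
            if (algo == "rsaEncryption") type = "RSA"
            else if (algo == "id-ecPublicKey") type = "EC"
            if (bits == "") print type
            else printf "%s bit %s\n", bits, type
        }'
}

# sig_algorithm: print the certificate signature algorithm (first occurrence),
# i.e. what %SIGALGO% reported in the thread above.
sig_algorithm() {
    awk '/^ *Signature Algorithm:/ { print $NF; exit }'
}

# Stand-alone demonstration: the RSA-signed EC cert is a 256 bit EC key,
# even though its signature algorithm is sha256WithRSAEncryption.
for sample in "$RSA_CERT_TEXT" "$EC_CERT_TEXT" "$ED25519_CERT_TEXT"; do
    printf 'key: %s\tsignature: %s\n' \
        "$(printf '%s\n' "$sample" | key_summary)" \
        "$(printf '%s\n' "$sample" | sig_algorithm)"
done
```

The parsed fields come from the leaf certificate, which the plugin already retrieves, so the key type and size do not depend on handshake-level lines such as the "Peer signature type" printed by s_client. A key with no printed size (Ed25519 here) is reported by its algorithm name only rather than with a guessed bit length.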

matteocorti commented 2 years ago

See https://security.stackexchange.com/questions/141661/whats-the-difference-between-public-key-algorithm-and-signature-algorithm-i

matteocorti commented 2 years ago

Fixed in bc4fa02

lukastribus commented 2 years ago

Great, thank you!