ssl证书有效性检测

因为公司的业务原因,所以基本上全站都是使用https。然后又因为各种各样的问题造成有的域名不能使用通配符证书,只能使用单独的证书,这样就造成了网络配置上同一个应用要配置多个公网IP以便绑定不同的证书(很多浏览器不支持SNI,所以只能配置多个IP了)。今天简单写了一个脚本,测试了一下可以把某个机房全站应用的公网IP对于的证书都检查一遍。

脚本如下:

[pl]

#!/usr/bin/env perl
#===============================================================================
#
# FILE: comcheck.pl
#
# USAGE: perl comcheck.pl host_list
#
# DESCRIPTION: test ssl cert
#
# OPTIONS: —
# REQUIREMENTS: —
# BUGS: —
# NOTES: —
# AUTHOR: @GNUer

# VERSION: 1.0
# CREATED: 2012年09月18日 09时48分21秒
# REVISION: —
#===============================================================================

use strict;
use warnings;
use utf8;
use IO::Socket::SSL;
my %vips;
if ( !-f $ARGV[0] ) {
&help;
}
open my $HOSTS, "<$ARGV[0]" or die "open $ARGV[0]\n";
while ( my $line = <$HOSTS> ) {
if ( $line =~ /\s*([\d\.]+)\s+(.*)\s*#/ ) {
my $tdms = $2;
my $ip = $1;
my @dms = split( /\s+/, $tdms );
foreach (@dms) {
$vips{$_} = $ip;
}
}
}
close $HOSTS;

foreach my $name ( sort keys %vips ) {
my $ip = $vips{$name};
&check_cert_com( $ip, $name );
}

sub check_cert_com() {
my $vip = shift;
my $hostname = shift;
chomp $hostname;
chomp $vip;
my $sock = IO::Socket::SSL->new(
PeerAddr => $vip,
PeerPort => ‘443’,
Proto => ‘tcp’,
SSL_verify_mode => 0x00, #does no authentication.
Timeout => 3,

#You may combine 0x01 (verify peer),
# 0x02 (fail verification if no peer certificate exists; ignored for clients)
# 0x04 (verify client once) to change the default.
SSL_hostname => $hostname, # specifiy the hostname used for SNI
SSL_verifycn_name => $hostname, #Set the name which is used in verification of hostname
SSL_ca_path => "/etc/ssl/certs/",

);

if ( !( ref $sock eq "IO::Socket::SSL" ) ) {
print "connect $hostname failed\n";
return 1;
}
if ( $sock->verify_hostname( $hostname, ‘http’ ) ) {
print "$hostname verification ok\n";
return 0;
}
else {
print STDERR "$hostname verify failed\n";
}
my $comname = $sock->peer_certificate("commonName");
my $tname = $hostname;
my $tcom = $comname;
$tname =~ s/\.xxx.com//g;
$tcom =~ s/\.xxx.com//g;
if ( $tcom eq "*" && $tname !~ /\./ ) {
;
print "$hostname $comname\n";
}
elsif ( $tname eq $tcom ) {
;
# print "$hostname eq $comname\n";
}
else {

print STDERR "$vip \e[1;32m$hostname\e[m error cert:\e[1;31m $comname\e[m\n";
}
$sock->close();

}

sub help() {
print "perl comcheck.pl hostlist\n";
exit 0;
}

[/pl]

输入文件的格式如下:

12.75.123.70 app1.xxx.com #appxxx
12.75.123.20 app2.xxx.com #appxxx
12.75.123.76 app3.xxx.com #appxxx
12.75.123.42 app41.xxx.com app42.xxx.com air.xxx.com #appxxx
12.75.123.43 app5xxx.com #appxxx

如果只看错误的话可以

perl certcheck.pl host >/dev/null

此条目发表在Perl Script分类目录。将固定链接加入收藏夹。

发表评论