From 9fe7e95bf8d3e683b826c61d1c79d01d1463fa99 Mon Sep 17 00:00:00 2001 From: Emmanuel Lacour Date: Tue, 6 Jun 2006 19:30:26 +0000 Subject: [PATCH 1/1] Initialize repository with 0.6.2 --- debian/README.Debian | 5 + debian/changelog | 65 ++++++++++ debian/compat | 1 + debian/control | 14 ++ debian/copyright | 24 ++++ debian/cron.d | 8 ++ debian/default | 2 + debian/dirs | 2 + debian/docs | 1 + debian/install | 2 + debian/rules | 52 ++++++++ sslexpire/README | 49 +++++++ sslexpire/copyright | 16 +++ sslexpire/sslexpire | 330 +++++++++++++++++++++++++++++++++++++++++++++++ sslexpire/sslexpire.conf | 12 ++ 15 files changed, 583 insertions(+) create mode 100644 debian/README.Debian create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/cron.d create mode 100644 debian/default create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100644 debian/install create mode 100755 debian/rules create mode 100644 sslexpire/README create mode 100644 sslexpire/copyright create mode 100755 sslexpire/sslexpire create mode 100644 sslexpire/sslexpire.conf diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..7402d4c --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,5 @@ +Debian-specific sslexpire configuration +--------------------------------------- + +This program can be configured to run periodically via cron. You configure this +by editing /etc/default/sslexpire. diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..ddb255a --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,65 @@ +sslexpire (0.6.2-1) unstable; urgency=low + + * Removed debian directory from upstream + * Packaging cleanup + + -- Emmanuel Lacour Wed, 17 May 2006 20:49:37 +0200 + +sslexpire (0.6.1) unstable; urgency=low + + * A small bug with too much \n ... in sendmail function. + + -- Emmanuel Lacour Sat, 26 Jul 2003 18:23:10 +0200 + +sslexpire (0.6) unstable; urgency=low + + * Changes inspired from Mark D. Nagel : + * replaced call to date -d with use of str2time from Date::Parse + * merged the two openssl calls into one (for efficiency) + * created variables to point to the openssl and sendmail binaries + * replaced the use of 'mail' with 'sendmail -t' (mail command could easily + introduce security flaws) + * some typos + + -- Emmanuel Lacour Sat, 26 Jul 2003 17:42:35 +0200 + +sslexpire (0.5) unstable; urgency=low + + * Leave Makefile + * Move files in topdir + * simplify using dh_install + + -- Emmanuel Lacour Thu, 1 May 2003 22:10:33 +0200 + +sslexpire (0.4) unstable; urgency=low + + * More doc + * cleanup makefile + * cleanup debian tree + * use binary-indep in debian/rules + + -- Emmanuel Lacour Thu, 1 May 2003 20:36:03 +0200 + +sslexpire (0.3) unstable; urgency=low + + * Fixed bug which make -h and -p unusable + + -- Emmanuel Lacour Wed, 30 Apr 2003 18:06:07 +0200 + +sslexpire (0.2) unstable; urgency=low + + * Easier config file + * Use of IO::Socket instead of Socket + * Options enhancement + + -- Emmanuel Lacour Wed, 30 Apr 2003 17:31:54 +0200 + +sslexpire (0.1) unstable; urgency=low + + * Initial Release. + + -- Emmanuel Lacour Fri, 18 Apr 2003 13:58:52 +0200 + +Local variables: +mode: debian-changelog +End: diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..8de603c --- /dev/null +++ b/debian/control 
@@ -0,0 +1,14 @@ +Source: sslexpire +Section: admin +Priority: optional +Maintainer: Emmanuel Lacour +Build-Depends: debhelper (>= 5.0.7) +Standards-Version: 3.7.2 + +Package: sslexpire +Architecture: all +Depends: ${perl:Depends}, libtimedate-perl, libnet-ssleay-perl (>= 1.0.8), openssl (>= 0.9.6c), exim4 | mail-transport-agent +Description: Remote ssl expiration date check + This program checks ssl certificate expiration date by connecting on a remote + host to the given port and print the result or send it by mail. It uses a + configuration files which allow to periodically check multiples hosts:port. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..7187f15 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,24 @@ +This package was debianized by Emmanuel Lacour on +Wed, 17 May 2006 20:45:55 +0200. + +It was downloaded from http://sslexpire.home-dn.net/ + +Copyright Holder: Emmanuel Lacour + +License: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + +see /usr/share/common-licenses/GPL for all details. diff --git a/debian/cron.d b/debian/cron.d new file mode 100644 index 0000000..fdc2bf5 --- /dev/null +++ b/debian/cron.d 
@@ -0,0 +1,8 @@
+# This will check all hosts in sslexpire config file every day at 01h01 and
+# send mail if the expiration date is going to be expired.
+#
+
+DEFAULT=/etc/default/sslexpire
+CRONJOB=false
+
+1 1 * * * nobody [ -x /usr/bin/sslexpire ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$CRONJOB" = "true" ] && /usr/bin/sslexpire -m ; }
diff --git a/debian/default b/debian/default
new file mode 100644
index 0000000..a08d699
--- /dev/null
+++ b/debian/default
@@ -0,0 +1,2 @@
+# Should we run sslexpire periodically by cron?
+CRONJOB=false
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..9674168
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,2 @@
+usr/share/man/man1
+etc/default
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..afeef9c
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,2 @@
+sslexpire usr/bin
+sslexpire.conf etc/sslexpire
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..564a155
--- /dev/null
+++ b/debian/rules
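Review bot: The job line in debian/cron.d sets no `MAILTO`, so anything sslexpire writes to stderr when run here — the `die "sendmail: exit status ..."` in the script or Perl warnings under `-w` — is mailed to the `nobody` account rather than to an administrator; add `MAILTO=root` next to the `DEFAULT`/`CRONJOB` variables. The `CRONJOB=false` environment line appears to exist only so the `[ "$CRONJOB" = "true" ]` test has a defined value when `/etc/default/sslexpire` is missing, which an empty variable already gives; a comment such as `# CRONJOB is overridden by sourcing $DEFAULT; the job only runs when that file sets it to true` would make the intent clear to the next packager.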
@@ -0,0 +1,52 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. +# +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +build: + +clean: + dh_testdir + dh_testroot + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + dh_install + pod2man --section=1 sslexpire > $(CURDIR)/debian/sslexpire/usr/share/man/man1/sslexpire.1 + chmod 0755 debian/sslexpire/usr/bin/sslexpire + cp $(CURDIR)/debian/default $(CURDIR)/debian/sslexpire/etc/default/sslexpire + + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs + dh_installcron + dh_installman + dh_link + dh_compress + dh_fixperms + dh_perl + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: build install + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install diff --git a/sslexpire/README b/sslexpire/README new file mode 100644 index 0000000..c10cfd5 --- /dev/null +++ b/sslexpire/README 
@@ -0,0 +1,49 @@ +This tool provides remote check for ssl certificate expiration date. +It connects to hosts:port, retrieve the expiration date and show you if it's +going to expire or if it's expired, regarding the alert parameter (how many +days before to alert) + +It is released under the GNU GPL (see copyright for more details). + +Requirements: +------------ +You need to have perl installed with at least the following modules: + +IO::Socket +Net::SSLeay +Getopt::Long +Date::Parse + +You also need the following commands: + +- openssl +- sendmail +(see the beginning of the script for command paths customization) + +Installation: +------------ + +Put sslexpire in your PATH (/usr/local/bin for example). +The default location for the configuration file is /etc/sslexpire/sslexpire.conf. + +You can install a manpage by running: + +pod2man --section=1 /path/to/sslexpire | gzip -c > /usr/share/man/man1/sslexpire.1.gz + +Usage: +----- + +Just run "sslexpire --help" to get command options and have a look at +"/etc/sslexpire/sslexpire.conf" to understand config file options. + +If you wan't to check automatically hosts specified in config file, put a line +like this in your /etc/crontab: + +# This will check all hosts in sslexpire config file evry day at 01h01 and send +# mail if the expiration date is going to be expired. +# +1 1 * * * nobody [ -x /usr/bin/sslexpire ] && sslexpire -m + + +I suggest that you run your cron as a non-privileged user like the nobody user +used above (root isn't necessary so...). diff --git a/sslexpire/copyright b/sslexpire/copyright new file mode 100644 index 0000000..82db942 --- /dev/null +++ b/sslexpire/copyright 
@@ -0,0 +1,16 @@
+Copyright (C) 2002 Emmanuel Lacour
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+ USA.
diff --git a/sslexpire/sslexpire b/sslexpire/sslexpire
new file mode 100755
index 0000000..610badf
--- /dev/null
+++ b/sslexpire/sslexpire
@@ -0,0 +1,330 @@ +#!/usr/bin/perl -w +# Check peer certificate validity +# Require perl module : IO::Socket, Net::SSLeay, Date::Parse +# Require unix programs : openssl, echo, sendmail +# +# Copyright (C) 2003 Emmanuel Lacour +# +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2, or (at your option) any +# later version. +# +# This file is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied warranty +# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this file; see the file COPYING. If not, write to the Free +# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + + +# Local variables are prefixed with "l_" + +use strict; +use IO::Socket; +use Net::SSLeay; +use Getopt::Long; +use Date::Parse; + +Net::SSLeay::SSLeay_add_ssl_algorithms(); +Net::SSLeay::randomize(); + +my $VERSION = '0.6.2'; +my $AUTHOR = 'Emmanuel Lacour, '; +# Default values +my $opensslpath = "/usr/bin/openssl"; +my $sendmailpath = "/usr/lib/sendmail"; +my $mailreport = 0; +my $alert = 5; +my $mail = "root"; +my $conf = "/etc/sslexpire/sslexpire.conf"; + +my %hosts; +my $host; +my @ports; +my $port; +my $portlist; +my $rhost; +my $rport; +my $tmp; + + + +# Get options +# output : -m = mail, default = stdout +# host : -h host, -p port, default = from config file +# config : -f configfile, default /etc/sslexpire/sslexpire.conf +# standard : --help, --version + +my %opts; +GetOptions (\%opts, + 'host|h=s', + 'port|p=s', + 'mail|m', + 'conf|c=s', + 'verbose|v', + 'help', + 'version|'); + +if (($opts{'host'}) && ($opts{'port'})) { + push @{$hosts{$opts{'host'}}}, $opts{'port'}; +} + +$mailreport = 1 if ($opts{'mail'}); + +if 
($opts{'conf'}) { + $conf = $opts{'conf'}; +} + +if ($opts{'help'}) { + &usage; +} + +if ($opts{'version'}) { + print "sslexpire $VERSION\n"; + print "Written by $AUTHOR\n"; + exit; +} + +# Parse config file + + +if (-f $conf) { + open (CONF,$conf); + + while () { + # Skip comments + next if (/^[ ]*#/); + # Alert param. + if (/^alert[ ]*=/) { + ($tmp,$alert) = split /=/, $_; + # Mail param. + } elsif (/^mail[ ]*=/) { + ($tmp,$mail) = split /=/, $_; + # Use hosts from config file if noone are given by command line + } elsif ((!$opts{'host'}) && (!$opts{'port'}) && (/:/)) { + ($tmp,$portlist) = split /:/, $_; + chomp ($tmp); + chomp ($portlist); + # There is multiple ports + if (/,/) { + @ports = split /,/, $portlist; + foreach (@ports) { + push @{$hosts{$tmp}}, $_; + } + # There is only one port + } else { + push @{$hosts{$tmp}},$portlist; + } + } + + } + + close CONF; +} + +# Print program usage +sub usage { + print "Usage: sslexpire [OPTION]... +-h, --host=HOST check only this host +-p, --port=TCPPORT check this port on the previous host +-m, --mail report by mail instead of STDOUT +-c, --conf=FILE use this config file + --help print this help, then exit +"; + exit; +} + + +# This will return the expiration date +sub getExpire { + + my ($l_host,$l_port) = @_; + my ($l_expdate,$l_comment); + + # Connect to $l_host:$l_port + my $socket = IO::Socket::INET->new( + Proto => "tcp", + PeerAddr => $l_host, + PeerPort => $l_port + ); + # If we connected successfully + if ($socket) { + # Intiate ssl + my $l_ctx = Net::SSLeay::CTX_new(); + my $l_ssl = Net::SSLeay::new($l_ctx); + + Net::SSLeay::set_fd($l_ssl, fileno($socket)); + my $res = Net::SSLeay::connect($l_ssl); + + # Get peer certificate + my $l_x509 = Net::SSLeay::get_peer_certificate($l_ssl); + if ($l_x509) { + my $l_string = Net::SSLeay::PEM_get_string_X509($l_x509); + # Get the expiration date, using openssl + ($l_expdate,$l_comment) = split(/\n/, `echo "$l_string" | $opensslpath x509 -enddate -subject -noout 
2>&1`); + $l_expdate =~ s/.*=//; + chomp($l_expdate); + } else { + $l_expdate = 1; + $l_comment = 1; + } + + # Close and cleanup + Net::SSLeay::free($l_ssl); + Net::SSLeay::CTX_free($l_ctx); + close $socket; + } else { + $l_expdate = 1; + $l_comment = 1; + } + return ($l_expdate,$l_comment); +} + + +# Report if needed +# +# +sub report { + # Convert date into epoch using date command + my ($l_expdate,$l_comment,$l_host,$l_port) = @_; + my $l_subject = ""; + + if ($l_expdate ne "1") { + # The current date + my $l_today = time; + my $l_epochdate = str2time($l_expdate); + + # Calculate diff between expiration date and today + my $l_diff = ($l_epochdate - $l_today)/(3600*24); + + # Report if needed + if ($l_diff < $alert) { + $l_subject = "Warning ssl certificate on $l_host:$l_port expires in $l_diff days:" if ($l_diff > 1); + $l_subject = "Warning ssl certificate on $l_host:$l_port expires today:" if (($l_diff > 0) && ($l_diff < 1)); + $l_subject = "Warning ssl certificate on $l_host:$l_port expired:" if ($l_diff <= 0); + my $l_mesg = "Expiration date: $l_expdate\n$l_comment\n"; + # Mail report + if ($mailreport) { + sendmail($mail, $l_subject, $l_mesg); + } else { + print "$l_subject\n"; + print "$l_mesg\n"; + } + } + } else { + $l_subject = "Unable to read certificate on $l_host:$l_port!"; + if ($mailreport) { + sendmail($mail, $l_subject, ""); + } else { + print "$l_subject\n"; + } + } +} + + +# Send mail - sendmail (to,subject,body) +sub sendmail { + my $to = shift; + my $subj = shift; + my $mesg = shift; + chomp ($to); + chomp ($subj); + chomp ($mesg); + open (MAIL,"| $sendmailpath -t") or die "Couldn't open $sendmailpath"; + print MAIL "To: $to\n"; + print MAIL "Subject: $subj\n"; + print MAIL "\n"; + print MAIL "$mesg\n" if $mesg; + close MAIL; + if ((my $status = $?>>8) != 0) { + die "sendmail: exit status $status\n"; + } +} + +# Main +# + + +# We haven't hosts to check... 
+if (!%hosts) {&usage;}; + + +# Parse hosts +foreach $host (keys %hosts) { + # Parse ports for each hosts + foreach $port (@{$hosts{$host}}) { + if ($opts{'verbose'}) { + print "Checking\t$host:$port\n"; + } + + # Get expiration date + my ($expdate,$comment) = &getExpire($host,$port); + + # Report + &report("$expdate","$comment","$host","$port"); + } +} + + +# script documentation (POD style) + +=head1 NAME + +sslexpire - Remotely check ssl certificate expiration date. + +=head1 DESCRIPTION + +This program connect to an host:port to retrieve the expiration date of the ssl +certificate. It gives a report to STDOUT or by email using configuration file. + +=head1 COMMAND LINE PARAMETERS + +Optional command line parameters are the host and the port to connect. This +allow checking a single host instead of using those given in the configuration +file for periodically checks. + +=head1 OPTIONS + +=head2 B<-c> I, B<--conf>=I + +Specify an alternate config file. + +=head2 B<-h> I, B<--host>=I + +Connect to I instead of those given in the config file. + +=head2 B<-p> I, B<--port>=I + +Specify the port to connect to (used in conjonction with --host). + +=head2 B<-v>, B<--verbose> + +Prints out verbose messages. + +=head2 B<-m>, B<--mail> + +Send report by mail instead of STDOUT. It will use the address given in the +config file or root by default. + +=head2 B<--help> + +Prints out command-line help. + +=head2 B<--version> + +Prints out version information. + +=head1 FILES + +/etc/sslexpire/sslexpire.conf + +=head1 AUTHOR + +Emmanuel Lacour, elacour@home-dn.net + +=cut diff --git a/sslexpire/sslexpire.conf b/sslexpire/sslexpire.conf new file mode 100644 index 0000000..a23e839 --- /dev/null +++ b/sslexpire/sslexpire.conf 
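Review bot: In getExpire the PEM certificate received from the remote peer is interpolated into a shell command line (`echo "$l_string" | $opensslpath x509 -enddate -subject -noout 2>&1`), so server-controlled bytes reach /bin/sh; PEM output is base64 plus BEGIN/END markers in practice, but the robust fix is to drop the shell and read the fields through Net::SSLeay, e.g. `$l_expdate = Net::SSLeay::P_ASN1_UTCTIME_put2string(Net::SSLeay::X509_get_notAfter($l_x509));` and `$l_comment = 'subject=' . Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($l_x509));` (present in the Net::SSLeay releases I know of — confirm against the `>= 1.0.8` floor in debian/control), which also removes the openssl and echo requirements. The handshake result `$res = Net::SSLeay::connect($l_ssl)` is never inspected, so a failed handshake falls through to get_peer_certificate instead of being reported as unreadable. In report, `str2time($l_expdate)` returns undef for a date string it cannot parse, and the subtraction below then classifies the certificate as expired; guard with `if (!defined $l_epochdate) { ... }` and report it like the unreadable case. The config file is opened with the two-argument, unchecked `open (CONF,$conf);` — prefer `open(my $conf_fh, '<', $conf) or die "open $conf: $!";` — and the readline in `while () {` appears to have lost its `<CONF>` handle in rendering, so this hunk should be checked against the actual file.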
@@ -0,0 +1,12 @@
+# This is the config file for sslexpire
+# When to alert (day before certificate expiration date)
+alert = 5
+
+# Mail address where reports will be sent
+mail = root
+
+# Hosts:port1,port2... to be checked, one per line
+# Examples:
+# 10.0.0.2:443,995
+# www.mydomain.com:https,995
+# 127.0.0.1:smtp
-- 2.11.0