Guillaume Destuynder (:kang)

Guillaume Destuynder (:kang)

hacking stuff, one bug at a time

less than 1 minute read

It’s some easy thing to do, but not explained anywhere. Python certificate support is inexistant, coding your own SSL wrapper kinda sucks.. well, there’s openssl anyways!

The thing is, openssl man page is kinda long and obscure, so here’s a snippet that’ll do it, since I will forget about the options in 2 days from now … :p

Usage: ./check_expiration www.verisign.com
[-] Certificate for www.verisign.com has not expired yet: May 8 23:59:59 2009 GMT

#!/bin/bash
dates=$(echo "GET /" |openssl s_client -connect "$1:443" 2> /dev/null |openssl x509 -noout -dates)
# For STARTTLS over e.g. smtp, replace the offending field by:
# openssl s_client -connect "$1:25" -starttls smtp
if [ -z "$dates" ]; then
    echo "[!] Invalid IP, not SSL or no cert found"
    exit 2
fi
not_after=$(echo $dates|cut -d '=' -f 3)
now_epoch=$(date +%s)
not_after_epoch=$(date +%s -d "$not_after")
if [ $now_epoch -gt $not_after_epoch ]; then
    echo "[!] Certificate for $1 has expired: $not_after"
    exit 1
else
    echo "[-] Certificate for $1 has not expired yet: $not_after"
fi

Updated:

Comments

You May Also Enjoy

Mueller Report

1 minute read

These are just my notes about the operational security pieces that are relevant to the US’s Mueller report about Russian interference with US elections of 20...

Containers, systemd-nspawn and overlayfs

7 minute read

This is a little blurb about how to use namespaces most efficiently at the time of writting. In particular, systemd-nspawn offers a lot of flexibility, is li...

Sheeva plug

4 minute read

The Sheeva plug is a relatively old ARM-based (ARMv5, Kirkwood/Feroceron CPU) “plug-style” Linux box, with 512Mb NAND flash, an SDCard reader, and an ethern...