#!/usr/bin/env bash
# SSL-checker: prints certificate expiry, lowest negotiable TLS version and
# issuer CN for one host (-d) or for every CNAME/A name of an AWS Route53
# hosted zone (-p aws -z <id>). External tools: nc, openssl, nmap, aws.
VERSION=0.2
NAME="SSL-checker"

# Global values
SSL_PORT="443"           # port probed on every host
SSL_TIMEOUT_CHECK="1"    # nc -w timeout for the port probe
SSL_WARNING_DAYS="14"    # warn when the certificate expires sooner than this
SSL_WARNING_SEC=$(( SSL_WARNING_DAYS * 86400 ))   # same value for openssl -checkend
ROUTE53_MAXITEMS="500"   # --max-items handed to the aws cli
# NOTE(review): fixed, relative path in the caller's cwd — in a shared directory
# it can be pre-created or replaced by someone else; mktemp would be safer.
ROUTE53_TMPFILE="./list_dns_entries.txt"
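function minTLS() {
  # Print the first (lowest) protocol version nmap's ssl-enum-ciphers script
  # lists for the host on SSL_PORT, prefixed with a colour escape. The escape
  # is left literal here; the caller prints it through `echo -e`.
  # Globals (read): SSL_PORT
  # Arguments: $1 - host name
  # Outputs:   "\e[9Xm>=<version>" on stdout, or "\e[91m_error_" when no
  #            version could be parsed (nmap missing, port closed, ...)
  local DOMAIN=$1
  local result_tls min_tls
  result_tls=$(nmap --script ssl-enum-ciphers -p "$SSL_PORT" "$DOMAIN")
  # Flatten the multi-line report to one line (what the old unquoted echo did,
  # without letting nmap's output be glob-expanded), then keep the first
  # protocol name that follows "ssl-enum-ciphers:".
  min_tls=$(printf '%s\n' "$result_tls" | tr -s '[:space:]' ' ' \
    | sed -r -e "s/^.*ssl-enum-ciphers:[[:space:]]+\|[[:space:]]+([A-Za-z0-9.]+):.*$/\1/g")
  case "$min_tls" in
    SSL*|TLSv1.0) printf '%s\n' "\e[91m>=${min_tls}" ;;   # red: obsolete
    TLSv1.1)      printf '%s\n' "\e[93m>=${min_tls}" ;;   # yellow: deprecated
    TLSv1.*)      printf '%s\n' "\e[92m>=${min_tls}" ;;   # green: TLS 1.2+
    *)            printf '%s\n' "\e[91m_error_" ;;
  esac
}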
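function checkSSL () {
  # Probe one host on SSL_PORT; when the port answers, fetch the presented
  # certificate and print one status line: expiry within SSL_WARNING_SEC,
  # minimum TLS version (minTLS) and issuer CN.
  # Globals (read): SSL_PORT, SSL_TIMEOUT_CHECK, SSL_WARNING_SEC
  # Arguments: $1 - host name
  # Outputs:   one coloured line on stdout; nothing when the port is closed
  # Returns:   1 when no certificate could be read, 0 otherwise
  local DOMAIN=$1
  local SSL_STATUS SSL_ISSUER SSL_VALID SSL_END_DATE

  # TCP reachability only; a closed or filtered port is silently skipped.
  if ! nc -w "$SSL_TIMEOUT_CHECK" -z "$DOMAIN" "$SSL_PORT" &> /dev/null; then
    return 0
  fi

  # No -verify option is passed, so the chain is not validated here: this only
  # reports what the server presented. -checkend compares notAfter with the
  # local clock plus SSL_WARNING_SEC.
  SSL_STATUS=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:$SSL_PORT" 2>/dev/null \
    | openssl x509 -noout -issuer -enddate -checkend "$SSL_WARNING_SEC")
  if [[ -z "$SSL_STATUS" ]]; then
    # Handshake failed or the port does not speak TLS: report it instead of
    # printing a green line with empty fields.
    echo -e "\e[91m\u274c \e[39mSSL $DOMAIN - Port=Open - \e[91mno certificate retrieved\e[39m"
    return 1
  fi

  # x509 prints one field per line: "issuer=...", "notAfter=... GMT" and the
  # -checkend verdict "Certificate will [not] expire".
  # NOTE(review): the "CN = " separator matches OpenSSL >= 1.1 name formatting;
  # older builds print "CN=" and would yield an empty issuer — confirm.
  SSL_ISSUER=$(printf '%s\n' "$SSL_STATUS" | awk -F 'CN = ' '/^issuer=/ {print $2}')
  SSL_VALID=$(printf '%s\n' "$SSL_STATUS" | grep -E '^Certificate will')
  SSL_END_DATE=$(printf '%s\n' "$SSL_STATUS" | sed -n 's/^notAfter=//p')

  if [[ "$SSL_VALID" == "Certificate will expire" ]]; then
    echo -e "\e[91m\u274c \e[39mSSL $DOMAIN - Port=Open - \e[91m$SSL_VALID: $SSL_END_DATE \e[39m- $(minTLS "$DOMAIN") \e[39m- Issuer=$SSL_ISSUER"
  else
    echo -e "\e[92m\u2714 \e[39mSSL $DOMAIN - Port=Open - \e[92m$SSL_VALID \e[39m- $(minTLS "$DOMAIN") \e[39m- Issuer=$SSL_ISSUER"
  fi
}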
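function getDNSRecords () {
  # Write the CNAME and A record names of one Route53 hosted zone to
  # ROUTE53_TMPFILE, one name per line: the aws text output is tab separated,
  # the trailing dot of each FQDN is stripped (a trailing dot is not valid in
  # an SNI name), wildcard records (leading '*') and blank lines are dropped.
  # Globals (read): ROUTE53_HOSTZONE, ROUTE53_MAXITEMS, ROUTE53_TMPFILE
  # NOTE(review): no NextToken handling — a zone with more than
  # ROUTE53_MAXITEMS records is silently truncated.
  local type
  {
    for type in CNAME A; do
      aws route53 list-resource-record-sets \
        --hosted-zone-id "$ROUTE53_HOSTZONE" \
        --max-items="$ROUTE53_MAXITEMS" \
        --query "ResourceRecordSets[?Type == '$type'].Name" \
        --output text
    done
  } | tr '\t' '\n' | sed -e 's/\.$//' -e '/^\*/d' -e '/^$/d' > "$ROUTE53_TMPFILE"
}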
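function awsSrc () {
  # Check every name produced by getDNSRecords.
  # Globals (read): ROUTE53_TMPFILE
  local dnsValue
  getDNSRecords
  # "|| [[ -n ... ]]" keeps a last line that has no trailing newline.
  while IFS= read -r dnsValue || [[ -n "$dnsValue" ]]; do
    [[ -n "$dnsValue" ]] || continue   # skip blank lines in the record list
    checkSSL "$dnsValue"
  done < "$ROUTE53_TMPFILE"
}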
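function domainSrc () {
  # Check the single host given on the command line.
  # Arguments: $1 - host name
  local target=$1
  checkSSL "$target"
}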
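function clean () {
  # Remove the record list written by getDNSRecords.
  # Globals (read): ROUTE53_TMPFILE
  if [[ -n "$ROUTE53_TMPFILE" ]]; then
    rm -f -- "$ROUTE53_TMPFILE"
  fi
}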
function printHelp () {
  # Usage text: name/version line, option synopsis, then one tab-indented
  # line per option.
  # Globals (read): NAME, VERSION
  local -a lines=(
    "$NAME - v${VERSION}"
    "Usage: [-d <domain>] [-p <aws> -z <hosted-zone-id>] [-v] [-h]"
    $'\t -d: [sub]domain you want check'
    $'\t -p: provider, for the moment only \'aws\' is available'
    $'\t -z: hosted zone id on AWS'
    $'\t -v: print version'
    $'\t -h: print help'
  )
  printf '%s\n' "${lines[@]}"
}
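# ---- entry point ----------------------------------------------------------
simpleDomain=""
hostedZoneId=""
provider=""
# Leading ':' in the optstring: getopts reports an unknown option as '?' and a
# missing option argument as ':' (letter in OPTARG) instead of printing its
# own diagnostics, so both cases need an arm here.
while getopts :hvp:z:d: option; do
  case "${option}" in
    h)
      printHelp
      exit 0
      ;;
    v)
      echo "$NAME v$VERSION"
      exit 0
      ;;
    p) provider=${OPTARG} ;;
    z) hostedZoneId=${OPTARG} ;;
    d) simpleDomain=${OPTARG} ;;
    :)
      echo "Option -$OPTARG requires an argument" >&2
      printHelp
      exit 1
      ;;
    \?|*)
      echo "Invalid option: -$OPTARG" >&2
      printHelp
      exit 1
      ;;
  esac
done

# -d wins over the provider mode when both are given.
if [[ -n "$simpleDomain" ]]; then
  domainSrc "$simpleDomain"
  exit 0
fi
if [[ -n "$hostedZoneId" && "$provider" == "aws" ]]; then
  ROUTE53_HOSTZONE=$hostedZoneId
  trap clean EXIT   # the record list is removed on every exit path
  awsSrc
  exit 0
fi
echo "bad argument" >&2
printHelp
exit 1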