Bulk Domains Certificates Data Check

Bash script to check domain certificates' data

Anjanesh Lekshminarayanan · Mar 14, 2023

I am on Ubuntu 22.04 and I got this while trying to execute:

echo | openssl s_client -showcerts -servername somewhere.some-domain.com -connect somewhere.some-domain.com:443

CONNECTED(00000003)
804BEB97177F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:879:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 444B4801123BC7B1F514AC456251FE627A0C3E03385A651AC6D52B8347B25285
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1678785503
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

The "unsafe legacy renegotiation disabled" line means OpenSSL 3 refused to talk to a server that does not advertise RFC 5746 secure renegotiation. The workaround is to re-enable legacy renegotiation in the system-wide OpenSSL config. Note that this file applies to every program on the machine that uses the system OpenSSL, so remove the option again when the check is done (or point OPENSSL_CONF at a separate copy of the config used only for this script).

sudo vi /usr/lib/ssl/openssl.cnf

At the end, under [system_default_sect], insert Options = UnsafeLegacyRenegotiation so that it looks like this:

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
Options = UnsafeLegacyRenegotiation

Now you can run this script on any Ubuntu machine:

https://gist.github.com/apankrat/062efc40f8f2dafeca8d8561b87374e7

The code is reproduced here, in case it is deleted from GitHub:

#!/bin/bash
# One hostname per line; a line starting with # is skipped.
sites="
reddit.com
google.com
microsoft.com
news.ycombinator.com
twitter.com
anjanesh.com
anjanesh.dev
anjanesh.digital
"

tmp=/tmp/cert-check.out
now=$(date +%s)    # current time as a Unix timestamp

echo "site,match,subject,expires,left,issuer"

for site in $sites
do
        if [[ $site == \#* ]]; then continue; fi

        printf '%s,' "$site"

        # Fetch the leaf certificate and dump it as text for the greps below.
        echo | openssl s_client -showcerts -servername "$site" -connect "$site:443" 2>/dev/null | openssl x509 -inform pem -noout -text > "$tmp"

        # Issuer organisation: text after the last "O=" up to the next comma.
        issuer=$(grep 'Issuer:' "$tmp")
        issuer=${issuer##*O=}
        issuer=${issuer%%,*}

        # Subject common name: text after the last "CN=" up to the next comma.
        subject=$(grep 'Subject:' "$tmp")
        subject=${subject##*CN=}
        subject=${subject%%,*}

        # $subject is deliberately unquoted so a wildcard CN such as *.example.com
        # acts as a glob; the second test lets it match the bare domain as well.
        if [[ $site == $subject ]] || [[ ".$site" == $subject ]]; then match='Yes'; else match='!'; fi

        # "Not After : Mar 14 23:59:59 2024 GMT" -> 2024-03-14 -> epoch seconds
        expires=$(grep 'Not After' "$tmp")
        expires=$(date '+%Y-%m-%d' -d "${expires#*:}")
        epoch=$(date -d "$expires" +%s)

        if [ "$epoch" -lt "$now" ]
        then
                left='EXPIRED'
        else
                days=$(( (epoch - now) / 86400 ))
                left="$days days"
        fi

        printf '%s,' "$match" "$subject" "$expires" "$left"
        echo "$issuer"
done
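As an added example (not code from the post or the gist), the following keeps the renegotiation workaround scoped to this one check by pointing OPENSSL_CONF at a throwaway config instead of editing /usr/lib/ssl/openssl.cnf, and pairs it with a stricter name check (a wildcard covers exactly one leading label, as RFC 6125 requires) and an expiry parser that handles the already-expired case. The config path and the sample "Not After" lines are constructed; GNU date and OpenSSL 3 are assumed.

```bash
#!/bin/bash
# Added example, not from the post or the gist. Assumed: GNU date, OpenSSL 3,
# and a scratch path for the config; sample 'Not After' lines are constructed.

# A throwaway config that copies the post's system_default section and adds the
# legacy-renegotiation option, so it only applies when OPENSSL_CONF points here.
write_scoped_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
Options = UnsafeLegacyRenegotiation
EOF
}

# Does hostname $1 match certificate name $2? A wildcard covers exactly one
# leading label (RFC 6125): www.example.com matches *.example.com, while
# example.com and a.b.example.com do not.
name_matches() {
    local host=$1 name=$2
    if [[ $name == \*.* ]]; then
        [[ $host == *.* && ${host#*.} == "${name:2}" ]]
    else
        [[ $host == "$name" ]]
    fi
}

# Read 'openssl x509 -text' output on stdin and print the number of whole days
# until 'Not After'; prints -1 if already expired, returns 2 if the field is absent.
days_left() {
    local line expires now
    line=$(grep -m1 'Not After' || true)
    if [[ -z $line ]]; then echo "no 'Not After' field" >&2; return 2; fi
    expires=$(date -d "${line#*:}" +%s)
    now=$(date +%s)
    if (( expires < now )); then echo -1; else echo $(( (expires - now) / 86400 )); fi
}

# Network step: fetch the leaf cert with the scoped config and report days left.
check_site() {
    local site=$1 conf=${TMPDIR:-/tmp}/cert-check-scoped.cnf
    write_scoped_conf "$conf"
    echo | OPENSSL_CONF="$conf" openssl s_client -servername "$site" -connect "$site:443" 2>/dev/null \
        | openssl x509 -noout -text | days_left
}
```

Run `check_site example.com` to exercise the network path; only the parsing and matching helpers run offline.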
 