Bulk Domains Certificates Data Check
Bash script to check domain certificates' data
I am on Ubuntu 22.04 and I got this while trying to execute:
echo | openssl s_client -showcerts -servername somewhere.some-domain.com -connect somewhere.some-domain.com:443
CONNECTED(00000003)
804BEB97177F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:879:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 444B4801123BC7B1F514AC456251FE627A0C3E03385A651AC6D52B8347B25285
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1678785503
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
sudo vi /usr/lib/ssl/openssl.cnf
At the end, insert Options = UnsafeLegacyRenegotiation. Be aware that this file is read by every program linked against the system OpenSSL, so the setting permits connections to servers that lack RFC 5746 secure renegotiation machine-wide, not only for this script. The section should then look like this:
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
Options = UnsafeLegacyRenegotiation
Now you can run this script on any Ubuntu machine:
https://gist.github.com/apankrat/062efc40f8f2dafeca8d8561b87374e7
Code here, in case it's deleted on GitHub:
#!/bin/bash
# Sites to check, one per line; lines starting with '#' are skipped.
sites="
reddit.com
google.com
microsoft.com
news.ycombinator.com
twitter.com
anjanesh.com
anjanesh.dev
anjanesh.digital
"

# Private temp file (a predictable /tmp/cert-check.out is unsafe on shared hosts), removed on exit.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
# Current time as a Unix epoch. The original ran `date -d "$now"` with $now still unset,
# which GNU date reads as midnight today rather than now.
now=$(date +%s)

echo "site,match,subject,expires,left,issuer"
for site in $sites
do
    if [[ $site == \#* ]]; then continue; fi
    printf '%s,' "$site"
    # Fetch the chain; `openssl x509` reads only the first PEM block, i.e. the leaf certificate.
    # -nameopt RFC2253 prints names as "CN=host,O=Org,C=US" with no spaces around '=',
    # which the expansions below rely on (OpenSSL 1.1+ otherwise prints "O = Org").
    if ! echo | openssl s_client -showcerts -servername "$site" -connect "$site:443" 2>/dev/null \
            | openssl x509 -inform pem -noout -text -nameopt RFC2253 > "$tmp" 2>/dev/null; then
        echo "!,-,-,NO CERT,-"
        continue
    fi
    issuer=$(grep 'Issuer:' "$tmp")
    issuer=${issuer##*O=}        # keep the text after the last "O="
    issuer=${issuer%%,*}         # and drop everything from the next comma
    subject=$(grep 'Subject:' "$tmp")
    subject=${subject##*CN=}
    subject=${subject%%,*}
    # The unquoted right-hand side is a deliberate glob: a wildcard CN such as *.example.com
    # matches ".example.com" (hence the leading dot) and its subdomains.
    if [[ $site == $subject ]] || [[ ".$site" == $subject ]]; then match='Yes'; else match='!'; fi
    expires=$(grep 'Not After' "$tmp")
    expires=$(date '+%Y-%m-%d' -d "${expires#*:}")
    epoch=$(date -d "$expires" +%s)
    if [ "$epoch" -lt "$now" ]
    then
        left='EXPIRED'
    else
        days=$(( (epoch - now) / 86400 ))
        left="$days days"
    fi
    printf '%s,' "$match" "$subject" "$expires" "$left"
    echo "$issuer"
done
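The script's match column compares the host only against the CN, and its glob lets *.example.com match any depth of subdomain. As an added example, not part of the gist, the two hypothetical POSIX shell helpers below (name_matches, cert_covers) check a host against the CN plus the SAN list with single-label wildcard semantics as browsers do; the certificate text they parse is a constructed excerpt of `openssl x509 -text -nameopt RFC2253` output.

```shell
#!/bin/sh
# Hypothetical helpers, not from the gist: stricter hostname matching for the
# "match" column. A wildcard covers exactly one label (RFC 6125), so
# *.example.com covers api.example.com but neither example.com nor a.b.example.com.

# name_matches HOST NAME -> exit 0 if NAME (plain or "*.domain") covers HOST
name_matches() {
    local host name suffix label
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        \*.*)
            suffix=${name#\*}                     # "*.example.com" -> ".example.com"
            label=${host%"$suffix"}               # the part the '*' would have to cover
            [ "$label" != "$host" ] || return 1   # suffix did not match at all
            [ -n "$label" ] || return 1           # nothing left for the '*' to cover
            case $label in *.*) return 1 ;; esac  # a wildcard covers one label only
            return 0 ;;
        *)
            [ "$host" = "$name" ] ;;
    esac
}

# cert_covers HOST -- reads `openssl x509 -noout -text -nameopt RFC2253` output on
# stdin and checks HOST against the Subject CN plus every DNS: name in the SAN extension.
cert_covers() {
    local host text names name
    host=$1
    text=$(cat)
    names=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: .*CN=\([^,]*\).*/\1/p'
            printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    # read line by line (a for loop would glob-expand "*.example.com" against the cwd)
    while IFS= read -r name; do
        [ -n "$name" ] && name_matches "$host" "$name" && return 0
    done <<EOF
$names
EOF
    return 1
}

# Constructed excerpt of `openssl x509 -text -nameopt RFC2253` output used as sample input.
SAMPLE_CERT_TEXT='        Subject: CN=*.example.com,O=Example Corp,C=US
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com'

for h in example.com api.example.com deep.api.example.com example.org; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_covers "$h"; then echo "$h,Yes"; else echo "$h,!"; fi
done
```

With the sample certificate, example.com and api.example.com report Yes while deep.api.example.com and example.org report !, which is the verdict a browser would give.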