check_ssl_cert w/ PKI / X.509 Chain Validation

Brian A. Seklecki lavalamp at spiritual-machines.org
Wed Aug 6 18:03:33 CEST 2008


Two new notes:


   1) Extracting the root CA cert DB from FF3 manually (GUI + Select all)
     to PEM works fine with c_rehash.pl
    $ openssl s_client -verify 4 -connect www.gmail.com:443 2>&1 | egrep \
        "Verify\ return\ code"
     Verify return code: 0 (ok)


   2) I'm unable to find the file system database that contains the root
     CA, otherwise the process could be automated:

     $ for a in $(certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ |
       egrep -v "Nickname" | cut -f1 -d ' ' -s ); do certutil -L -d \
       ~/.mozilla/firefox/3u995ypq.default/ -a -n "$a" > /tmp/"$a".pem; done


     However:

      1) certutil(8) is awful and doesn't escape the DB "nick" column with
         quotes, making it impossible to regex out the cert name.
      2) In FC9 and FBSD7, neither /etc/pki/nssdb/ nor
         /usr/{local/share|lib64}/firefox-3.0.1 has the certutil
         format'd DB to automate the extract process from.

Anyway, the root CA DB doesn't change very often, so code can be written 
around this for now.

~BAS



On Wed, 11 Apr 2007, Brian A. Seklecki wrote:

>
> These scripts are great; thank you very much to all involved who contributed 
> (no e-mail address for 'mastrboy'). I'm considering spending some time 
> adding additional functionality:
>
> --
>
> In addition to simply parsing the date and comparing the date/time, I'd like 
> to test the validity of the X.509 Cert against its PKI infrastructure using 
> the OpenSSL routines.
>
> I'm pretty sure that this can be accomplished by checking the result code of 
> openssl 's_client' or 'verify'; both permit for -CApath and -CAfile.
>
> For internal PKI, this is pretty straightforward; just specify your 
> organization's Root CA Cert.
>
> For public cert verification; it gets tricky because you have to take a 
> certificate store like the Mozilla NSS/NSPR default and convert it into 
> OpenSSL c_rehash format -- taking ideas on that here.
>
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>
> Thoughts?
>
> l8*
> 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> 	       http://www.spiritual-machines.org/
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

     "Guilty? Yeah. But he knows it. I mean, you're guilty.
     You just don't know it. So who's really in jail?"
     ~Maynard James Keenan
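Added example, not code from the check_ssl_cert plugin, from Nagios, or from either mail above: a converter that turns Mozilla's certdata.txt (the NSS built-in root store the quoted mail links to) into one PEM file per root, ready for c_rehash and `openssl s_client -CApath`, plus the mapping from s_client's "Verify return code" line to a Nagios exit state that the quoted proposal describes. Assumptions: the certdata.txt syntax used here (CKA_CLASS / CKA_LABEL UTF8 "..." / CKA_VALUE MULTILINE_OCTAL ... END) is the layout of the linked file; the embedded sample store is constructed and its certificate bytes are not a real certificate; all function names are my own.

```python
#!/usr/bin/env python3
"""Added example (not the check_ssl_cert plugin's code). Converts certdata.txt
roots to PEM for c_rehash and maps s_client's verify result to a Nagios state.
The sample store below is constructed; its cert bytes are NOT a real certificate."""
import base64
import os
import re
import sys
import textwrap

NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3

# Constructed sample in certdata.txt syntax: one cert object and its trust object.
SAMPLE_CERTDATA = r"""
# constructed sample, not a real root
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\001\002\003
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def parse_certdata(text):
    """Return [(label, der_bytes)] for every CKO_CERTIFICATE object.
    An object starts at a CKA_CLASS line; attribute lines read 'CKA_NAME TYPE value'.
    A MULTILINE_OCTAL value is '\\ooo' escapes (one byte each) on the following
    lines, terminated by a line reading END."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr = parts[0]
        typ = parts[1] if len(parts) > 1 else ""
        if attr == "CKA_CLASS":          # a new object begins here
            current = {}
            objects.append(current)
        if current is None:              # header lines such as BEGINDATA
            continue
        if typ == "MULTILINE_OCTAL":
            body = []
            for more in lines:
                if more.strip() == "END":
                    break
                body.append(more)
            octets = re.findall(r"\\([0-7]{3})", "".join(body))
            current[attr] = bytes(int(o, 8) for o in octets)
        elif typ == "UTF8":              # labels are quoted, unlike certutil's output
            current[attr] = parts[2].strip().strip('"') if len(parts) > 2 else ""
        else:
            current[attr] = parts[2].strip() if len(parts) > 2 else ""
    return [(o.get("CKA_LABEL", "unnamed"), o["CKA_VALUE"])
            for o in objects
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and "CKA_VALUE" in o]


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def certdata_to_pems(text):
    """Map a filesystem-safe file name to PEM text for each root in certdata.txt."""
    pems = {}
    for label, der in parse_certdata(text):
        name = re.sub(r"[^A-Za-z0-9._-]+", "_", label).strip("_") + ".pem"
        pems[name] = der_to_pem(der)
    return pems


VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def nagios_state(s_client_output):
    """Map the final 'Verify return code: N (reason)' line printed by
    `openssl s_client -verify N -CApath DIR -connect host:443` to
    (exit_code, message). Only code 0 means the chain validated."""
    m = VERIFY_RE.search(s_client_output)
    if not m:
        return NAGIOS_UNKNOWN, "UNKNOWN - no verify result in s_client output"
    code, reason = int(m.group(1)), m.group(2)
    if code == 0:
        return NAGIOS_OK, "OK - certificate chain verified"
    return NAGIOS_CRITICAL, "CRITICAL - verify return code %d (%s)" % (code, reason)


if __name__ == "__main__":
    # Usage: certdata_to_pem.py certdata.txt outdir ; then run `c_rehash outdir`
    src, outdir = sys.argv[1], sys.argv[2]
    os.makedirs(outdir, exist_ok=True)
    with open(src, encoding="utf-8") as fh:
        for name, pem in certdata_to_pems(fh.read()).items():
            with open(os.path.join(outdir, name), "w") as out:
                out.write(pem)
```

Because certdata.txt quotes its CKA_LABEL values, the label-parsing problem the certutil route runs into does not arise here. After writing the directory, `c_rehash <dir>` creates the subject-hash symlinks that `-CApath` needs; the Nagios check then only has to grep s_client's final verify line, as in the gmail example at the top of the mail.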


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users