[gnutls-help] Non-interactive way of printing certs with gnutls-cli and --starttls

Dick Visser visser at terena.org
Mon Jan 12 21:33:21 CET 2015


Any ideas about this?

On 26 November 2014 at 17:28, Dick Visser <visser at terena.org> wrote:
> As it says on the tin.
> I'm looking for a way to retrieve the x509 cert for SMTP servers that
> offer STARTTLS.
> gnutls-cli can be used, but you have to manually type some steps: EHLO
> blah, STARTTLS and then ctrl-D (for EOF):
>
> visser at nagios:~$ gnutls-cli --starttls --print-cert --port 25 aspmx.l.google.com
> Resolving 'aspmx.l.google.com'...
> Connecting to '2a00:1450:400c:c09::1a:25'...
>
> - Simple Client Mode:
>
> 220 mx.google.com ESMTP fu3si8792677wib.31 - gsmtp
> EHLO blah
> 250-mx.google.com at your service, [2001:610:158:98d::45]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> STARTTLS
> 220 2.0.0 Ready to start TLS
> *** Starting TLS handshake
> - Certificate type: X.509
>  - Got a certificate list of 3 certificates.
>  - Certificate[0] info:
>   - subject `C=US,ST=California,L=Mountain View,O=Google
> Inc,CN=mx.google.com', issuer `C=US,O=Google Inc,CN=Google Internet
> Authority G2', RSA key 2048 bits, signed using RSA-SHA1, activated
> `2014-07-15 08:56:16 UTC', expires `2015-04-04
> 15:15:55 UTC', SHA-1 fingerprint
> `2282b379696a721505f273fa1e6bbe36f0ba01e2'
>
> -----BEGIN CERTIFICATE-----
>
> I'm looking for a way to avoid the interactive steps, so that it can
> be used in scripts.
>
> Background: I have a Nagios plugin that depends on the output of
> 'openssl s_client' to retrieve the certs, like this:
>
> visser at nagios:~$ openssl s_client -showcerts -starttls smtp -connect
> aspmx.l.google.com:25 < /dev/null 2>&1
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> -----BEGIN CERTIFICATE-----
> etc etc
>
> but for some reason 'openssl s_client' does not work with IPv6.
> The mail servers I want to connect to only run IPv6, so openssl fails.
>
> GnuTLS works with IPv6, the only thing left is a way to script it...
>
> Thanks!!
>
> --
> Dick Visser
> Sr. System & Networking Engineer
> GÉANT Association, Amsterdam Office (formerly TERENA)
> Singel 468D, 1017 AW Amsterdam, the Netherlands
> Tel: +31 (0) 20 530 4488
>
> GÉANT Association
> Networking. Services. People.
>
> Learn more at: http://www.géant.org



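One way to get the same certificate without driving gnutls-cli interactively is to speak the SMTP side of STARTTLS directly and hand the socket to the TLS stack. The script below is an added example for the question in this thread, not part of gnutls-cli or the poster's Nagios plugin; the function names and the default `helo` value are this example's own, and `socket.create_connection()` resolves through `getaddrinfo()`, so an IPv6-only mail host works.

```python
import hashlib
import socket
import ssl


def read_reply(readline):
    """Consume one SMTP reply; readline() returns one raw line as bytes.

    Lines like "250-SIZE" continue the reply, "250 SMTPUTF8" ends it.
    Returns (numeric code, [each line's text without the 4-char prefix]).
    """
    texts = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), texts


def supports_starttls(ehlo_texts):
    """True when the EHLO response advertised the STARTTLS extension."""
    return any(t.upper().startswith("STARTTLS") for t in ehlo_texts)


def sha1_fingerprint(der):
    """Hex SHA-1 of the DER certificate, as gnutls-cli --print-cert shows it."""
    return hashlib.sha1(der).hexdigest()


def fetch_cert(host, port=25, helo="nagios.example", timeout=10):
    """Return (PEM, SHA-1 fingerprint) of the server's leaf certificate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")          # buffered reader, used only before TLS
        if read_reply(rfile.readline)[0] != 220:
            raise RuntimeError("no 220 greeting")
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        code, texts = read_reply(rfile.readline)
        if code != 250 or not supports_starttls(texts):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(rfile.readline)[0] != 220:
            raise RuntimeError("STARTTLS refused")
        # We only want to *see* the certificate; trust/expiry checks are done
        # later on the returned PEM, so the handshake itself must not fail here.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), sha1_fingerprint(der)
```

`fetch_cert("aspmx.l.google.com")` returns the PEM and fingerprint that the interactive gnutls-cli session above printed by hand, ready for a plugin to parse.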


