[gnutls-help] Non-interactive way of printing certs with gnutls-cli and --starttls
Dick Visser
visser at terena.org
Wed Nov 26 17:28:40 CET 2014
As it says on the tin.
I'm looking for a way to retrieve the x509 cert for SMTP servers that
offer STARTTLS.
gnutls-cli can be used, but you have to manually type some steps: EHOL
blah, STARTTLS and then ctrl-D (for EOF(:
visser at nagios:~$ gnutls-cli --starttls --print-cert --port 25 aspmx.l.google.com
Resolving 'aspmx.l.google.com'...
Connecting to '2a00:1450:400c:c09::1a:25'...
- Simple Client Mode:
220 mx.google.com ESMTP fu3si8792677wib.31 - gsmtp
EHLO blah
250-mx.google.com at your service, [2001:610:158:98d::45]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
STARTTLS
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google
Inc,CN=mx.google.com', issuer `C=US,O=Google Inc,CN=Google Internet
Authority G2', RSA key 2048 bits, signed using RSA-SHA1, activated
`2014-07-15 08:56:16 UTC', e xpires `2015-04-04
15:15:55 UTC', SHA-1 fingerprint
`2282b379696a721505f273fa1e6bbe36f0ba01e2'
-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXdZYG
I'm looking for a way to avoid the interactive steps, so that it can
be used in scripts.
Background: I have a Nagios plugin that depends on the output of
'openssl s_client' to retrieve the certs, like this:
visser at nagios:~$ openssl s_client -showcerts -starttls smtp -connect
aspmx.l.google.com:25 < /dev/null 2>&1
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
etc etc
but for some reason 'openssl s_client' does not work with IPv6.
The mail servers I want to connect to only run IPv6, so openssl fails.
GnuTLS works with IPv6, the only thing left is a way to script it...
Thanks!!
--
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488
GÉANT Association
Networking. Services. People.
Learn more at: http://www.géant.org
More information about the Gnutls-help
mailing list