Category: Python/Ruby

2012-09-18 23:53:11

Because of the nature of the company's business, essentially the whole site runs over HTTPS. For various reasons some of the domains cannot use a wildcard certificate and need a certificate of their own, so on the network side a single application ends up with several public IPs so that a different certificate can be bound to each one (many browsers do not support SNI, so multiple IPs was the only option). Today I knocked together a script and tried it out; it checks the certificate bound to every public IP of all the applications in one data center in a single pass.

The script is as follows:


#!/usr/bin/env perl
#===============================================================================
#
#         FILE: comcheck.pl
#
#        USAGE: perl comcheck.pl host_list
#
#  DESCRIPTION: test ssl cert
#
#      OPTIONS: ---
# REQUIREMENTS: ---
#         BUGS: ---
#        NOTES: ---
#       AUTHOR: @GNUer
#      VERSION: 1.0
#      CREATED: 2012-09-18 09:48:21
#     REVISION: ---
#===============================================================================

use strict;
use warnings;
use utf8;
use IO::Socket::SSL;    # also exports $SSL_ERROR and the SSL_VERIFY_* constants

# hostname => public IP, built from the host_list file
my %vips;

help() if !defined $ARGV[0] || !-f $ARGV[0];

open my $HOSTS, '<', $ARGV[0] or die "open $ARGV[0]: $!\n";
while ( my $line = <$HOSTS> ) {
    # one line per IP: "<ip> <hostname> [<hostname> ...] #comment"
    if ( $line =~ /^\s*([\d.]+)\s+([^#]*?)\s*#/ ) {
        my $ip  = $1;
        my @dms = split /\s+/, $2;
        $vips{$_} = $ip for @dms;
    }
}
close $HOSTS;

foreach my $name ( sort keys %vips ) {
    check_cert_com( $vips{$name}, $name );
}

sub check_cert_com {
    my ( $vip, $hostname ) = @_;
    chomp $hostname;
    chomp $vip;

    my $sock = IO::Socket::SSL->new(
        PeerAddr => $vip,
        PeerPort => '443',
        Proto    => 'tcp',
        Timeout  => 3,

        # 0x00 = SSL_VERIFY_NONE: no chain or expiry check, we only want to see
        # which certificate this IP hands out. Combine 0x01 (verify peer),
        # 0x02 (fail if no peer certificate; ignored for clients) and
        # 0x04 (verify client once) to change that.
        SSL_verify_mode => 0x00,

        # hostname used for SNI. With SNI sent, an SNI-capable server returns
        # the right certificate even when this IP's default one is wrong;
        # set SSL_hostname => '' to see what a non-SNI browser would get.
        SSL_hostname => $hostname,

        # name used for hostname verification
        SSL_verifycn_name => $hostname,

        # only consulted when SSL_verify_mode enables peer verification
        SSL_ca_path => "/etc/ssl/certs/",
    );

    if ( !$sock ) {
        print "connect $hostname ($vip) failed: ", ( $SSL_ERROR || $! ), "\n";
        return 1;
    }

    my $rc = 0;
    if ( $sock->verify_hostname( $hostname, 'http' ) ) {
        print "$hostname verification ok\n";
    }
    else {
        print STDERR "$hostname verify failed\n";
        $rc = 1;

        # fall back to comparing the CN by hand, with the common domain stripped
        my $comname = $sock->peer_certificate("commonName") // '(no commonName)';
        my $tname   = $hostname;
        my $tcom    = $comname;
        $tname =~ s/\.xxx\.com$//;
        $tcom  =~ s/\.xxx\.com$//;

        if ( $tcom eq "*" && $tname !~ /\./ ) {
            # wildcard certificate covering a direct subdomain
            print "$hostname $comname\n";
        }
        elsif ( $tname eq $tcom ) {
            # CN matches the hostname exactly
            # print "$hostname eq $comname\n";
        }
        else {
            print STDERR "$vip \e[1;32m$hostname\e[m error cert:\e[1;31m $comname\e[m\n";
        }
    }

    $sock->close();
    return $rc;
}

sub help {
    print "perl comcheck.pl hostlist\n";
    exit 0;
}

The input file has the following format:

12.75.123.70 app1.xxx.com #appxxx
12.75.123.20 app2.xxx.com #appxxx
12.75.123.76 app3.xxx.com #appxxx
12.75.123.42 app41.xxx.com app42.xxx.com air.xxx.com #appxxx
12.75.123.43 app5xxx.com #appxxx

To see only the errors, send stdout to /dev/null (the mismatches are written to STDERR):

perl comcheck.pl host_list >/dev/null

Two things to keep in mind when reading the results. The script sets SSL_verify_mode => 0x00, so it never checks the chain or the expiry date; it only reports whether the name in the served certificate matches the hostname. And because SSL_hostname sends SNI, an SNI-capable server hands back the right certificate even if that IP's default certificate is wrong, which is exactly the case the non-SNI browsers mentioned above would trip over; run it with SSL_hostname => '' as well to see what those clients get.
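As an added example (Python, not the post's Perl script), the following probes each IP twice, once without SNI and once with it, so the check reports the misbinding the post is concerned about: an IP whose default certificate is wrong but which looks fine as soon as SNI is sent. It also matches names the way a browser does (SAN dNSName first, CN only without a SAN, wildcard limited to one leftmost label) instead of stripping ".xxx.com" from the CN, and it verifies the chain, so an expired or untrusted certificate shows up as a failure rather than as a matching name. The IPs, hostnames and certificates in the sample are constructed; fetch_cert_live is the real network path, fake_fetch_cert an offline stand-in with the same signature.

```python
"""Per-IP TLS certificate check: which names does each public IP really serve?
Added example, not the blog post's Perl script. Assumes Python 3.7+ and the
host_list format from the post: '<ip> <hostname> [<hostname>...] #comment'."""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional

FetchCert = Callable[[str, Optional[str]], Optional[dict]]  # (ip, sni) -> cert dict

def parse_host_list(text: str) -> Dict[str, str]:
    """hostname -> IP; blank lines and '#comment' skipped; last IP wins, as in the Perl."""
    vips: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            vips[host.lower().rstrip(".")] = fields[0]
    return vips

def names_from_cert(cert: dict) -> List[str]:
    """SAN dNSNames from an ssl.getpeercert() dict; the CN only when there is no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def match_hostname(names: Iterable[str], hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label, spanning
    one label, so '*.xxx.com' covers app1.xxx.com but not xxx.com or a.b.xxx.com."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True   # len(labels) >= 3 rejects a bare '*.com'
    return False

def fetch_cert_live(ip: str, sni: Optional[str], port: int = 443, timeout: float = 3.0) -> Optional[dict]:
    """Handshake with ip:port; return the leaf cert dict or None. sni=None sends no SNI,
    like a pre-SNI browser. Unlike the Perl script's SSL_verify_mode 0x00 the chain is
    verified (getpeercert() is {} under CERT_NONE), so an expired/untrusted cert -> None."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED against the system CA store
    ctx.check_hostname = False             # names are matched per IP by check_vip
    try:
        with socket.create_connection((ip, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=sni) as tls:
                return tls.getpeercert()
    except OSError:                        # ssl.SSLError is a subclass of OSError
        return None

def check_vip(ip: str, hostname: str, fetch_cert: FetchCert = fetch_cert_live) -> dict:
    """Probe one IP without SNI first, then with it. Verdicts: 'ok' (default cert covers
    the name), 'sni_only' (right only with SNI, so the non-SNI browsers the post mentions
    get a wrong cert), 'mismatch', 'unreachable'."""
    default = fetch_cert(ip, None)
    if default is not None and match_hostname(names_from_cert(default), hostname):
        verdict = "ok"
    else:
        with_sni = fetch_cert(ip, hostname)
        if with_sni is not None and match_hostname(names_from_cert(with_sni), hostname):
            verdict = "sni_only"
        elif default is None and with_sni is None:
            verdict = "unreachable"
        else:
            verdict = "mismatch"
    return {"ip": ip, "hostname": hostname, "verdict": verdict,
            "default_names": names_from_cert(default) if default else []}

def run(host_list: str, fetch_cert: FetchCert = fetch_cert_live) -> List[dict]:
    """One probe per hostname, sorted by name like the Perl script."""
    return [check_vip(ip, h, fetch_cert) for h, ip in sorted(parse_host_list(host_list).items())]

# ---- constructed offline sample: not real hosts or certificates -------------------------
SAMPLE_HOST_LIST = """\
12.75.123.70 app1.xxx.com #appxxx
12.75.123.42 app41.xxx.com app42.xxx.com air.xxx.com #appxxx
12.75.123.43 app5xxx.com #appxxx
"""

def make_cert(cn: str, *dns_names: str) -> dict:
    """getpeercert()-shaped dict: CN plus optional SAN dNSNames."""
    cert: dict = {"subject": ((("commonName", cn),),)}
    if dns_names:
        cert["subjectAltName"] = tuple(("DNS", n) for n in dns_names)
    return cert

# .42 serves a wildcard by default; .43 hands out the wrong certificate unless SNI is
# sent (the misbinding the post's script is meant to catch); .70 is down.
FAKE_SERVERS = {
    "12.75.123.42": {None: make_cert("*.xxx.com", "*.xxx.com", "xxx.com")},
    "12.75.123.43": {None: make_cert("app1.xxx.com", "app1.xxx.com"),
                     "app5xxx.com": make_cert("app5xxx.com", "app5xxx.com")},
}

def fake_fetch_cert(ip: str, sni: Optional[str]) -> Optional[dict]:
    """Offline stand-in for fetch_cert_live: the IP's default cert unless SNI selects another."""
    served = FAKE_SERVERS.get(ip)
    return None if served is None else served.get(sni, served[None])

if __name__ == "__main__":
    for r in run(SAMPLE_HOST_LIST, fake_fetch_cert):
        print(f"{r['ip']:<14} {r['hostname']:<14} {r['verdict']:<12} {r['default_names']}")
```

Against real servers, pass the file contents to run() with the default fetch_cert_live; a 'sni_only' verdict is the finding to act on, since it means that IP still serves some other certificate to clients that do not send SNI. Because the chain is verified, a certificate that has expired or is not trusted by the machine running the check comes back as 'unreachable' rather than being matched by name.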
