
@acheong08
Created November 17, 2023 01:14
Quick script for checking TLS fingerprint
// To do: Make this into a full blown site that monitors the internet for changes in TLS fingerprints
package main
import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"flag"
	"fmt"
	"log"
	"net"
	"strings"
	"time"
)
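// GetTLSFingerprint connects to host (in "host:port" form) over TLS and
// returns the lowercase hex SHA-256 digest of the DER encoding of the first
// certificate the peer presents. Note that this is a certificate fingerprint,
// not a handshake fingerprint of the JA3 kind.
//
// timeout is in seconds and bounds the TCP connect and the TLS handshake as a
// whole. A non-positive timeout is treated as an already-expired deadline and
// yields a "timeout" error without dialing.
//
// Security note: certificate verification is deliberately disabled
// (InsecureSkipVerify) so that self-signed, expired or otherwise invalid
// certificates can still be fingerprinted. Nothing about the peer is
// authenticated: the result describes whichever endpoint answered, which may
// be an interception proxy rather than the intended server. Compare the value
// against a fingerprint obtained over a trusted channel before relying on it,
// and do not reuse this tls.Config for connections that carry real data.
func GetTLSFingerprint(timeout int, host string) (string, error) {
	if timeout <= 0 {
		// A zero net.Dialer timeout would mean "wait forever", so reject
		// non-positive values up front instead of passing them through.
		return "", fmt.Errorf("timeout")
	}

	// Dialing synchronously with a deadline replaces a background goroutine:
	// the connection is always closed and nothing is left running after a
	// timeout.
	dialer := &net.Dialer{Timeout: time.Duration(timeout) * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{
		InsecureSkipVerify: true, // intentional; see the security note above
	})
	if err != nil {
		// Return here: conn is nil on failure and must not be used.
		return "", fmt.Errorf("tls dial %s: %w", host, err)
	}
	defer conn.Close()

	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		// Report a real error rather than indexing an empty slice.
		return "", fmt.Errorf("no peer certificate presented by %s", host)
	}

	// Hash the raw DER bytes of the leaf certificate.
	sum := sha256.Sum256(certs[0].Raw)
	return hex.EncodeToString(sum[:]), nil
}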
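// normalizeTarget converts a user-supplied -host value into the "host:port"
// form that GetTLSFingerprint expects. It drops a leading "https://", discards
// everything from the first "/" onward, and appends port 443 when the value
// carries no port.
func normalizeTarget(raw string) string {
	target := strings.TrimPrefix(raw, "https://")
	if i := strings.Index(target, "/"); i >= 0 {
		target = target[:i]
	}
	if _, _, err := net.SplitHostPort(target); err != nil {
		// No usable port: a bare hostname, a bare IPv6 literal or "[v6]".
		// JoinHostPort adds brackets itself, so strip any that are present.
		target = net.JoinHostPort(strings.Trim(target, "[]"), "443")
	}
	return target
}

// main parses -host and -timeout, normalizes the target and prints the
// SHA-256 fingerprint of the certificate the server presents.
func main() {
	var host string
	var timeout int
	flag.StringVar(&host, "host", "", "HTTPS server to scan")
	flag.IntVar(&timeout, "timeout", 5, "Timeout in seconds")
	flag.Parse()

	if host == "" {
		// Nothing to scan: show flag usage.
		flag.Usage()
		return
	}
	if strings.HasPrefix(host, "http://") {
		fmt.Println("This does not work with HTTP")
		return
	}

	// Strip the scheme before deciding whether a port is present; the colon
	// in "https://" would otherwise be mistaken for a port separator and the
	// default port would never be added.
	host = normalizeTarget(host)

	fingerprint, err := GetTLSFingerprint(timeout, host)
	if err != nil {
		log.Fatal(err)
	}
	// The peer is not authenticated during the scan, so the printed value is
	// only meaningful when compared against a fingerprint from a trusted source.
	fmt.Printf("TLS Fingerprint of %s: %s\n", host, fingerprint)
}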