from __future__ import absolute_import, division, print_function | |
import socket | |
from OpenSSL import SSL | |
from service_identity import VerificationError | |
from service_identity.pyopenssl import verify_hostname | |
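def _verify_callback(conn, cert, errno, depth, ok):
    """Print the subject CN and subjectAltName of each certificate in the chain.

    OpenSSL calls this once per certificate while it verifies the chain.

    Args:
        conn: the ``SSL.Connection`` being verified (unused).
        cert: the X509 certificate at this position of the chain.
        errno: OpenSSL's error code for this certificate (unused).
        depth: position of ``cert`` in the chain (unused).
        ok: OpenSSL's own verdict for this certificate.

    Returns:
        ``ok`` unchanged, so OpenSSL's chain verification decides the outcome.
        Returning a hard-coded truthy value here would disable certificate
        validation for the whole connection.
    """
    print('cert.subject.name=', cert.get_subject().commonName)
    for index in range(cert.get_extension_count()):
        extension = cert.get_extension(index)
        if extension.get_short_name() == b'subjectAltName':
            print(' subjectAltName=', str(extension))
    return ok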
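def check_hostname(hostname):
    """Open a TLS 1.2 connection to ``hostname``:443 and verify its certificate.

    The chain is verified against the system trust store
    (``set_default_verify_paths``) with ``_verify_callback`` printing each
    certificate, and the leaf is then matched against ``hostname`` with
    ``service_identity.verify_hostname``.

    Args:
        hostname: DNS name to connect to and to validate the certificate against.

    Returns:
        True when the handshake and the hostname check both succeed, False when
        the server presents a chain that does not verify or a certificate that
        is not valid for ``hostname``. Errors raised while connecting the TCP
        socket (DNS failure, connection refused) propagate to the caller so
        they are not mistaken for a failed certificate check.
    """
    print('* Checking ', hostname)
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    # VERIFY_PEER aborts the handshake when the chain does not verify; the
    # callback only prints and returns OpenSSL's verdict unchanged.
    ctx.set_verify(SSL.VERIFY_PEER, _verify_callback)
    ctx.set_default_verify_paths()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = SSL.Connection(ctx, sock)
    # Send SNI: without it a server hosting several names (such as the
    # badssl.com hosts in this script) returns its default certificate rather
    # than the one for ``hostname``, so the result would not reflect the host
    # actually being tested.
    conn.set_tlsext_host_name(hostname.encode('idna'))
    try:
        conn.connect((hostname, 443))
    except Exception:
        # Nothing has been negotiated yet: release the socket and let the
        # caller see the connection error instead of a False "cert" result.
        conn.close()
        raise
    try:
        conn.do_handshake()
        verify_hostname(conn, hostname)
        # Do your super-secure stuff here.
        print('Connected')
    except SSL.Error as e:
        print("SSL error {0}".format(str(e)))
        return False
    except VerificationError as e:
        print(e)
        print("Presented certificate is not valid for {0}.".format(hostname))
        return False
    except Exception as e:
        print(e)
        return False
    finally:
        # Best-effort teardown: shutdown() can itself raise on a half-open
        # connection and must not mask the result already determined above.
        try:
            conn.shutdown()
            conn.close()
        except Exception:
            pass
    return True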
# Hosts whose certificate chain and hostname should validate cleanly.
ok_list = [(host, True) for host in (
    'twistedmatrix.com',
    'www.lemonde.fr',
    'linuxfr.org',
    'twitter.com',
    'mozilla-old.badssl.com',
    'mozilla-intermediate.badssl.com',
    'mozilla-modern.badssl.com',
)]
# Hosts whose certificate must be rejected (expired, wrong name, untrusted
# or self-signed issuer, revoked, pinning mismatch).
cert_error_list = [(host, False) for host in (
    'expired.badssl.com',
    'wrong.host.badssl.com',
    'self-signed.badssl.com',
    'untrusted-root.badssl.com',
    'revoked.badssl.com',
    'pinning-test.badssl.com',
)]
# Hosts signed by roots that were shipped in compromised software bundles.
cert_bad_list = [(host, False) for host in (
    'superfish.badssl.com',
    'edellroot.badssl.com',
    'dsdtestprovider.badssl.com',
    'preact-cli.badssl.com',
    'webpack-dev-server.badssl.com',
)]
# Hosts negotiating weak Diffie-Hellman group sizes.
dh_list = [(host, False) for host in (
    'dh480.badssl.com',
    'dh512.badssl.com',
    'dh1024.badssl.com',
)]
# Hosts offering broken or null ciphers, or a bad SCT.
cipher_list = [(host, False) for host in (
    'rc4.badssl.com',
    'rc4-md5.badssl.com',
    'null.badssl.com',
    'invalid-expected-sct.badssl.com',
)]
# Signature-hash cases: SHA-1 in the chain should fail, SHA-256 should pass.
sha_list = [
    ('sha1-intermediate.badssl.com', False),
    ('sha256.badssl.com', True),
]
# check_list = ok_list + cert_error_list + cert_bad_list + dh_list + cipher_list + sha_list
# Only the certificate-validation cases are exercised by default.
check_list = ok_list + cert_error_list
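# Run every case and compare the observed verdict with the expected one.
for host, expected in check_list:
    print('')
    try:
        # A check that raises (DNS or TCP failure, for instance) is reported
        # separately so it is not confused with an expected certificate
        # rejection, which returns False rather than raising.
        if check_hostname(host) == expected:
            print('✔️ OK')
        else:
            print('❌ FAIL !')
    except Exception as e:
        print('❌ FAIL WITH EXCEPTION', str(e))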