Skip to content

Instantly share code, notes, and snippets.

@oskar456
Created September 19, 2018 15:15
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save oskar456/a1c9edf9bc228cffa25ecddb6269737e to your computer and use it in GitHub Desktop.
Save oskar456/a1c9edf9bc228cffa25ecddb6269737e to your computer and use it in GitHub Desktop.
Get hostname list from CT logs, via certspotter, check if hostnames offer valid certificate path.
#!/usr/bin/env python3
import ssl
import socket
from pathlib import Path
def get_cert_hostnames():
path = Path("~/.certspotter/certs/").expanduser()
for f in path.glob("*/*.cert.pem"):
# https://stackoverflow.com/a/50072461
c = ssl._ssl._test_decode_cert(f)
if 'subjectAltName' in c:
for t, n in c['subjectAltName']:
if t == "DNS":
yield n
def get_remote_tls_cert(hostname, port=443, timeout=1):
"""
Connect to a hostname. Return parsed peer certificate as dict.
Raise ssl.SSLError on TLS error
Raise ssl.certificateerror on unmatching certificate
Raise socket.gaierror on DNS error
Raise ConnectionRefusedError on connection refused
Raise socket.timeout on timeout
"""
context = ssl.create_default_context()
with socket.create_connection((hostname, port), timeout) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as sslsock:
return sslsock.getpeercert()
def main():
ok, broken, other = [], [], []
for h in get_cert_hostnames():
try:
get_remote_tls_cert(h)
ok.append(h)
print(f"{h} OK")
except ssl.SSLError as e:
broken.append(h)
print(f"{h} broken: {e}")
except (socket.error, ConnectionRefusedError, ssl.CertificateError) as e:
other.append(h)
print(f"{h} other: {e}")
print("\n\n===================")
print("Good domains: {}".format(len(ok)))
print("Other problems: {}".format(len(other)))
print("Broken TLS: {}".format(len(broken)))
print("===================")
print("Broken hostnames:")
print("\n".join(broken))
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment