Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Get hostname list from CT logs, via certspotter, check if hostnames offer valid certificate path.
#!/usr/bin/env python3
import ssl
import socket
from pathlib import Path
def get_cert_hostnames():
path = Path("~/.certspotter/certs/").expanduser()
for f in path.glob("*/*.cert.pem"):
# https://stackoverflow.com/a/50072461
c = ssl._ssl._test_decode_cert(f)
if 'subjectAltName' in c:
for t, n in c['subjectAltName']:
if t == "DNS":
yield n
def get_remote_tls_cert(hostname, port=443, timeout=1):
"""
Connect to a hostname. Return parsed peer certificate as dict.
Raise ssl.SSLError on TLS error
Raise ssl.certificateerror on unmatching certificate
Raise socket.gaierror on DNS error
Raise ConnectionRefusedError on connection refused
Raise socket.timeout on timeout
"""
context = ssl.create_default_context()
with socket.create_connection((hostname, port), timeout) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as sslsock:
return sslsock.getpeercert()
def main():
ok, broken, other = [], [], []
for h in get_cert_hostnames():
try:
get_remote_tls_cert(h)
ok.append(h)
print(f"{h} OK")
except ssl.SSLError as e:
broken.append(h)
print(f"{h} broken: {e}")
except (socket.error, ConnectionRefusedError, ssl.CertificateError) as e:
other.append(h)
print(f"{h} other: {e}")
print("\n\n===================")
print("Good domains: {}".format(len(ok)))
print("Other problems: {}".format(len(other)))
print("Broken TLS: {}".format(len(broken)))
print("===================")
print("Broken hostnames:")
print("\n".join(broken))
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.