#!/usr/bin/perl
# Re-check every entry of the local Postfix TLS policy maps against the live
# MX hosts with posttls-finger and print one line of findings per domain.
# "-v" as the first argument turns on extra progress output.
#
# $verbose is a package global; testdomain() reads it.
our $verbose;
$verbose = 1 if (@ARGV && $ARGV[0] eq '-v');

test('tls_policy', 0);       # plain policy map: posttls-finger is forced to "-l secure"
print "------\nDANE:";
test('tls_policy-dane', 1);  # DANE map: no forced level, posttls-finger's default applies
exit;
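# Walk a Postfix tls_policy-style map and re-check every entry.
#   $filename - path to the policy map: one "domain<ws>policy [attrs]" per
#               line; lines starting with '#' and lines that do not look
#               like an entry are skipped.
#   $dane     - passed through to testdomain(): truthy lets posttls-finger
#               use DANE, falsy forces "-l secure".
# Prints "domain: <findings>\n" per entry to STDOUT; returns nothing.
# Dies if the map cannot be opened (the old unchecked 2-arg open produced
# an empty, apparently successful run when the file was missing).
sub test {
    my ($filename, $dane) = @_;

    open(my $list, '<', $filename) or die "cannot open $filename: $!\n";
    while (my $line = <$list>) {
        next if ($line =~ /^#/);
        # A leading '.' (Postfix parent-domain entry) is dropped from the
        # domain that gets tested; everything after the domain is the policy.
        next unless ($line =~ /^\.?([a-zA-Z0-9-.]+)\s+(.*)/);
        my ($dom, $match) = ($1, $2);
        # '.*' stops at the newline but keeps trailing blanks and a CR, which
        # would break the exact 'eq' policy comparisons in testdomain().
        $match =~ s/\s+$//;

        print "$dom: ";
        testdomain($dom, $match, $dane);
        print "\n";
    }
    close($list);
}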
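# Run posttls-finger against one destination and compare what the live
# server offers with the policy recorded for it in the map.
#   $srv   - destination domain (the caller's regex restricts it to
#            [a-zA-Z0-9-.]; it is passed to execve() directly, never to a shell)
#   $match - policy column of the map: may | encrypt | dane | dane-only |
#            secure [match=name:.suffix:...]
#   $dane  - truthy: no forced level so posttls-finger may use DANE;
#            falsy: force "-l secure"
# Findings are appended to the current STDOUT line; nothing is returned.
# Reads the package global $verbose set by the main script.
# Dies if posttls-finger cannot be started.
sub testdomain {
    my ($srv, $match, $dane) = @_;

    # List-form pipe open: the argument list goes straight to execve(), so
    # the domain read from the policy file never reaches a shell.  A failed
    # exec (tool not installed) is reported instead of silently producing
    # no output, which the old code then reported as "LOST SSL".
    my @cmd = ('posttls-finger');
    push(@cmd, '-l', 'secure') unless ($dane);
    push(@cmd, '-P', '/etc/ssl/certs', $srv);
    open(my $out, '-|', @cmd) or die "cannot run '@cmd': $!\n";

    my $cnt       = 0;
    my $ssl       = 0;    # 0 = no TLS seen, 1 = STARTTLS, 2 = DANE RR in use
    my @certnames = ();   # names found in the server certificate (non-DANE runs only);
                          # was "$certnames = ()", which never reset the array, so
                          # names from the previous domain could satisfy this one's match=
    # A bare "secure" policy (no match= attribute) is valid Postfix syntax;
    # test for the keyword rather than for "secure " with a trailing blank.
    my $is_secure = ($match =~ /^secure(?:\s|$)/) ? 1 : 0;

    while (my $line = <$out>) {
        if ($cnt == 0 && $line =~ /^posttls-finger: using DANE RR:/) {
            print ' using DANE!! ' if ($verbose);
            $ssl = 2;
            print ' --NOW WITH DANE!-- ' if ($match ne 'dane-only');
        }
        if ($ssl == 0 && $line =~ /^posttls-finger: > STARTTLS$/) {
            $ssl = 1;
            print ' using STARTTLS ' if ($verbose);
            print ' --NOW WITH STARTTLS!-- ' if ($match eq 'may' || $match eq 'dane');
        }
        if ($ssl && $line =~ /^posttls-finger: Untrusted TLS connection established/) {
            # Untrusted is only a finding when the policy (or DANE) demands trust.
            print ' -- ATTENTION: UNTRUSTED!!! -- ' if ($ssl == 2 || $is_secure);
        }
        if ($ssl == 1 && $match eq 'encrypt' && $line =~ /^posttls-finger: Verified TLS connection established/) {
            print ' -- NOW CERT VERIFICABLE! -- ';
        }
        if ($ssl != 2 && $line =~ /^posttls-finger: [a-zA-Z0-9-.]+\[[0-9.:]+\]:25 (?:Matched )?(?:subjectAltName:|CommonName) ([a-zA-Z0-9.*-]+)/) {
            push(@certnames, $1);
        }
        if ($line =~ /posttls-finger: server certificate verification failed/) {
            chomp(my $msg = $line);    # keep the finding on the domain's output line
            print " -- ATTENTION: $msg --";
        }
        ++$cnt;
    }
    close($out);

    if ($ssl != 2 && $match eq 'dane-only') {
        print ' -- ATTENTION: LOST DANE!!! --';
    } elsif (!$ssl && ($match eq 'encrypt' || $match eq 'dane' || $is_secure)) {
        print ' -- ATTENTION: LOST SSL!!! --';
    } elsif ($ssl == 1 && $match =~ /^secure match=(.*)/) {
        # Was "$ssl = 1" (assignment, always true), so this branch also ran
        # after a DANE session, where @certnames is never filled, and falsely
        # reported a trust change.  The check passes as soon as any required
        # name is matched by a certificate name: a ".suffix" entry matches any
        # name ending in that suffix, anything else must match exactly.
        my $required_list = $1;
        my $found = 0;
        REQUIRED: foreach my $requiredmatch (split(/:/, $required_list)) {
            foreach my $cert (@certnames) {
                # \Q...\E: the required name is data, not a pattern; its dots
                # must not act as regex wildcards (".example.com" used to
                # accept "xexample.com").
                if (($requiredmatch =~ /^\./ && $cert =~ /\Q$requiredmatch\E$/) || $requiredmatch eq $cert) {
                    $found = 1;
                    last REQUIRED;
                }
            }
        }
        print ' -- REQUIRED TRUST CHANGED! -- ' unless ($found);
    }
}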