[exim] Re: Please avoid TLSA records matching retired issuin…

From: Viktor Dukhovni via Exim-users
Date:
To: exim-users
Subject: [exim] Re: Please avoid TLSA records matching retired issuing CAs.
On Mon, Jul 17, 2023 at 10:11:08AM +0200, Niels Dettenbach via Exim-users wrote:

> helpful for pro-actively watching / monitoring different aspects of a
> DANE / TLSA setup per Nagios (as "compatible" monitoring systems):
> https://github.com/matteocorti/check_ssl_cert
>
> which is very flexible and (til now) well maintained.


Thanks for the tooling link. If anyone is looking for something much
simpler/smaller, I can offer up the below bash function, whose exit
status indicates success or failure to find a matching DANE TLSA record:

    # danesmtp HOST: look up the TLSA records for HOST's port-25 service and
    # hand them to openssl s_client for DANE verification of the STARTTLS
    # session. The exit status is openssl's: non-zero when no record matches.
    danesmtp ()
    {
        local host=$1
        shift
        local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error -brief -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # +nosplit keeps each record's hex field on one line; keep only usage 2/3
        # records (the ones used for SMTP) with selector 0/1 and matching type 0/1/2.
        set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | grep -Ei '^[23] [01] [012] [0-9a-f]+$')
        while [ $# -ge 4 ]; do
            opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4")
            shift 4
        done
        # Send QUIT once the handshake is done so the probe does not sit in the session.
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client "${opts[@]}"
    }


Of course that leaves the task of integrating the above probe into a
monitoring process up to the reader.

-- 
    Viktor.
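An offline companion to the probe above, added here as an example and not part of Viktor's message or of any Exim or OpenSSL tooling: given the rdata lines as dig prints them and the server's SubjectPublicKeyInfo (SPKI) DER, it reports which records match the current key, which are stale (for instance a usage-2 record still naming a retired issuing CA), and which it cannot judge. The SPKI byte strings are constructed dummies with the shape of an Ed25519 SubjectPublicKeyInfo, and only selector 1 is handled.

```python
import hashlib
from collections import namedtuple

# Constructed sample SPKIs: Ed25519 SubjectPublicKeyInfo DER shape with dummy
# key bytes. For a real server take the DER from
# `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER`.
_PREFIX = bytes.fromhex("302a300506032b6570032100")
EE_SPKI = _PREFIX + bytes(range(32))          # the server's current key
NEW_CA_SPKI = _PREFIX + bytes(range(32, 64))  # issuer still in the chain
OLD_CA_SPKI = _PREFIX + bytes(range(64, 96))  # retired issuer

Tlsa = namedtuple("Tlsa", "usage selector mtype data")

# Matching types per RFC 6698: 0 = full data, 1 = SHA-256, 2 = SHA-512.
_DIGEST = {0: lambda d: d,
           1: lambda d: hashlib.sha256(d).digest(),
           2: lambda d: hashlib.sha512(d).digest()}

def parse_tlsa_lines(lines):
    """Parse rdata as `dig +short -t tlsa` prints it. Without +nosplit dig
    chops long hex fields into space-separated chunks, so fields after the
    third are re-joined before decoding; short or empty lines are skipped."""
    records = []
    for line in lines:
        f = line.split()
        if len(f) >= 4:
            records.append(Tlsa(int(f[0]), int(f[1]), int(f[2]),
                                bytes.fromhex("".join(f[3:]))))
    return records

def tlsa_rdata(spki_der, usage=3, mtype=1):
    """Rdata text ("usage 1 mtype hex") for a freshly published SPKI record."""
    return f"{usage} 1 {mtype} {_DIGEST[mtype](spki_der).hex()}"

def check_records(records, ee_spki, issuer_spkis=()):
    """Split records into (matching, stale, unusable). Usage 3 (DANE-EE) must
    match the server's own SPKI; usage 2 (DANE-TA) must match an issuing CA
    still in the chain, so a record left behind for a retired issuer comes out
    as stale. Only usage 2/3 are used for SMTP (RFC 7672), as in the probe's
    grep; selector 0 needs DER certificates and is reported as unusable."""
    matching, stale, unusable = [], [], []
    for r in records:
        if r.selector != 1 or r.usage not in (2, 3) or r.mtype not in _DIGEST:
            unusable.append(r)
            continue
        candidates = [ee_spki] if r.usage == 3 else list(issuer_spkis)
        ok = any(_DIGEST[r.mtype](c) == r.data for c in candidates)
        (matching if ok else stale).append(r)
    return matching, stale, unusable
```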

