Python:如何获取过期的SSL证书日期?

kq0g1dla  于 2023-03-19  发布在  Python
关注(0)|答案(2)|浏览(220)

我创建了一个简单的Python程序来获取SSL证书的过期日期,它可以从Internet上的引用中获取,对于尚未过期的证书可以正常工作,但是对于已经过期的证书,由于证书过期,在套接字握手期间会引发一个错误。
我如何得到过期的证书信息来提取过期日期,因为连接被拒绝。有没有办法强制套接字连接建立,即使证书可能过期?
代码:

import ssl
from cryptography import x509
import sys
import socket

hostname = sys.argv[1]

context = ssl.create_default_context()

with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print("SSL/TLS version:",ssock.version())
        print()
        data = ssock.getpeercert()
        print("Data:",data)
        print()
        notafter_date = data["notAfter"]
        print("Expiry date:",notafter_date)
        print()

未过期证书的输出:

$ python check_ssl_cert.py badssl.com
SSL/TLS version: TLSv1.2

Data: {'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'California'),), (('localityName', 'Walnut Creek'),), (('organizationName', 'Lucas Garron Torres'),), (('commonName', '*.badssl.com'),)), 'issuer': ((('countryName', 'US'),), (('organizationName', 'DigiCert Inc'),), (('commonName', 'DigiCert SHA2 Secure Server CA'),)), 'version': 3, 'serialNumber': '0AF06CDA37A60B641342F0A1EB1D59FD', 'notBefore': 'Mar 23 00:00:00 2020 GMT', 'notAfter': 'May 17 12:00:00 2022 GMT', 'subjectAltName': (('DNS', '*.badssl.com'), ('DNS', 'badssl.com')), 'OCSP': ('http://ocsp.digicert.com',), 'caIssuers': ('http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt',), 'crlDistributionPoints': ('http://crl3.digicert.com/ssca-sha2-g6.crl', 'http://crl4.digicert.com/ssca-sha2-g6.crl')}

Expiry date: May 17 12:00:00 2022 GMT

过期证书的输出:

$ python check_ssl_cert.py expired.badssl.com
Traceback (most recent call last):
  File "check_ssl_cert.py", line 11, in <module>
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
  File "/usr/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1091)

正如对另一种解决方案所建议的那样,它没有解决问题。
我想换句台词

data = ssock.getpeercert()

data = ssock.getpeercert(True)

并且对于未过期的证书返回DER格式的证书,但是对于已过期的证书得到证书验证错误。

ssl

2条答案

按热度按时间
jhkqcmku

jhkqcmku1#

我设法创建了一个可行的解决方案。在这里查看我的Github要点:https://gist.github.com/sharuzzaman/8827ef0d9fff89e4e937579b2b01653f
这里还有逐字代码供快速参考

#!/bin/env python3

# check_ssl_cert.py - python get info for expired SSL cert
# Copyright 2022 Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>

# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License along with this program. If not, see https://www.gnu.org/licenses/.

from cryptography import x509
import socket
import ssl
import sys

hostname = sys.argv[1]

# create default context
context = ssl.create_default_context()

# override context so that it can get expired cert
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print("SSL/TLS version:", ssock.version())
        print()

        # get cert in DER format
        data = ssock.getpeercert(True)
        print("Data:", data)
        print()

        # convert cert to PEM format
        pem_data = ssl.DER_cert_to_PEM_cert(data)
        print("PEM cert:", pem_data)

        # pem_data in string. convert to bytes using str.encode()
        # extract cert info from PEM format
        cert_data = x509.load_pem_x509_certificate(str.encode(pem_data))

        # show cert expiry date
        print("Expiry date:", cert_data.not_valid_after)
        print()
赞(0)分享  回复(0)举报  2023-03-19
tp5buhyn

tp5buhyn2#

我使用这样的脚本...
根@脚本:~#目录/根/bin/check-cert-mattila.eu.sh

#!/bin/bash
clear
echo "SERVER CERTIFICATE EXPIRATION DATES:"
echo "------------------------------------"
server=mail.mattila.eu
echo ""
echo "server = ${server}"
echo ""
echo ""
echo "#### WWW port (client2server) ####"
echo "------------------------------------"
echo " SSL certificate on port 443"
echo |openssl s_client -showcerts -connect $server:443 2>/dev/null | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo ""
echo "#### SMTP ports (server2server) ####"
echo "------------------------------------"
echo " TLS certificate on port 25"
echo |openssl s_client -showcerts -connect $server:25 2>/dev/null -starttls smtp | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo " SSL certificate on port 465"
echo |openssl s_client -showcerts -connect $server:465 2>/dev/null | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo " TLS certificate on port 587"
echo |openssl s_client -showcerts -connect $server:587 2>/dev/null -starttls smtp | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo ""
echo "#### IMAP ports (client2server) ####"
echo "------------------------------------"
echo " SSL certificate on port 143"
echo |openssl s_client -showcerts -connect $server:143 2>/dev/null -starttls imap | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo " SSL certificate on port 993"
echo |openssl s_client -showcerts -connect $server:993 2>/dev/null | openssl x509 -dates | grep After | sed 's/notAfter=/ Expires = /'
echo ""
echo ""

它会给予你这样的东西(如果你的脚本主机有最新的CA)。

SERVER CERTIFICATE EXPIRATION DATES:
------------------------------------

server = mail.mattila.eu

#### WWW port (client2server) ####
------------------------------------
 SSL certificate on port 443
 Expires = May  4 23:33:17 2023 GMT

#### SMTP ports (server2server) ####
------------------------------------
 TLS certificate on port 25
 Expires = May  4 23:33:17 2023 GMT

 SSL certificate on port 465
 Expires = May  4 23:33:17 2023 GMT

 TLS certificate on port 587
 Expires = May  4 23:33:17 2023 GMT

#### IMAP ports (client2server) ####
------------------------------------
 SSL certificate on port 143
 Expires = May  4 23:33:17 2023 GMT

 SSL certificate on port 993
 Expires = May  4 23:33:17 2023 GMT

这也会显示正确过期的(LetsEncrypt/Certbot)证书。您也可以修改它来嗅探SQL/LDAP端口。

赞(0)分享  回复(0)举报  2023-03-19
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com