Siegfried - 2016-12-15

collect_ssl_info

The script collect_ssl_info provides an easy way to collect information from x509 certificates and from hosts that speak SSL/TLS.

installation

required

  • gawk
  • openssl

Just put it in a directory on your PATH and make it executable.

manpage

COLLECT_SSL_INFO(1) System Manager's Manual COLLECT_SSL_INFO(1)

NAME
collect_ssl_info — a wrapper for openssl

DESCRIPTION
collect_ssl_info is a GAWK script to collect information about x509 certs. The cert source can be servers or files. The script shows all details
of x509 certs and calculates hashes and ids for SHA, SHA256, SHA512, DANE and the pin.

SYNOPSIS
collect_ssl_info [-pqv] [host:port] [host2:port] [-u host3:port] [-ul hostlist] [-ul hostlist2] [-c cipher] [-c cipher2] [-cl cipherlist]
[-cl cipherlist2] [-z certfile] [-z certfile2] [-zl certlist] [-zl certlist2]

OPTIONS
 -h, --help
     Show help and information about how to use collect_ssl_info

 -V, --version
     Show program version and exit

 -v
     Verbose mode (can be used several times to increase the level of details).

 -u  www.host.de:port
     host and port to connect to and fetch information from
     each string given without an option is assumed to be a hostname with port
     this option can be used several times for several hosts

 -ul hostlist
     hostlist is a file that contains a list of hostname:port entries
     Blank lines and empty lines are allowed and will be ignored
     this option can be used several times for several host lists

 -c  RC4-MD5
     cipher to check in the protocol check with option -p
     this option can be used several times to check for several ciphers

 -cl cipherlist
     cipherlist is a file that contains a list of cipher name entries
     Blank lines and empty lines are allowed and will be ignored
     this option can be used several times for several cipher lists

 -z  certfile
     certfile to read
     this option can be used several times for several certfiles

 -zl certlist
     certlist is a file that contains a list of certfile name entries
     Blank lines and empty lines are allowed and will be ignored
     this option can be used several times for several certfile lists

 -i
     show certinfo in detail, including hashes
     this option is set by default and can be switched off with -q

 --showcerts
     take complete certchain to display the details

 --state
     check certs with OCSP against their CAs

 -q
     do not show any cert

 -p
     check the symmetric ciphers for each host:port pair and show whether the server connects with them or not

HOST SELECTION BY LIST
-ul file
file with hostlist in addr:port combination

CIPHER SELECTION BY LIST
-cl file
file with cipher list

CERTIFICATE SELECTION BY LIST
-zl file
file with certfile list as filenames

EXAMPLES
show the cert a host offers
collect_ssl_info www.host.de:443
collect_ssl_info -u www.host.de:443

 show the certs several hosts offer
     collect_ssl_info www.host1.de:443 www.host2.de:143
     collect_ssl_info -u www.host1.de:443 -u www.host2.de:143

 show the cert of a host and check ciphers
     collect_ssl_info -p www.host.de:443
     collect_ssl_info -p -u www.host.de:443

 show the cert of a host and check the cipher RC4-MD5
     collect_ssl_info -p www.host.de:443 -c RC4-MD5
     collect_ssl_info -p -u www.host.de:443 -c RC4-MD5

 show the certs several hosts offer and check whether they connect with the ciphers RC4-MD5 and AES128-SHA256
     collect_ssl_info -p www.host.de:443 -c RC4-MD5 -c AES128-SHA256
     collect_ssl_info -p www.host1.de:443 www.host2.de:143 -c RC4-MD5 -c AES128-SHA256

 check only whether the host connects with the ciphers RC4-MD5 and AES128-SHA256
     collect_ssl_info -qp www.host.de:443 -c RC4-MD5 -c AES128-SHA256

 show the certfile www.something.de.pem
     collect_ssl_info -z www.something.de.pem

EXAMPLES WITH HOSTLISTS
show only the ciphers of the hosts from hostlistaa.txt; the list contains the entries
www.host1.de:443
www.host2.de:143

 collect_ssl_info -qp -ul hostlistaa.txt

EXAMPLES WITH CIPHERLISTS
check only the ciphers from cipherlistbb.txt against the hosts from hostlistaa.txt; the cipherlist contains the entries
RC4-MD5
AES128-SHA256

 collect_ssl_info -qp -ul hostlistaa.txt -cl cipherlistbb.txt

EXAMPLES WITH CERTLISTS
show the details of the certfiles named in certfilelistcc.txt; the certlist contains the entries
www.host1.de.pem
www.host2.de.pem

 collect_ssl_info -zl certfilelistcc.txt

PRESETTINGS
-i  this option is assumed by default; use -q to switch it off

 -u  each string given without an option is assumed to be a hostname and is treated as if given with -u

SEE ALSO
openssl(1), x509(1)

AUTHOR
collect_ssl_info and this manpage were written by siegfried. It is released under the GPLv3 (GNU General Public License version 3).

an advanced example: collect_ssl_info -ul host.txt -pq -cl cipher.txt

First create two list files.
The hostlist host.txt looks like this

192.xx.yy.zz:123
www.xyz.de:443

and the cipherlist cipher.txt looks like this

RC4-MD5
AES128-SHA256

now we can use both lists to do a quick cipher check on these hosts with the command

collect_ssl_info -ul host.txt -pq -cl cipher.txt

===== begin ciphertest 192.xx.yy.zz:123 ===============
RC4-MD5 failed
AES128-SHA256 success
===== end ciphertest 192.xx.yy.zz:123 ===============
===== begin ciphertest www.xyz.de:443 ===============
RC4-MD5 failed
AES128-SHA256 success
===== end ciphertest www.xyz.de:443 ===============
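As an added example (not the collect_ssl_info script itself), here is the same workflow in plain POSIX sh: reading the list files with the blank-line rule, the -p cipher probe via openssl s_client printed in the tool's output framing, and the -z identifiers from the DESCRIPTION (SHA-256 fingerprint, DANE TLSA "3 0 1" digest and SPKI pin). The names read_list, cipher_test, cipher_report, cert_ids and the SSL_PROBE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original gawk script: the openssl calls it wraps.

# Read a host or cipher list file, dropping blank and whitespace-only lines
# (the manpage says such lines are allowed and ignored).
read_list() {
    grep -v '^[[:space:]]*$' "$1"
}

# Probe command for the cipher check. Overridable (e.g. SSL_PROBE=true or
# SSL_PROBE=false) so the verdict logic can be exercised without a network.
: "${SSL_PROBE:=openssl s_client}"

# Try one cipher against host:port and print "CIPHER success|failed" exactly
# like the -p output. Caveat: s_client -cipher only governs TLS 1.2 and
# below; TLS 1.3 suites are selected with -ciphersuites.
cipher_test() {
    hostport=$1; cipher=$2
    if $SSL_PROBE -connect "$hostport" -cipher "$cipher" </dev/null >/dev/null 2>&1; then
        echo "$cipher success"
    else
        echo "$cipher failed"
    fi
}

# The -ul/-cl/-pq combination: every cipher against every host, framed like
# the "begin/end ciphertest" blocks shown above.
cipher_report() {
    read_list "$1" | while read -r hp; do
        echo "===== begin ciphertest $hp ==============="
        read_list "$2" | while read -r c; do cipher_test "$hp" "$c"; done
        echo "===== end ciphertest $hp ==============="
    done
}

# Identifiers for a PEM certfile (-z): SHA-256 fingerprint of the DER cert,
# the same digest in the form of a DANE TLSA "3 0 1" record, and the
# SHA-256 of the DER SubjectPublicKeyInfo, base64-encoded, as used for pinning.
cert_ids() {
    pem=$1
    openssl x509 -in "$pem" -noout -fingerprint -sha256
    printf 'TLSA 3 0 1 '
    openssl x509 -in "$pem" -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
    printf 'pin-sha256="%s"\n' "$(openssl x509 -in "$pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64)"
}
```

Run `cipher_report host.txt cipher.txt` for the -pq check, or `cert_ids www.something.de.pem` for the -z identifiers; both need openssl on the PATH.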