As it says on the tin. I'm looking for a way to retrieve the x509 cert for SMTP servers that offer STARTTLS. gnutls-cli can be used, but you have to manually type some steps: EHLO blah, STARTTLS and then ctrl-D (for EOF):

visser@nagios:~$ gnutls-cli --starttls --print-cert --port 25 aspmx.l.google.com
Resolving 'aspmx.l.google.com'...
Connecting to '2a00:1450:400c:c09::1a:25'...

- Simple Client Mode:

220 mx.google.com ESMTP fu3si8792677wib.31 - gsmtp
EHLO blah
250-mx.google.com at your service, [2001:610:158:98d::45]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
STARTTLS
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=mx.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', RSA key 2048 bits, signed using RSA-SHA1, activated `2014-07-15 08:56:16 UTC', expires `2015-04-04 15:15:55 UTC', SHA-1 fingerprint `2282b379696a721505f273fa1e6bbe36f0ba01e2'
-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXdZYG

I'm looking for a way to avoid the interactive steps, so that it can be used in scripts.

Background: I have a Nagios plugin that depends on the output of 'openssl s_client' to retrieve the certs, like this:

visser@nagios:~$ openssl s_client -showcerts -starttls smtp -connect aspmx.l.google.com:25 < /dev/null 2>&1
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIa7+rjwrecGgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE1MDg1NjE2WhcNMTUwNDA0MTUxNTU1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
etc etc

but for some reason 'openssl s_client' does not work with IPv6. The mail servers I want to connect to only run IPv6, so openssl fails. GnuTLS works with IPv6, the only thing left is a way to script it...

Thanks!!

-- 
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT Association
Networking. Services. People.
Learn more at: http://www.géant.org
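
One way to script the exchange shown above without the interactive steps, as an added example that is not part of the original post and is not GnuTLS or OpenSSL code: it sends EHLO and STARTTLS itself over whichever address family resolves (IPv6 included), then returns the leaf certificate as PEM. The function names, the sample EHLO bytes and the use of Python's standard ssl module are assumptions made for this example.

```python
import socket, ssl, sys

# Constructed sample, modelled on the EHLO reply in the transcript above.
SAMPLE_EHLO = (b"250-mx.google.com at your service\r\n250-SIZE 35882577\r\n"
               b"250-8BITMIME\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")

def read_reply(f):
    """Read one SMTP reply (possibly multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line[3:4] != "-":          # "250-..." continues, "250 ..." ends
            return int(line[:3]), lines

def offers_starttls(ehlo_lines):
    """True if any EHLO line advertises the STARTTLS keyword."""
    return any(l[4:].upper().split()[:1] == ["STARTTLS"] for l in ehlo_lines)

def expect(f, want):
    """Read a reply and fail loudly if its code is not the expected one."""
    code, lines = read_reply(f)
    if code != want:
        raise RuntimeError("expected %d, got: %s" % (want, lines[-1]))
    return lines

def fetch_smtp_cert(host, port=25, helo="blah", timeout=10):
    """Return the server's leaf certificate as PEM after SMTP STARTTLS."""
    # create_connection() tries every address from getaddrinfo, IPv6 included.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        expect(f, 220)                                  # greeting
        sock.sendall(b"EHLO " + helo.encode("ascii") + b"\r\n")
        if not offers_starttls(expect(f, 250)):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        expect(f, 220)                                  # "Ready to start TLS"
        # Retrieval only: chain validation is off so that expired or untrusted
        # certificates can still be fetched and inspected by the check itself.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)

if __name__ == "__main__":
    sys.stdout.write(fetch_smtp_cert(sys.argv[1]))
```

Run with the mail server's hostname as the only argument; the PEM output can be piped to whatever the plugin already uses to parse certificates.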
