Re: Access to x509 certificate using LWP?
> It's not the most beautiful thing in the world, but you can get access
> to the certificate data in the SSL_verify_callback. It gets called for
> each certificate in the chain, starting from the root cert. Here's a
> basic example:
>
> use strict;
> use warnings;
> use LWP::UserAgent;
>
> my $last_expire;
> my $ua = LWP::UserAgent->new(
>     ssl_opts => {
>         SSL_verify_callback => sub {
>             my ($ok, $ctx_store) = @_;
>             my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($ctx_store);
>             $last_expire =
>                 Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($cert));
>             return $ok;
>         },
>     },
> );
>
> $ua->get('https://www.google.com/');
> warn "$last_expire\n";

This is exactly what I was looking for. Thanks!

Unfortunately, the callback function is not called on my system, probably
a too-old library (I tried adding a die() in the callback, but nothing died).

--
Seb, autocuiseur

Re: Access to x509 certificate using LWP?
On 2/27/13 11:37 AM, Sebastien Koechlin wrote:
> Hello!
>
> I'm using a Perl script to monitor many webservers. I do a request on a page
> using LWP, check header and content, and print the result (OK/WARNING/ERROR).
>
> For https; I would like to also check the certificate expiration date and
> report a WARNING if the expiration date is in a few weeks.
>
> Is there any way to access the certificate sent by the remote server using LWP?
>
> (I'm using Red Hat EL 5.3 / perl-libwww-perl-5.805)
>

It's not the most beautiful thing in the world, but you can get access
to the certificate data in the SSL_verify_callback. It gets called for
each certificate in the chain, starting from the root cert. Here's a
basic example:

    use strict;
    use warnings;
    use LWP::UserAgent;
    use Net::SSLeay;    # loaded explicitly because the callback calls it directly

    my $last_expire;
    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            # Called once per certificate in the chain
            SSL_verify_callback => sub {
                my ($ok, $ctx_store) = @_;
                my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($ctx_store);
                # Keep the notAfter date of the certificate seen most recently
                $last_expire =
                    Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($cert));
                return $ok;    # pass the verification result through unchanged
            },
        },
    );

    $ua->get('https://www.google.com/');
    warn "$last_expire\n";

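An added example, not part of the original post: a variation on the callback above that records every certificate by chain depth instead of only the last one seen, then reports the worst status across the chain. It assumes LWP 6 or later with IO::Socket::SSL; the 30-day threshold, the function names and the sample chain are constructed for illustration.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use Net::SSLeay;
use Time::Local qw(timegm);
my $WARN_SECS = 30 * 86400;    # assumed threshold: warn 30 days before expiry

# "YYYY-MM-DDThh:mm:ssZ" (as returned by P_ASN1_TIME_get_isotime) -> epoch seconds
sub iso_to_epoch {
    my @t = $_[0] =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z$/
        or die "unexpected time format: $_[0]\n";
    return timegm($t[5], $t[4], $t[3], $t[2], $t[1] - 1, $t[0]);
}

# Returns the worst status over the chain, then one report line per certificate.
sub classify_chain {
    my ($chain, $now) = @_;
    my ($status, @lines) = ('OK');
    for my $depth (sort { $a <=> $b } keys %$chain) {    # depth 0 = server cert
        my $c    = $chain->{$depth};
        my $left = iso_to_epoch($c->{not_after}) - $now;
        my $s    = $left <= 0 ? 'ERROR' : $left < $WARN_SECS ? 'WARNING' : 'OK';
        $status = $s if $s eq 'ERROR' or ($s eq 'WARNING' and $status eq 'OK');
        push @lines, "$s depth=$depth notAfter=$c->{not_after} $c->{subject}";
    }
    return ($status, @lines);
}

# Collect subject and notAfter for every certificate the verify callback sees.
sub fetch_chain {
    my ($url) = @_;
    my %chain;
    my $ua = LWP::UserAgent->new(ssl_opts => { SSL_verify_callback => sub {
        my ($ok, $ctx) = @_;
        my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($ctx);
        $chain{ Net::SSLeay::X509_STORE_CTX_get_error_depth($ctx) } = {
            subject   => Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)),
            not_after => Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($cert)),
        };
        return $ok;    # keep OpenSSL's verdict; never force success here
    } });
    $ua->head($url);   # the request may fail on a bad chain; %chain is filled anyway
    return \%chain;
}
# Constructed sample chain and clock, used when no URL is given.
my %sample = (0 => { subject => '/CN=www.example.com', not_after => '2013-03-15T12:00:00Z' },
              1 => { subject => '/CN=Example CA',      not_after => '2016-01-01T00:00:00Z' });
my ($chain, $now) = @ARGV ? (fetch_chain($ARGV[0]), time)
                          : (\%sample, iso_to_epoch('2013-02-27T00:00:00Z'));
print "$_\n" for classify_chain($chain, $now);
```

Run without arguments it classifies the constructed chain (first line WARNING, since the depth-0 certificate expires 16 days after the sample clock); pass an https URL as the first argument to check a live server.
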
Re: Access to x509 certificate using LWP?
On 2013, Feb 27, at 10:37, Sebastien Koechlin wrote:
> I'm using a Perl script to monitor many webservers. I do a request on a page
> using LWP, check header and content, and print the result (OK/WARNING/ERROR).
>
> For https; I would like to also check the certificate expiration date and
> report a WARNING if the expiration date is in a few weeks.
>
> Is there any way to access the certificate sent by the remote server using LWP?
>
> (I'm using Red Hat EL 5.3 / perl-libwww-perl-5.805)

I see there have been several non-LWP suggestions, and unfortunately this
is another. But, what you describe sounds extremely similar to what Nagios
and its checks do so I'll just mention that I use the as-shipped check_http
module to do that as follows:

    define command {
        command_name    check_https_cert
        command_line    $USER1$/check_http -S -C 30 -H $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
    }

And then in a service definition I use one of (obviously altering the
www.example.com to the hostname of the virtual server I'm interested in if
a host serves for multiple names):

    check_command    check_https_cert
    check_command    check_https_cert!-H!www.example.com

Sorry it's not a pure Perl solution, but it does address your ultimate need
even though it's not exactly how you were asking for it to be done.

You can find it as part of the normal plugin package at:
http://nagiosplugins.org/ or your favorite OS package manager.

-p

Re: Access to x509 certificate using LWP?
On Wed, Feb 27, 2013 at 09:09:24PM +0100, Dirk-Willem van Gulik wrote:
> On 27 Feb 2013, at 18:01, Michiel Beijen wrote:
>
> > Hi,
> > On 27 Feb 2013 17:38, "Sebastien Koechlin" wrote:
> >
> > > For https; I would like to also check the certificate expiration date and
> > > report a WARNING if the expiration date is in a few weeks.
> > >
> > > Is there any way to access the certificate sent by the remote server using LWP?
> >
> > I think you can not do that via LWP, but you could use
> > http://search.cpan.org/~hirose/Net-SSL-ExpireDate-1.10/lib/Net/SSL/ExpireDate.pm
>
> I find that using (and parsing) the output of openssl s_client
>
>     openssl s_client -connect www.news.com:443 -CAfile root.pem

Thanks, I use the output of "openssl s_client -prexit -connect HOSTNAME:443

Re: Access to x509 certificate using LWP?
On 27 Feb 2013, at 18:01, Michiel Beijen wrote:
> Hi,
> On 27 Feb 2013 17:38, "Sebastien Koechlin" wrote:
>
> > For https; I would like to also check the certificate expiration date and
> > report a WARNING if the expiration date is in a few weeks.
> >
> > Is there any way to access the certificate sent by the remote server using LWP?
>
> I think you can not do that via LWP, but you could use
> http://search.cpan.org/~hirose/Net-SSL-ExpireDate-1.10/lib/Net/SSL/ExpireDate.pm

I find that using (and parsing) the output of openssl s_client

    openssl s_client -connect www.news.com:443 -CAfile root.pem

works well - as that lets you also detect expiry of intermediate
certificates. With -showcerts one can also send the results of
'openssl verify' and catch a whole raft of other issues too - which go a
bit beyond the expiry.

Dw.

Re: Access to x509 certificate using LWP?
Hi,
On 27 Feb 2013 17:38, "Sebastien Koechlin" wrote:
> For https; I would like to also check the certificate expiration date and
> report a WARNING if the expiration date is in a few weeks.
>
> Is there any way to access the certificate sent by the remote server using LWP?

I think you can not do that via LWP, but you could use
http://search.cpan.org/~hirose/Net-SSL-ExpireDate-1.10/lib/Net/SSL/ExpireDate.pm

--
Mike