Cool, thanks for sharing that, John.

I should note that even we are considering fetching these policies from
outside the MTA, so a script like this running in its own cron job against
the last hour's unique domains could be a totally viable option. I offer
this for those who were reluctant to open port 80/443 on their production
MTAs.

/m



--
Mark E. Risher |  Group Product Manager |  [email protected] |  650-253-3123

On Mon, May 2, 2016 at 4:33 PM, John Levine <[email protected]> wrote:

> >> With typical https libraries, I don't know how hard it'd be to check
> >> the second name in the certificate.
>
> I tried writing a python script to fetch an https URL and check a
> different domain name against the subjectAltNames in the site's
> certificate.  It turned out to be really easy, viz. the tiny script
> below.  So at first glance, that doesn't seem to be a big problem.
>
> R's,
> John
>
> --- snippo, python3 below ---
>
> import http.client
> import argparse
> import re
>
> parser = argparse.ArgumentParser(description='Fetch an https thing and also check an alt name')
> parser.add_argument('url', help='URL to fetch')
> parser.add_argument('name', help='Other domain name to check')
>
> args = parser.parse_args()
>
> # Split the URL into host and path; a missing path defaults to '/'.
> r = re.match(r'https://([-a-z0-9.]*)(/.*)?', args.url)
> if not r:
>     print("Doesn't look like an https url:", args.url)
>     exit(1)
> domain = r.group(1)
> path = r.group(2) or '/'
>
> # HTTPSConnection verifies the server certificate against `domain` by default.
> c = http.client.HTTPSConnection(domain)
>
> c.request('GET', path)
> r = c.getresponse()
> if r.status != 200:
>     print("status is", r.status)
>     exit(1)
>
> data = r.read()
> # Peer certificate as a dict; only populated for a verified connection.
> cert = c.sock.getpeercert()
> c.close()
>
> # check for alt name
> matched = False
> if 'subjectAltName' in cert:
>     for t, n in cert['subjectAltName']:
>         if t == 'DNS' and n == args.name: # should check wildcards, too.
>             matched = True
>             break
>
> if not matched:
>     print("no dice for", args.name)
>     exit(1)
>
> print("data is", data)
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
>
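Picking up John's remark that the check "should check wildcards, too", here is an added example (not John's or Mark's code) of a subjectAltName match that handles wildcard DNS names the way RFC 6125 describes: a wildcard only as the whole leftmost label, covering exactly one label, and never in a top-level position. `fetch_cert`, `san_matches` and `_dns_id_matches` are names chosen here, and `SAMPLE_CERT` is a constructed dictionary in the shape `ssl.SSLSocket.getpeercert()` returns so the matching can be exercised offline.

```python
import ssl
import socket


def _dns_id_matches(pattern: str, name: str) -> bool:
    """Match one DNS-ID from the certificate against name.

    A wildcard is honoured only when it is the entire leftmost label, the
    pattern has at least two further labels (so '*.com' never matches), and
    the name has the same number of labels (the wildcard covers one label).
    """
    pattern = pattern.lower().rstrip('.')
    name = name.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == name
    p_labels = pattern.split('.')
    n_labels = name.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def san_matches(cert: dict, name: str) -> bool:
    """True if some DNS subjectAltName in a getpeercert() dict covers name."""
    return any(kind == 'DNS' and _dns_id_matches(value, name)
               for kind, value in cert.get('subjectAltName', ()))


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the verified peer certificate for host (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dict in the shape getpeercert() returns, so the
# matching logic can be run without a network connection.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.example.com')),
}

if __name__ == '__main__':
    for candidate in ('www.example.com', 'mail.example.com',
                      'example.com', 'a.b.example.com'):
        print(candidate, san_matches(SAMPLE_CERT, candidate))
```

For a live check, replace `SAMPLE_CERT` with `fetch_cert(domain)`; the connection is verified against `domain`, and `san_matches` then answers whether the same certificate also covers the other name.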