Diffstat (limited to 'tools/qmail-tls-check_certs')
-rwxr-xr-xtools/qmail-tls-check_certs84
1 files changed, 84 insertions, 0 deletions
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
new file mode 100755
index 0000000..d8f97de
--- /dev/null
+++ b/tools/qmail-tls-check_certs
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Author: Jason Haar <jhaar@users.sourceforge.net>
+# Date: 09-Nov-2004
+# Version: 1.0
+# Copyright: GPL
+#
+# This script simply checks the status of the certificates used by
+# Qmail with Frederik Vermeulen's TLS patch - to ensure they are
+# valid, non-expired certs with the appropriate KeyUsage extensions
+# required to get their jobs done.
+# This script can be run on a nightly basis to check the cert status.
+# Note that when it marked as cert as "bad" (typically because it's
+# expired), it will be renamed, a syslog event generated, and probably
+# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+#
+# That may sound bad, but the alternative is that Qmail will stop working
+# for new TLS sessions *anyway* - it's just that this script will tell
+# you why...
+
+LOGGER="logger -i -t qmail-tls-check_certs"
+
+dir=''
+dirlist="/etc/qmail/control /var/qmail/control"
+for trydir in $dirlist ; do
+ if test -d $trydir ; then
+ dir=$trydir
+ break
+ fi
+done
+if test -z "$dir" ; then
+ 1>&2 echo "Cannot find any control director ($dirlist)"
+ exit 1
+fi
+
+for cert in servercert.pem clientcert.pem ; do
+ if ! test -f "$dir/$cert"; then
+ echo "Certificate missing: $dir/$cert"
+ else
+ #First, check that it's a valid cert for the task
+ TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+ if [ "$?" != "0" ]; then
+ echo "$dir/$cert is a broken cert. Disabled"
+ mv -f $dir/$cert $dir/BROKEN-${cert}
+ $LOGGER "$dir/$cert is a broken cert. Disabled"
+ continue
+ fi
+
+ #Now check it hasn't expired
+ TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+ grep -i after|cut -d= -f2 )
+ EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
+ if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ NOW_IN_SECS=`date +%s 2>/dev/null`
+ if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
+ echo "$dir/$cert has EXPIRED. Disabling"
+ mv -f $dir/$cert $dir/EXPIRED-${cert}
+ $LOGGER "$dir/$cert has EXPIRED. Disabling"
+ continue
+ fi
+ fi
+ fi
+
+ if [ "`echo $cert|grep server`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE | \
+ egrep -i '(any purpose|server).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a server cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+ continue
+ fi
+ fi
+ if [ "`echo $cert|grep client`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE |
+ egrep -i '(any purpose|client).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a client cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+ fi
+ fi
+ fi
+
+done
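Review bot: The expiry check fails open: `date +%s --date $TEMP_DATE` is run with the notAfter string unquoted, so the value is word-split into several operands and (with GNU date at least) the command appears to fail, `2>/dev/null` hides the error, `EXPIRE_IN_SECS` stays empty, and the `egrep '^[0-9]+$'` guard then silently skips the whole expired-cert branch instead of reporting it. The minimal fix is `EXPIRE_IN_SECS=\`date +%s --date "$TEMP_DATE" 2>/dev/null\`` plus an `else` arm on the two digit checks that echoes and `$LOGGER`s something like `"$dir/$cert: cannot determine expiry date, not checked"` so an unparsable date is a visible failure rather than a pass; `openssl x509 -checkend 0` would avoid the date parsing altogether. The purpose checks have a related weakness: `echo $TEMP_PURPOSE` unquoted collapses openssl's multi-line output onto one line, so `egrep -i '(any purpose|server).* yes'` can match a "Yes" belonging to a later, unrelated purpose; quoting `"$TEMP_PURPOSE"` keeps one purpose per line so the pattern is anchored to the right entry. Since the `#!/bin/sh` shebang is kept, note that `--date` and `egrep` are GNU/non-POSIX, which is another reason the script may silently skip checks on other platforms.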