我循环遍历域名列表以查看a)是否有443个侦听器和b)收集ssl证书过期,签名算法和公用名。所有拥有443监听器的域都会报告正确的ssl证书(与Chrome报告的内容相匹配),但是,有一个域无法正确报告 - myproair.com,它报告了parkinsonsed.com的证书 - 任何想法?
# ssl cert lookup
begin
timeout(1) do
tcp_client = TCPSocket.new("#{instance["domain"]}", 443)
ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
ssl_client.connect
cert = OpenSSL::X509::Certificate.new(ssl_client.peer_cert)
ssl_client.sysclose
tcp_client.close
#http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
date = Date.parse((cert.not_after).to_s)
row.push("#{date.strftime('%F')} #{cert.signature_algorithm} #{cert.subject.to_a.select{|name, _, _| name == 'CN' }.first[1]}".downcase.ljust(57))
end
rescue SocketError
row.push("down".ljust(57))
rescue Errno::ECONNREFUSED
row.push("connection refused".ljust(57))
rescue Errno::ECONNRESET
row.push("connection reset".ljust(57))
rescue Timeout::Error
row.push("no 443 listener".ljust(57))
rescue Exception => ex
row.push("error: #{ex.class}".ljust(57))
end
更新 :以下是与我合作的版本:
$ ruby --version
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14]
$ openssl version
OpenSSL 0.9.8zc 15 Oct 2014
我已使用ClientHello,s_client和-connect选项验证了使用OpenSSL -tls1 -servername发送的SNI扩展名。< / p>
答案 0 :(得分:1)
但是,有一个域无法正确报告 - myproair.com,它报告了parkinsonsed.com的证书 - 任何想法?
看起来共享主机与SSL相结合是罪魁祸首。显然, parkinsonsed.com 是服务器的默认站点。
您应该使用SNI来克服这些限制。 SNI适用于TLS 1.0及以上版本。另请参阅Server Name Indication support in Net::HTTP?
myproair.com,SSLv3且无SNI :
$ openssl s_client -ssl3 -connect myproair.com:443 | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:parkinsonsed.com, DNS:www.parkinsonsed.com, DNS:test.parkinsonsed.com, DNS:dev.parkinsonsed.com
myproair.com,TLS 1.0和SNI :
$ openssl s_client -tls1 -connect myproair.com:443 -servername myproair.com | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:myproair.com, DNS:www.myproair.com, DNS:dev.myproair.com, DNS:test.myproair.com