On Sun, Feb 18, 2024 at 08:07:26PM +0100, Andreas Klein via dane-users wrote:
> Thanks for the comprehensive explanations.
>
> To monitor my SMTP with Nagios/Icinga2, I found
> https://github.com/matteocorti/check_ssl_cert
> useful, as it has options to check the different TLSA entries.
Wow! That shell script is 7327 lines long!
Here's an update for danesmtp() that adds a "-u <usages>" option. The default list of usages is "23", but you can specify just "3" or just "2" (or for some reason choose to support WebPKI with "0123", ...). This is now 40 lines long. :-)
danesmtp () {
    local OPTIND=1 opt
    local -a rrs sigs sslopts
    local rr i=0 host addr usages=23
    local rsa=rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512
    local ecdsa=ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512

    while getopts a:u:s: opt; do
        case $opt in
        a) addr=$OPTARG
           # Bracket IPv6 literals so that -connect parses them
           case $addr in *:*) addr="[$addr]";; esac;;
        u) usages=$OPTARG;;
        s) case $OPTARG in
           rsa|RSA) sigs=("-sigalgs" "$rsa" -cipher aRSA);;
           ecdsa|ECDSA) sigs=("-sigalgs" "$ecdsa" -cipher aECDSA);;
           *) printf '%s: Only RSA and ECDSA signatures supported\n' "$0"
              return 1;;
           esac;;
        *) printf 'usage: danesmtp [-a addr] [-u usages] [-s rsa|ecdsa] host [ssloption ...]\n'
           return 1;;
        esac
    done
    shift $((OPTIND - 1))
    host=$1
    shift
    if [[ -z "$addr" ]]; then
        addr="$host"
    fi
    sslopts=(-starttls smtp -connect "$addr:25" "${sigs[@]}" -verify 9
             -verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain "$host")
    # Keep only the TLSA records whose certificate usage is one of the digits in $usages
    rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
            grep -Ei "^[$usages]"' [01] [012] [0-9a-f]+$') )
    # Each record is four words: usage, selector, matching type, data
    while (( i < ${#rrs[@]} - 3 )); do
        rr=${rrs[@]:$i:4}
        i=$((i+4))
        sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
    done
    ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
}
Admittedly, this does not have any Icinga-specific signalling, so if more than a return code is required, some more glue would be needed.
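As an added illustration of the "glue" mentioned above (example code written for this thread, not the danesmtp() function posted here nor anything from check_ssl_cert), the same dig/openssl pipeline can be split into two small pieces that are testable without network access: a filter that keeps only the TLSA records with the wanted certificate usages, and a mapper from the s_client exit status and its -brief output to Nagios/Icinga plugin semantics (0 = OK, 2 = CRITICAL). It assumes bash 4 or later, dig, and an openssl with the -dane_* s_client options (1.1.0 or newer); the "Verification: OK" line is what s_client -brief prints on success, and the sample records in the test are constructed.

```bash
#!/bin/bash
# Added example: danesmtp() from the thread recast as a Nagios/Icinga-style
# plugin with testable helpers.  Assumes bash >= 4, dig, openssl >= 1.1.0.

# Read "dig +short +nosplit -t tlsa" output on stdin and print only the
# records whose certificate usage is one of the digits in $1 (default "23":
# DANE-TA(2) and DANE-EE(3)).  Malformed lines are dropped, as the grep in
# the original function does.
tlsa_filter() {
    local usages=${1:-23} line
    local re="^[$usages] [01] [012] [0-9A-Fa-f]+"'$'
    while IFS= read -r line; do
        if [[ $line =~ $re ]]; then
            printf '%s\n' "$line"
        fi
    done
}

# Map one "openssl s_client -brief ... -verify_return_error" run to plugin
# semantics.  $1 is the s_client exit status, its output is read on stdin.
# Prints a one-line status and returns 0 (OK) or 2 (CRITICAL).
dane_status() {
    local rc=$1 out reason
    out=$(cat)
    if [ "$rc" -eq 0 ] && grep -q '^Verification: OK' <<< "$out"; then
        printf 'OK - DANE TLSA verification succeeded\n'
        return 0
    fi
    # Prefer the Verification line if there is one; fall back to the exit status.
    reason=$(grep -m1 '^Verification' <<< "$out" || printf 'openssl s_client exit status %s' "$rc")
    printf 'CRITICAL - %s\n' "$reason"
    return 2
}

# Full check for one host: fetch the TLSA records, hand the selected ones to
# s_client, and return the plugin status.  Needs network and DNS.
dane_check() {
    local host=$1 usages=${2:-23} rr out rc n=0
    local -a sslopts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error
                      -dane_ee_no_namechecks -dane_tlsa_domain "$host")
    while IFS= read -r rr; do
        sslopts+=(-dane_tlsa_rrdata "$rr")
        n=$((n + 1))
    done < <(dig +short +nosplit -t tlsa "_25._tcp.$host" | tlsa_filter "$usages")
    if [ "$n" -eq 0 ]; then
        printf 'CRITICAL - no TLSA records with usage in [%s] for _25._tcp.%s\n' "$usages" "$host"
        return 2
    fi
    # -brief writes to stderr, so merge it before handing the text to dane_status.
    out=$( { sleep 1; printf 'QUIT\r\n'; } | openssl s_client -brief "${sslopts[@]}" 2>&1 )
    rc=$?
    dane_status "$rc" <<< "$out"
}

# Only run the live check when invoked with a host name: dane_check host [usages]
if [ $# -gt 0 ]; then
    dane_check "$@"
    exit $?
fi
```

Dropping it into an Icinga CheckCommand is then just a matter of pointing the command at this script with the host as its argument; the exit status and the first line of output are what the scheduler records.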