do chain checks also with starttls #345
Merged
For "normal" https/ssl checks, check_ssl_cert checks the entire chain,
but for checks for a given protocol (openssl s_client -starttls ),
this is not being done. However, it should.
} weasel@sarek:~/ssl$ ./check_ssl_cert.1.1 --ignore-ocsp -H '2600:3c01::f03c:91ff:fe2c:2b9f' -p 25 -P smtp --cn ms.lwn.net
} SSL_CERT OK - x509 certificate 'ms.lwn.net' from 'R3' valid until Nov 16 00:39:50 2021 GMT (expires in 46 days)|days_chain_elem1=46;20;15;;
} weasel@sarek:~/ssl$ ./check_ssl_cert.2.1 --ignore-ocsp -H '2600:3c01::f03c:91ff:fe2c:2b9f' -p 25 -P smtp --cn ms.lwn.net
} SSL_CERT OK - x509 certificate 'ms.lwn.net' from 'R3' valid until Nov 16 00:39:50 2021 GMT (expires in 46 days)|days_chain_elem1=46;20;15;; days_chain_elem2=1446;20;15;; days_chain_elem3=1096;20;15;;
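
An added example, not part of the pull request or of check_ssl_cert itself: a shell regression check that parses the `days_chain_elemN` perfdata from the two runs above and reports UNKNOWN when fewer chain elements were checked than the service is expected to present. The helper names, the minimum-depth argument and the "below threshold" alert rule are assumptions made for illustration.

```shell
#!/bin/sh
# Plugin output copied from the two runs in the pull request description.
MSG="SSL_CERT OK - x509 certificate 'ms.lwn.net' from 'R3' valid until Nov 16 00:39:50 2021 GMT (expires in 46 days)"
BEFORE_OUT="$MSG|days_chain_elem1=46;20;15;;"
AFTER_OUT="$MSG|days_chain_elem1=46;20;15;; days_chain_elem2=1446;20;15;; days_chain_elem3=1096;20;15;;"

# Print "index days warn crit" for each days_chain_elemN perfdata entry;
# an unset threshold is printed as "-". (Helper names are hypothetical.)
chain_perfdata() {
    case $1 in *"|"*) ;; *) return 0 ;; esac    # no perfdata section
    printf '%s\n' "${1#*|}" | tr ' ' '\n' | awk -F'[=;]' '
        /^days_chain_elem[0-9]+=-?[0-9]+;/ {
            sub(/^days_chain_elem/, "", $1)
            print $1, $2, ($3 == "" ? "-" : $3), ($4 == "" ? "-" : $4)
        }'
}

# Number of chain elements whose expiry the plugin actually reported.
chain_depth() { chain_perfdata "$1" | awk 'END { print NR }'; }

# $1 = plugin output, $2 = minimum chain depth the monitored service should present.
# Returns Nagios-style codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumption: an element alerts when its remaining days fall below warn/crit.
check_chain() {
    depth=$(chain_depth "$1")
    if [ "$depth" -lt "$2" ]; then
        echo "UNKNOWN - $depth chain element(s) in perfdata, expected at least $2"
        return 3
    fi
    chain_perfdata "$1" | awk '
        BEGIN { worst = 0; split("OK WARNING CRITICAL", name, " ") }
        { s = ($2+0 < $4+0) ? 2 : (($2+0 < $3+0) ? 1 : 0)
          if (s > worst) worst = s
          if (NR == 1 || $2+0 < min) { min = $2+0; elem = $1 } }
        END { printf "%s - %d chain elements, element %s expires first in %d days\n",
                     name[worst + 1], NR, elem, min
              exit worst }'
}

check_chain "$BEFORE_OUT" 2 || :   # UNKNOWN: the pre-fix output covers the leaf only
check_chain "$AFTER_OUT" 2         # OK: all three elements are reported
```

Run against live plugin output, a check like this catches a silent return to leaf-only checking, where an expiring intermediate would otherwise go unreported on STARTTLS services.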