🔐 👊 💥 🔥

mislav · mislav · commit ea97ca159252 · 2013-07-28T14:26:23.000+02:00
diff --git a/create-cert b/create-cert
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Usage: create-cert [CNAME=localhost] [ORGANIZATION]
+#
+# Creates a self-signed certificate and outputs it and its private key.
+set -e
+
+name="${1:-localhost}"
+org="$2"
+temp="${TMPDIR:-/tmp}/openssl-req.$$.$(date +%s)"
+
+openssl req \
+  -x509 -nodes -days 365 \
+  -subj "/O=$org/CN=$name" \
+  -newkey rsa:1024 -keyout "$temp" -out "$temp" 2>/dev/null
+
+cat "$temp"
+rm -f "$temp"
diff --git a/der2pem b/der2pem
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+while [ -n "$1" ]; do
+  if ! [ -f "$1" ]; then
+    echo "invalid .cer file: \`$1'" >&2
+    exit 1
+  fi
+  openssl x509 -inform der -in "$1" -outform pem
+  shift 1
+done
diff --git a/doctor.rb b/doctor.rb
@@ -0,0 +1,87 @@
+# Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
+require 'rbconfig'
+require 'net/https'
+
+if ARGV[0] =~ /^[^-]/
+  host, port = ARGV[0].split(':', 2)
+else
+  host = 'status.github.com'
+end
+port ||= 443
+
+ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_version = RUBY_VERSION
+if patch = RbConfig::CONFIG['PATCHLEVEL']
+  ruby_version += "-p#{patch}"
+end
+puts "%s (%s)" % [ruby, ruby_version]
+
+openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
+mac_openssl = '/System/Library/OpenSSL' == openssl_dir
+puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
+[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
+  puts "%s=%s" % [key, ENV[key].to_s.inspect]
+end
+
+ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
+ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
+
+puts "\nHEAD https://#{host}:#{port}"
+http = Net::HTTP.new(host, port)
+http.use_ssl = true
+
+# Explicitly setting cert_store like this is not needed in most cases but it
+# seems necessary in edge cases such as when using `verify_callback` in some
+# combination of Ruby + OpenSSL versions.
+http.cert_store = OpenSSL::X509::Store.new
+http.cert_store.set_default_paths
+
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+failed_cert = failed_cert_reason = nil
+
+if mac_openssl
+  warn "warning: unable show failed certificate info on OS X's OpenSSL"
+  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
+  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
+  # cert verification fail for requests that would otherwise be successful.
+else
+  http.verify_callback = lambda { |verify_ok, store_context|
+    if !verify_ok
+      failed_cert = store_context.current_cert
+      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
+    end
+    verify_ok
+  }
+end
+
+user_agent = "net/http #{ruby_version}"
+req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
+
+begin
+  res = http.start { http.request(req) }
+  abort res.inspect if res.code.to_i >= 500
+  puts "OK"
+rescue Errno::ECONNREFUSED
+  puts "Error: connection refused"
+  exit 1
+rescue OpenSSL::SSL::SSLError => e
+  puts "#{e.class}: #{e.message}"
+
+  if failed_cert
+    puts "\nThe server presented a certificate that could not be verified:"
+    puts "subject: #{failed_cert.subject}"
+    puts "issuer: #{failed_cert.issuer}"
+    puts "error code %s" % failed_cert_reason
+  end
+
+  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
+  ca_path_empty = Dir["#{ca_path}/*"].empty?
+
+  if ca_file_missing || ca_path_empty
+    puts "\nPossible causes:"
+    puts "- `%s' does not exist" % ca_file if ca_file_missing
+    puts "- `%s/' is empty" % ca_path if ca_path_empty
+  end
+
+  exit 1
+end
diff --git a/readme.md b/readme.md
@@ -0,0 +1,30 @@
+# SSL tools
+
+    der2pem FILES...
+
+    remote-cert status.github.com | show-cert
+
+    create-cert example.com "My Organization" > cert_and_key.pem
+
+    ruby doctor.rb example.com:443
+
+Sample output of `doctor.rb`:
+
+```
+/Users/mislav/.rbenv/versions/2.0.0-p247/bin/ruby (2.0.0-p247)
+OpenSSL 1.0.1e 11 Feb 2013: /usr/local/etc/openssl
+SSL_CERT_DIR=""
+SSL_CERT_FILE=""
+
+HEAD https://status.github.com:443
+OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
+
+The server presented a certificate that could not be verified:
+subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
+issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
+error code 20: unable to get local issuer certificate
+
+Possible causes:
+- `/usr/local/etc/openssl/cert.pem' does not exist
+- `/usr/local/etc/openssl/certs/' is empty
+```
diff --git a/remote-cert b/remote-cert
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Usage: remote-cert HOST[:PORT] [HOST[:PORT] ...]
+set -e
+
+while [ -n "$1" ]; do
+  host="${1%:*}"
+  port="${1#*:}"
+  [ "$host" = "$port" ] && port=443
+
+  echo | openssl s_client -connect ${host}:${port} 2>&1 |\
+    sed -nEe '/^-+BEGIN/,/^-+END/p'
+
+  shift 1
+done
diff --git a/show-cert b/show-cert
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Display human-readable information from a certificate.
+set -e
+
+file="$1"
+[ "$file" = "-" ] && file=""
+
+if [ -n "$file" -a ! -f "$file" ] || [ -z "$file" -a -t 0 ]; then
+  echo "Usage: show-cert <file>" >&2
+  exit 1
+fi
+
+format=pem
+[ "${file##*.}" = "cer" ] && format=der
+
+exec openssl x509 -inform "$format" ${1:+-in "$1"} -noout -text \
+  -nameopt multiline -certopt no_pubkey,no_sigdump
