
Add option for detailing SSL/TLS Certificate

Open InAnimaTe opened this issue 8 years ago • 5 comments

This would be super useful to have for learning more about the certificate a particular site uses. It could be an add-on option (not default) which shows issuer information, if it's valid, start/expire, and possibly other details.

Just an idea!

InAnimaTe avatar Jan 27 '17 03:01 InAnimaTe

That's a good idea! I always use commands like

openssl s_client -connect reorx.com:443 -servername reorx.com | openssl x509 -noout -dates

to check the expiration date for my website, but that is ridiculously verbose and complex. If there's a tool that can handle this TLS stuff like what httpstat does for http, life will be much easier.

Because the TLS info cannot be obtained from curl, if we want to do this, we can only wrap around openssl and involve other command(s) in this process. To keep the simplicity and the "do one thing and do it well" rule, I don't think adding this feature to the httpstat main CLI is a very good idea, but I think this could be another tool, maybe called sslstat or something, to do this job specifically.

reorx avatar Jan 27 '17 03:01 reorx

I know a guy who's very familiar with the openssl command; he can write out all the commands you mentioned (show issuer info, if valid, etc.) without blinking an eye :)

@wzyboy what do you think of the idea of making that TLS CLI tool?

reorx avatar Jan 27 '17 03:01 reorx

In relation to your comment about curl, I did find a command that utilizes curl and awk to pull out cert related information; not clean though:

└[~]> curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*  start date: Jan 18 18:50:00 2017 GMT
*  expire date: Apr 12 18:50:00 2017 GMT
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.
* Connection #0 to host www.google.com left intact

But yeah, this would be super useful and openssl is most likely the best way to do it. In our case, pyopenssl/cryptography, I'd presume, would be good go-tos.

InAnimaTe avatar Jan 27 '17 04:01 InAnimaTe

Well, curl does show TLS info when invoked with the -v flag (as @InAnimaTe shows). If you do not want to add additional complexity to httpstat, you may parse the output of curl in the current codebase. @reorx

wzyboy avatar Jan 27 '17 10:01 wzyboy

Oops, I found that I was using curl version 7.43.0, which only showed very limited TLS info. I tried with the newer version and now see the expire date info. In this case it's possible to make httpstat parse and show this info in a better way.

reorx avatar Jan 27 '17 19:01 reorx