#!/bin/bash -

#
# Test if DoT certificates are trustworthy.
#
# ummeegge 08.12.2018
###########################################
#

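# Formatting
# Terminal width for the rule printed by seperator(). tput fails when stdout
# is not a terminal (e.g. output piped to a log) and would leave COLUMNS
# empty, which breaks the '%*s' width argument below, so fall back to 80.
COLUMNS="$(tput cols 2>/dev/null)"
[[ "${COLUMNS}" =~ ^[0-9]+$ ]] || COLUMNS=80
# seperator [CHAR]: print one line of CHAR (default '=') spanning COLUMNS
# columns. Output goes to stdout.
seperator() {
	local _hr
	# '%*s' takes the field width from the next argument and pads with blanks;
	# the blanks are then swapped for the rule character. Both expansions are
	# quoted so a CHAR such as '*' cannot be globbed.
	printf -v _hr "%*s" "${COLUMNS}" '' && printf '%s\n' "${_hr// /${1-=}}"
}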

# Check if kdig is present; without it there is nothing to test.
if ! command -v kdig >/dev/null 2>&1; then
	printf '%s\n' "kdig is required but it's not installed.  Aborting." >&2
	exit 1
fi

# Paths
# CA bundle that kdig validates the forwarder's TLS certificate against.
BUNDLE='/etc/ssl/certs/ca-bundle.crt'
# Unbound drop-in config files. Stored as a glob and deliberately expanded
# unquoted where it is handed to grep further down.
LOCALD='/etc/unbound/local.d/*'

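# Check for DoT forwarder
# Abort unless at least one forward-addr line of the form IP@853#hostname
# exists in the unbound drop-in files. LOCALD is an unquoted glob on purpose.
# shellcheck disable=SC2086
if ! grep -qERw "forward-addr: ([0-9.]+){4}@853#[a-zA-Z0-9]+([-.]?[a-zA-Z0-9]+)*.[a-zA-Z]+$" ${LOCALD} 2>/dev/null; then
	# Diagnostic goes to stderr so it is not mixed into captured stdout.
	printf '%s\n' "Haven´t found usable DoT forwarders in ${LOCALD}. Need to quit... " >&2
	exit 1
fi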

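# Get DoT data and write it to files
# The scratch files live in a private directory from mktemp instead of under
# fixed names in /tmp: a fixed name can be pre-created or symlinked by another
# local user and the redirections below would then write through it. The EXIT
# trap removes the directory on every exit path of the remaining script.
WORKDIR="$(mktemp -d)" || { printf '%s\n' "Could not create a temporary directory. Aborting." >&2; exit 1; }
trap 'rm -rf -- "${WORKDIR}"' EXIT
DOT="${WORKDIR}/DOT"        # raw "IP@853#host" matches
HOST="${WORKDIR}/host.in"   # one host name per line (part after '#')
IP="${WORKDIR}/ip.in"       # one address per line (part before '@')
# LOCALD is an unquoted glob on purpose (one argument per matching file).
# shellcheck disable=SC2086
grep -hERo "([0-9.]+){4}@853#.*" ${LOCALD} > "${DOT}"
awk -F'#' '{ print $2 }' "${DOT}" > "${HOST}"
awk -F'@' '{ print $1 }' "${DOT}" > "${IP}"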

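# Mainpart
# For every forwarder, query google.com over TLS with kdig while validating
# the server certificate against BUNDLE and the configured host name
# (+tls-ca / +tls-host). kdig's exit status is the verdict that is printed.
echo
seperator
while read -u 3 -r ip && read -u 4 -r host; do
	echo
	kdig -d @"${ip}" +tls-ca="${BUNDLE}" +tls-host="${host}" google.com
	# Kept in 'rc' rather than a variable named 'exit', which shadows the
	# builtin's name and is easy to misread.
	rc=$?
	echo
	echo "Exit status: $rc"
	echo
	seperator
	sleep 5   # pause between forwarders
done 3<"${IP}" 4<"${HOST}"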

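# Clean up
# Plain files only, so no -r; '--' stops option parsing, and the variables are
# quoted so an empty or odd value can never widen what gets removed.
rm -f -- "${DOT}" "${IP}" "${HOST}"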


# EOF