vessl is a bash script that can fetch and verify the SSL certificate of a remote server.
It was originally written to script the verification of SSL certificates across a large network.
Key features
- vessl will connect to any service that OpenSSL can
- It extracts the certificate and verifies it against a given CA PEM file
- It checks that the certificate matches the host it was fetched from
- It produces a map from IPs to hostnames
- It checks whether the certificate is based on a blacklisted Debian key
Dependencies
- openssl
- ping
- openssl-vulnkey
- mktemp
- CA PEM file
Usage
vessl -h host [-p port] [-c certfile] [-v]
Output Files
By default the output will be 3 files:
ip:port.verify
ip:port.cert
sslmap
The first is the verification data, the second is the certificate and the third maps IP to SSL Hostname, e.g.
77.75.105.66:443, labs.portcullis.co.uk (77.75.105.66)
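The sketch below is an added illustration of the checks listed above, written for this page and not the vessl script itself. It uses the same dependencies: openssl s_client fetches the leaf certificate, openssl verify checks it against the CA PEM file, the hostname is matched against the subject CN and SAN DNS entries, openssl-vulnkey checks for a blacklisted Debian key, and one line is appended to sslmap. The function names, the ping-based IP lookup, the default CA path and the treatment of openssl-vulnkey's exit status are assumptions.

```shell
#!/bin/bash
# Added sketch of vessl's checks (not the original script); names below are assumptions.

fetch_cert() {      # host port -> leaf certificate (PEM) on stdout
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

cert_names() {      # certfile -> subject CN and SAN DNS names, one per line
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

name_matches() {    # pattern host -> 0 if it matches; a wildcard covers one leftmost label only
  nm_pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); nm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$nm_pat" in
    \*.*.*) nm_suffix=${nm_pat#\*.}; nm_first=${nm_host%%.*}
            [ -n "$nm_first" ] && [ "$nm_host" = "$nm_first.$nm_suffix" ] ;;
    *)      [ "$nm_pat" = "$nm_host" ] ;;
  esac
}

cert_matches_host() {   # certfile host -> 0 if any CN/SAN entry matches the host
  for n in $(cert_names "$1"); do name_matches "$n" "$2" && return 0; done
  return 1
}

sslmap_line() {     # ip port host -> one line in the sslmap format shown above
  printf '%s:%s, %s (%s)\n' "$1" "$2" "$3" "$1"
}

main() {            # main host [port] [cafile]; default CA path follows the README's mozilla.pem
  host=$1; port=${2:-443}; cafile=${3:-/etc/certs/mozilla.pem}
  ip=$(ping -c 1 "$host" 2>/dev/null | sed -n '1s/.*(\([0-9.]*\)).*/\1/p'); ip=${ip:-$host}
  cert="$ip:$port.cert"; verify="$ip:$port.verify"
  fetch_cert "$host" "$port" >"$cert" || { echo "could not fetch certificate from $host:$port" >&2; return 1; }
  {
    openssl verify -CAfile "$cafile" "$cert"                  # chain check against the CA PEM file
    cert_matches_host "$cert" "$host" && echo "hostname: OK" || echo "hostname: MISMATCH"
    # assumption: openssl-vulnkey exits non-zero for a blacklisted (weak Debian) key
    openssl-vulnkey "$cert" && echo "weak-key: OK" || echo "weak-key: BLACKLISTED or check failed"
  } >"$verify" 2>&1
  sslmap_line "$ip" "$port" "$host" >>sslmap
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```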
Generating a CA PEM file
Gentoo
emerge ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem
Debian
apt-get install ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem