Verify SSL Expiration with Python 3

If you’ve ever had a need to verify multiple SSL certificates for expiration times in a batch and wanted to script it in Python, you’ll find this article interesting.

When I try to solve a problem, programatically, I usually start with the “what makes sense” question. In this case, the SSL cert main problem was not knowing when a site expired. With that said, there are several other things that are important to know:

  • HTTP Response Codes
  • Known text on the URI
  • Which Cipher Suites are Used on the SSL?
  • What version of SSL/TLS
  • What is the key strength of the cipher in use
  • SSL Serials
  • Domain Matching
  • Other tests such as Beast vulnerability
  • Is TLS compression in use? (CRIME vulnerability)
  • Do I have Session Ticket Support?
  • Do I have Ephemeral Key Support?

And the list goes on! As new vulnerabilities come up you need to know things about the certs you’ve chosen to use on your servers, and the clients you connect with.

Filter On Important/Wanted Info

As you can see there are many reasons you should review your SSL certs. For this script, I started with just a few:

TLS Version
Reason: Vulnerability attacks such as Beast on version 1.0
SSl x.509 Version
Reason: 1, 2, or 3 with 3 being the preferred
Expiration Date
Reason: For simple SSL cert management I need to know when to renew my certs!
Cipher Suite
Reason: Currently RSA 256*8 (2048) length is probably ok, but knowing the length and cipher suite is important to know what needs to be upgraded when the next attack of the day proves a cipher is no longer strong enough. There are several weak ciphers and both the client and server must agree on one. This shows my python client at least.

Tools such as SSLyze, sslcaudit and tlssled (all in the Kali toolset and available on git), show this type of information too. However, I wanted to send warning emails for certificate renewals and provide reports across an enterprise environment (and learn more about SSL/TLS in general).

Sample Data to Scan SSL

First, we need sample data and a list of servers to check. This could easily be made much larger (thousands of sites), but for our demo/tutorial purposes we will use the following 4 sites. This type of data structure is a dictionary {} of lists []. YOu can see that I also added a key (1000-1003) as I intend to eventually track these records in mysql using pymsql. The “200” you see is the expected http status code field, but I didn’t actually do anything with it in the script.

Script to Test SSL Expirations

The final version of this script will send email to alert, store periodic checks for DNS load times, TCP handshake times, and page load times as well as scanning the page for specific text to make sure the page is up. In this way we can monitor thousands of sites. Being proactive when issues appear, before they are issues is always the best way!

You will also notice that this python script does the SSL scans fast. The first version was single threaded. We had to wait on DNS look ups, TCP Handshake, etc 1 at a time. I rewrote it to use threading and now it’s very fast. It will scan hundreds of sites in just a few seconds.

Anyway, here is the script as-is. It is simple enough to learn from, but is missing some of the features that I will be putting into it over the next few days/weeks:

  • Add Email Alert Function
  • Add Text on URI verification
  • Store in MySQL
  • Finally – run from Cron

Sample Output

SSL Expiration Test

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.