/usr/lib/python2.7/dist-packages/linkcheck/plugins/sslcertcheck.py is in linkchecker 9.3-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 | # -*- coding: iso-8859-1 -*-
# Copyright (C) 2000-2014 Bastian Kleineidam
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
Handle https links.
"""
import time
import threading
from . import _ConnectionPlugin
from .. import strformat, LinkCheckerError
from ..decorators import synchronized
_lock = threading.Lock()
# configuration option names
sslcertwarndays = "sslcertwarndays"
class SslCertificateCheck(_ConnectionPlugin):
"""Check SSL certificate expiration date. Only internal https: links
will be checked. A domain will only be checked once to avoid duplicate
warnings.
The expiration warning time can be configured with the sslcertwarndays
option."""
def __init__(self, config):
"""Initialize clamav configuration."""
super(SslCertificateCheck, self).__init__(config)
self.warn_ssl_cert_secs_valid = config[sslcertwarndays] * strformat.SECONDS_PER_DAY
# do not check hosts multiple times
self.checked_hosts = set()
def applies_to(self, url_data):
"""Check validity, scheme, extern and url_connection."""
return url_data.valid and url_data.scheme == 'https' and \
not url_data.extern[0] and url_data.url_connection is not None
@synchronized(_lock)
def check(self, url_data):
"""Run all SSL certificate checks that have not yet been done.
OpenSSL already checked the SSL notBefore and notAfter dates.
"""
host = url_data.urlparts[1]
if host in self.checked_hosts:
return
self.checked_hosts.add(host)
cert = url_data.ssl_cert
config = url_data.aggregate.config
if cert and 'notAfter' in cert:
self.check_ssl_valid_date(url_data, cert)
elif config['sslverify']:
msg = _('certificate did not include "notAfter" information')
url_data.add_warning(msg)
else:
msg = _('SSL verification is disabled; enable the sslverify option')
url_data.add_warning(msg)
def check_ssl_valid_date(self, url_data, cert):
"""Check if the certificate is still valid, or if configured check
if it's at least a number of days valid.
"""
import ssl
try:
notAfter = ssl.cert_time_to_seconds(cert['notAfter'])
except ValueError as msg:
msg = _('Invalid SSL certficate "notAfter" value %r') % cert['notAfter']
url_data.add_warning(msg)
return
curTime = time.time()
# Calculate seconds until certifcate expires. Can be negative if
# the certificate is already expired.
secondsValid = notAfter - curTime
args = dict(expire=cert['notAfter'])
if secondsValid < 0:
msg = _('SSL certficate is expired on %(expire)s.')
url_data.add_warning(msg % args)
else:
args['valid'] = strformat.strduration_long(secondsValid)
if secondsValid < self.warn_ssl_cert_secs_valid:
msg = _('SSL certificate expires on %(expire)s and is only %(valid)s valid.')
url_data.add_warning(msg % args)
else:
msg = _('SSL certificate expires on %(expire)s and is %(valid)s valid.')
url_data.add_info(msg % args)
@classmethod
def read_config(cls, configparser):
"""Read configuration file options."""
config = dict()
section = cls.__name__
option = sslcertwarndays
if configparser.has_option(section, option):
num = configparser.getint(section, option)
if num > 0:
config[option] = num
else:
msg = _("invalid value for %s: %d must not be less than %d") % (option, num, 0)
raise LinkCheckerError(msg)
else:
# set the default
config[option] = 30
return config
|