From: William Lallemand Date: Mon, 28 Apr 2025 09:35:11 +0000 (+0200) Subject: MINOR: ssl/cli: add a '-t' option to 'show ssl sni' X-Git-Tag: v3.2-dev13~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83975f34e40492aef6d62b6804da202a939e329a;p=thirdparty%2Fhaproxy.git MINOR: ssl/cli: add a '-t' option to 'show ssl sni' Add a -t option to 'show ssl sni', allowing to add an offset to the current date so it would allow to check which certificates are expired after a certain period of time. --- diff --git a/doc/management.txt b/doc/management.txt index b4f21d3cc..6ad31dc6e 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -3805,7 +3805,7 @@ show ssl providers - fips - base -show ssl sni [-f ] [-A] +show ssl sni [-f ] [-A] [-t ] Dump every SNI configured for the designated frontend, or all frontends if no frontend was specified. It allows to see what SNI are offered for a frontend, and to identify if a SNI is defined multiple times by multiple certificates for @@ -3814,6 +3814,12 @@ show ssl sni [-f ] [-A] The -A option allows to filter the list and only displays the certificates that are past the notAfter date, allowing to show only expired certificates. + The -t option takes an offset in seconds, or with a time unit (s, m, h, d), + which is added to the current time, allowing to check which certificates + expired after the offset when combined with -A. + For example if you want to check which certificates would be expired in 30d, + just do "show ssl sni -A -t 30d". + Columns are separated by a single \t, allowing to parse it simply. The 'Frontend/Bind' column shows the frontend name followed by the bind line 
@@ -3837,7 +3843,7 @@ show ssl sni [-f ] [-A] leaf certificate. Example: - $ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t' + $ echo "@1 show ssl sni -A -t 30d" | socat /var/run/haproxy-master.sock - | column -t -s $'\t' # Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 5d6dd730e..ea60bd3f3 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -98,6 +98,7 @@ struct show_sni_ctx { struct ebmb_node *n; int nodetype; int options; + unsigned int offset; }; /* CLI context used by "dump ssl cert" */ @@ -1713,7 +1714,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx) #ifdef HAVE_ASN1_TIME_TO_TM if (ctx->options & SHOW_SNI_OPT_NOTAFTER) { time_t notAfter = x509_get_notafter_time_t(sni->ckch_inst->ckch_store->data->cert); - if (!(date.tv_sec > notAfter)) + if (!(date.tv_sec+ctx->offset > notAfter)) continue; } #endif @@ -1788,7 +1789,7 @@ yield: } -/* parsing function for 'show ssl sni [-f ] [-A]' */ +/* parsing function for 'show ssl sni [-f ] [-A] [-t ]' */ static int cli_parse_show_sni(char **args, char *payload, struct appctx *appctx, void *private) { struct show_sni_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx)); 
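Review bot: In the -A filter of cli_io_handler_show_sni, `date.tv_sec+ctx->offset` adds an `unsigned int` to what is presumably a `time_t`, so the sum and its comparison with `notAfter` are governed by the usual arithmetic conversions instead of staying in `time_t`; on a build where `time_t` is 32-bit both sides would be compared as unsigned, which changes the outcome if `x509_get_notafter_time_t()` can return a negative value on failure. Casting the offset first keeps the arithmetic in `time_t`, and the double negation reads more directly as `<=`: `if (date.tv_sec + (time_t)ctx->offset <= notAfter) continue;`. This is also the only place `ctx->offset` is read, so the new field is inert unless `-A` is set. cli_io_handler_show_sni starts and ends outside the hunk.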
@@ -1832,9 +1833,35 @@ static int cli_parse_show_sni(char **args, char *payload, struct appctx *appctx, return cli_err(appctx, "'-A' option is only supported with OpenSSL >= 1.1.1!\n"); #endif + } else if (strcmp(args[cur_arg], "-t") == 0) { + unsigned int offset; + const char *res; + char *err = NULL; + + if (*args[cur_arg+1] == '\0') + return cli_err(appctx, "'-t' requires an offset argument!\n"); + + res = parse_time_err(args[cur_arg+1], &offset, TIME_UNIT_S); + + if (res == PARSE_TIME_OVER) { + return cli_dynerr(appctx, memprintf(&err, "offset overflow '%s' (maximum value is 2147483647s or ~24855 days)", args[cur_arg+1])); + } + else if (res == PARSE_TIME_UNDER) { + return cli_dynerr(appctx, memprintf(&err, "timer underflow '%s' (minimum non-null value is 1s)", args[cur_arg+1])); + } + else if (res) { + return cli_dynerr(appctx, memprintf(&err, "'%s %s' : unexpected character '%c'", args[cur_arg], args[cur_arg+1], *res)); + } + + if (!offset) { + return cli_dynerr(appctx, memprintf(&err, "'%s' expects a positive value", args[cur_arg])); + } + + ctx->offset = offset; + cur_arg++; /* skip the argument */ } else { - return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', or '-A' options!\n"); + return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', '-A' or '-t' options!\n"); } cur_arg++; }
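Review bot: The new `-t` branch stores `ctx->offset` but the parser accepts it without `-A`, and since the offset is only consumed by the notAfter filter, `show ssl sni -t 30d` silently behaves like a plain `show ssl sni`; the option loop and the function's return are outside the hunk, but once the loop ends a check such as `if (ctx->offset && !(ctx->options & SHOW_SNI_OPT_NOTAFTER)) return cli_err(appctx, "'-t' is only meaningful together with '-A'!\n");` would surface the misuse, or the comment above cli_parse_show_sni could state that `-t` is ignored without `-A`. The three `parse_time_err()` error messages also disagree in vocabulary: the PARSE_TIME_UNDER branch says `timer underflow` while its sibling says `offset overflow`; `"offset underflow '%s' (minimum non-null value is 1s)"` would keep them consistent with the option's own name. The `if (!offset)` guard is needed because `parse_time_err()` accepts a literal `0` without reporting an error, which is worth a one-line comment above it.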