openssldir=/etc/ssl
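--- /dev/null
+++ b/NEW-FILE-1-PATH-NOT-SHOWN
@@ -0,0 +1,29 @@
+## Stage 1 IPREV - DNS round-robin
+
+better deal with this kind of situation...
+
+    $ host 194.224.177.201
+    201.177.224.194.in-addr.arpa domain name pointer meg02.aena.es.
+    201.177.224.194.in-addr.arpa domain name pointer correosmtp.aena.es.
+    201.177.224.194.in-addr.arpa domain name pointer spf.aena.es.
+    201.177.224.194.in-addr.arpa domain name pointer meg04.aena.es.
+
+    $ host 217.130.124.201
+    201.124.130.217.in-addr.arpa domain name pointer meg04.aena.es.
+    201.124.130.217.in-addr.arpa domain name pointer meg02.aena.es.
+    201.124.130.217.in-addr.arpa domain name pointer correosmtp.aena.es.
+    201.124.130.217.in-addr.arpa domain name pointer spf.aena.es.
+
+## Stage ENFORCE CHECK
+
+need to fix
+
+    zimbra.oxygen8.comsend: spawn id exp4 not open
+    while executing
+    "send "EHLO $ehlo\r""
+    (file "/root/masspie/checksmtp.exp" line 41)
+
+## Stage ENFORCE CHECK - output formatting
+
+in case expect got killed by `timeout`, then a carriage return is missing in stderr. we currently workaround this by the fact we're parsing the right-hand part of the results anyway, meaning a that kind of failing hosts will have no result at all. we otherwise look at the raw SMTP status codes from stdout which also works around the issue
+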
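--- /dev/null
+++ b/NEW-FILE-2-PATH-NOT-SHOWN
@@ -0,0 +1,43 @@
+## shot3
+
+- stage 1 iprev - wait 3 seconds instead of the default 5 (udp) or 10 (tcp) seconds
+
+## shot2
+
+_second shot for Feb 2020_
+
+- stage 1 iprev - better ip address splitting with ip??? instead of x?? x???? files
+- stage 2 smtp gets done against ALL PTRs, not only IPREV hosts
+- stage 2 smtp - timeout 1m+5s, yes that is slow bug some nasty mxen like to play that way and we wouldn't like to discard them (see Postfix Postscreen Howto)
+
+The order is as follows
+
+- stage 1 iprev - look for PTR vs IPREV resolving hosts
+- stage 2 smtp -
+
+## shot1
+
+_initial version, for Jan 2020_
+
+The order was as follows
+
+- mass seek of 25/tcp & raw split into x?? x???? (no uniq nor ip field)
+- checkiprev - ptr/iprev check into separate .ptr files
+- checksan - san check into .nossl .nocert .validcn .wrongcn
+- checkvalid - verify check into .validcn.return
+- (then came the problem of dealing with DANE/TLSA records, we needed to lookup true MX records to start with, hence the need for domains to start with)
+- checkdomains - domains/ - deferencing domain names
+- checkmx - domains/mx/ - got mx record?
+- checkssl - domains/mx/dane/ - valid cert? looking for 'Cipher is|Verify return code' against mx records
+  * .ssl
+  * .ssl.issuer
+  * .ssl.cipher
+- checkdane - valid dane?
+  * .dane $NF notlsa // timeout // ...
+  * .dane.results
+  * .dane.weird
+- checksmtp - starttls enforced?
+  * stdout .starttls full session
+  * stderr .starttls.enforce $NF connect-bad-dns // ...
+- count.ksh - parsing results and producing stats
+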
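--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -88,11 +88,21 @@
     git clone git://git.openssl.org/openssl.git
     cd openssl/
     patch -p1 < ../openssl-shut.patch
-    ./config --openssldir=/usr/local
+
+    removepkg openssl
+    #keep openssl-solibs as the whole system depends on it
+    mv /etc/ssl/ /etc/ssl.old/
+
+    ./config --openssldir=/etc/ssl
+    #perl configdata.pm --dump
     time make -j8 >/dev/null && echo BUILT
     time make -j8 install >/dev/null && echo INSTALLED
-    grep /usr/local /etc/ld.so.conf
+    ls -lF /usr/local/lib64/libssl.so
+    ls -lF /usr/local/lib64/libcrypto.so
+    ls -lF /usr/local/include/openssl/aes.h
+    #cat /etc/ld.so.conf
     ldconfig
+    update-ca-certificates
 
 ## VALID CN/SAN CHECK
 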
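Review bot: The removed `grep /usr/local /etc/ld.so.conf` was the only step that confirmed `/usr/local/lib64` is on the loader path, and the new `ls -lF` lines only prove the files were installed, not that they are the libraries the system will actually load; because `openssl-solibs` is deliberately kept, a stale system libssl could keep being picked up without anyone noticing. I would turn the commented-out `#cat /etc/ld.so.conf` into a check that runs after `ldconfig`, e.g. `ldconfig -p | grep -F libssl.so` and `openssl version -a` to confirm the reported `OPENSSLDIR` is `/etc/ssl`. Since `mv /etc/ssl/ /etc/ssl.old/` empties the configured openssldir before `make install`, a one-line comment stating that the CA store is expected to be recreated by `update-ca-certificates` (and that the certificate checks below fail if it was not) would make the intent of that sequence clear.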
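--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -101,11 +111,15 @@
 
 ## CERTIFICATE CHECK
 
-Grab the [latest concatenated Mozilla CA bundle](https://curl.haxx.se/docs/caextract.html). As for the bundle dating 2020/01/01, hash is `adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f`.
+Grab the [latest concatenated Mozilla CA bundle](https://curl.haxx.se/docs/caextract.html)
 
-    curl -s --remote-name --time-cond - https://curl.haxx.se/ca/cacert.pem && echo done || echo FAIL
-    sha256sum cacert.pem
+    cd /etc/ssl/
+    curl -s --remote-name --time-cond - https://curl.haxx.se/ca/cacert.pem
+    sha256sum cacert.pem | tee -a cacert.pem.sha2
 
+    #2020/01/01
+    #adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f cacert.pem
+
 Now make sure you're in position to validate certificates.
 
 ehlo=YOUR-IPREV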
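Review bot: The CA bundle is no longer verified against a known-good value: `sha256sum cacert.pem | tee -a cacert.pem.sha2` records whatever hash the downloaded file happens to have, the reference hash has moved into a comment that nothing compares against, and the `&& echo done || echo FAIL` on the removed `curl` line is gone, so a failed or truncated download silently feeds the certificate checks that follow. I would keep the pinned hash as data and check against it, e.g. `curl -sf --remote-name --time-cond - https://curl.haxx.se/ca/cacert.pem || echo FAIL` followed by `echo 'adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f  cacert.pem' | sha256sum -c -`, updating that line each time a newer bundle is fetched and its hash confirmed from the publisher's page. If the `tee -a` is meant to keep a history of bundle hashes rather than to verify, a short comment saying so would stop readers from mistaking it for a check.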