Thursday, December 31, 2020

Test website SSL with Windows PowerShell

How to test a website SSL certificate with Windows PowerShell





#-----------------------------------------------
#  Test Website SSL Certificate
#  by: Larry Billinghurst
#  date: 31 Dec 2020
#-----------------------------------------------

# Example:   .\test-ssl.ps1 -SiteURL https://dmv.utah.gov -ReportFile "C:\support\temp99.txt"


param(
    [parameter()]
    [string]$SiteURL = "https://www.facebook.com",
    [string]$ReportFile = $env:TEMP + "\sslreport.txt"
    )

$TempCerFile = $env:TEMP + "\sslchecktemp.cer"
$tempReportFile = "sslreport.txt"

#------------------------- Functions

function Get-WebsiteCertificate {
  [CmdletBinding()]
  param (
    [Parameter(Mandatory=$true)] [System.Uri]
      $Uri,
    [Parameter()] [System.IO.FileInfo]
      $OutputFile,
    [Parameter()] [Switch]
      $UseSystemProxy,  
    [Parameter()] [Switch]
      $UseDefaultCredentials,
    [Parameter()] [Switch]
      $TrustAllCertificates
  )
  try {
    $request = [System.Net.WebRequest]::Create($Uri)
    if ($UseSystemProxy) {
      $request.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    }

    if ($UseSystemProxy -and $UseDefaultCredentials) {
      $request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    }

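    if ($TrustAllCertificates) {
      # NOTE: ServicePointManager.CertificatePolicy is process-wide, so this turns off
      # certificate validation for every later request in the same PowerShell session.
      # Create a compilation environment
      $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider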
      $Params=New-Object System.CodeDom.Compiler.CompilerParameters
      $Params.GenerateExecutable=$False
      $Params.GenerateInMemory=$True
      $Params.IncludeDebugInformation=$False
      $Params.ReferencedAssemblies.Add("System.DLL") > $null
      $TASource=@'
        namespace Local.ToolkitExtensions.Net.CertificatePolicy {
          public class TrustAll : System.Net.ICertificatePolicy {
            public TrustAll() { 
            }
            public bool CheckValidationResult(System.Net.ServicePoint sp,
              System.Security.Cryptography.X509Certificates.X509Certificate cert, 
              System.Net.WebRequest req, int problem) {
              return true;
            }
          }
        }
'@ 
      $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
      $TAAssembly=$TAResults.CompiledAssembly

      ## We now create an instance of the TrustAll and attach it to the ServicePointManager
      $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
      [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
    }

    $response = $request.GetResponse()
    $servicePoint = $request.ServicePoint
    $certificate = $servicePoint.Certificate
    $response.Close()   # release the connection once the certificate is captured

    if ($OutputFile) {
      $certBytes = $certificate.Export(
          [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
        )
      [System.IO.File]::WriteAllBytes($OutputFile.FullName, $certBytes)
      $OutputFile.Refresh()
      return $OutputFile
    } else {
      return $certificate
    }
  } catch {
    Write-Error "Failed to get website certificate. The error was '$_'."
    return $null
  }

  <#
    .SYNOPSIS
      Retrieves the certificate used by a website.

    .DESCRIPTION
      Retrieves the certificate used by a website. Returns either an object or file.

    .PARAMETER  Uri
      The URL of the website. This should start with https.

    .PARAMETER  OutputFile
      Specifies what file to save the certificate as.

    .PARAMETER  UseSystemProxy
      Whether or not to use the system proxy settings.

    .PARAMETER  UseDefaultCredentials
      Whether or not to use the system logon credentials for the proxy.

    .PARAMETER  TrustAllCertificates
      Ignore certificate errors for certificates that are expired, have a mismatched common name or are self signed.

    .EXAMPLE
      PS C:\> Get-WebsiteCertificate "https://www.gmail.com" -UseSystemProxy -UseDefaultCredentials -TrustAllCertificates -OutputFile C:\gmail.cer

    .INPUTS
      Does not accept pipeline input.

    .OUTPUTS
      System.Security.Cryptography.X509Certificates.X509Certificate, System.IO.FileInfo
  #>
}


#-------------------- Main 


#Get Website SSL certificate and save to temp file
Get-WebsiteCertificate -Uri $SiteURL -OutputFile $TempCerFile
# Check certificate
Write-Host
Write-Host "------------------------- SSL Report -------------------------"
Write-Host
certutil -f -urlfetch -verify $TempCerFile |Tee-Object $ReportFile


# Remove Report file if not requested
if ($tempReportFile -eq ($ReportFile|Split-Path -Leaf)) {Remove-Item $ReportFile}

# Remove Temp Cert File
Remove-Item $TempCerFile




Monday, December 21, 2020

Export SonicWALL config to text

Needed a way to export the SonicWALL config file to plain text.


It did not work correctly with Python3.

PS C:\support\fw> python.exe .\parser2.py .\sonicwall-NSA_2600.exp
  File ".\parser2.py", line 454
    print ""
          ^

I found the 2to3.exe tool in the Python tools directory.
 
C:\Users\"user-name"\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\Scripts

Made a copy of the file
copy C:\temp\parser2.py C:\temp\parser2-3.py

Ran the tool
.\2to3.exe C:\temp\parser2-3.py -w


After converting with the 2to3.exe tool, I still received an error

python.exe .\parser2-3.py .\sonicwall-NSA_2600.exp

Traceback (most recent call last):
  File ".\parser2-3.py", line 14, in <module>
    decoded_data =  decoded_data.split("&")
TypeError: a bytes-like object is required, not 'str'


A little research found we needed to convert the bytes-like object to a string
decoded_data = decoded_data.decode(encoding="utf-8")  # Python 3

After the update the parser worked without issue.
python.exe .\parser3.py .\sonicwall-NSA_2600.exp  >test.txt

I posted the updated files on GitHub
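
The bytes-versus-str fix above, as an added example (not the parser from this post or its GitHub files). It assumes the export is base64 text that decodes to `&`-separated, URL-encoded `key=value` pairs; the sample input, the key names and the sensitive-key hints are all constructed.

```python
import base64
from urllib.parse import unquote

# Hypothetical key substrings treated as sensitive; adjust to the real export.
SENSITIVE_HINTS = ("pass", "secret", "psk")


def build_sample_export():
    """Constructed sample input, not a real SonicWALL export."""
    body = "buildNum=1234&addrObjId_0=LAN%20Subnet&userPass_0=hunter2&"
    return base64.b64encode(body.encode("utf-8"))


def python2_style_split(raw_export):
    """The pattern that broke: b64decode() returns bytes on Python 3."""
    decoded_data = base64.b64decode(raw_export)
    return decoded_data.split("&")  # TypeError: bytes split with a str separator


def parse_export(raw_export):
    """Decode to str first, then split into a dict of settings."""
    decoded_data = base64.b64decode(raw_export)
    decoded_data = decoded_data.decode(encoding="utf-8", errors="replace")
    settings = {}
    for pair in decoded_data.split("&"):
        if not pair:  # skip empty fields such as a trailing "&"
            continue
        key, _, value = pair.partition("=")
        settings[unquote(key)] = unquote(value)
    return settings


def redact(settings):
    """Mask values whose key looks sensitive before writing plain text."""
    return {
        key: "<redacted>" if any(h in key.lower() for h in SENSITIVE_HINTS) else value
        for key, value in settings.items()
    }


if __name__ == "__main__":
    sample = build_sample_export()
    try:
        python2_style_split(sample)
    except TypeError as exc:
        print("Python 2 style code fails:", exc)
    for key, value in redact(parse_export(sample)).items():
        print(f"{key} = {value}")
```

Redacting before redirecting the output to a file such as test.txt keeps any credentials in the decoded config out of the plain-text copy.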