#!/usr/bin/env sh
set -eo pipefail
# Trust On First Use (TOFU) for TLS certificates.
#
# If the configured host's certificate chain does not verify against the
# existing CA bundle, the chain the host presents is appended to that bundle;
# afterwards the remaining command-line arguments are handed to `sh -c`.
#
# NOTE(review): `set -o pipefail` (and a few constructs further down) are not
# part of every /bin/sh — busybox ash and bash accept them; confirm the
# target image's sh before relying on this under a strictly POSIX shell.
#
# Environment (every variable may be overridden by the caller):
#
# "true" enables the TOFU step; any other value skips it
: "${TLS_TOFU:=true}"
# Host whose certificate chain is probed
: "${TLS_TOFU_HOST:=google.com}"
# TCP port on that host
: "${TLS_TOFU_PORT:=443}"
# Extra options for `openssl s_client` (SNI for the host by default)
: "${TLS_TOFU_S_CLIENT_ARGS:=-servername ${TLS_TOFU_HOST}}"
# Path to the kamikaze binary
: "${TLS_TOFU_KAMIKAZE_BIN:=/kamikaze}"
# CA bundle that receives the trusted-on-first-use chain
: "${TLS_TOFU_CA_CERTIFICATES:=/etc/ssl/certs/ca-certificates.crt}"
# "true" turns on shell tracing (`set -x`)
: "${TLS_TOFU_DEBUG:=false}"
#
# Derived values
#
# Whitespace-separated option list shared by both s_client invocations; it is
# expanded unquoted later on purpose, so the shell splits it into words.
S_CLIENT_ARGS="-connect ${TLS_TOFU_HOST}:${TLS_TOFU_PORT} ${TLS_TOFU_S_CLIENT_ARGS}"
# Where the fetched chain is echoed for the operator to see; falls back to
# /dev/null when there is no controlling terminal.
if ! TTY="$(tty)"; then
  TTY=/dev/null
fi
# Ensure that the kamikaze binary is destroyed when we exit
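# destroy_kamikaze: trigger removal of the kamikaze binary if it is still
# present and executable. A no-op once the binary is gone, which is what makes
# it safe to run from both the EXIT trap and the explicit call before exec.
# Globals:  TLS_TOFU_KAMIKAZE_BIN (read)
# Returns:  exit status of the kamikaze invocation, or 0 when the binary is
#           absent or not executable
# NOTE(review): `kamikaze true` is assumed to make the binary delete itself —
# confirm against the kamikaze documentation.
# Written with POSIX function syntax: the `function` keyword is a bash
# extension and the shebang selects sh.
destroy_kamikaze() {
  if [ -x "${TLS_TOFU_KAMIKAZE_BIN}" ]; then
    "${TLS_TOFU_KAMIKAZE_BIN}" true
  fi
}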
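# Remove the kamikaze binary on every exit path; the explicit call before the
# final exec below covers the case where the EXIT trap does not fire.
trap destroy_kamikaze EXIT
[ "${TLS_TOFU_DEBUG}" = "true" ] && set -x
if [ "${TLS_TOFU}" = "true" ]; then
  # First connection: verification enforced (-verify_return_error makes a
  # verification failure fatal). Only when this fails is anything installed.
  # Redirections are in POSIX form: `&>/dev/null` is a bash extension that a
  # strictly POSIX sh reads as `&` (background) followed by `>/dev/null`,
  # which would change the outcome of this test.
  # S_CLIENT_ARGS is expanded unquoted on purpose: it is a whitespace-
  # separated option list and sh has no arrays.
  if ! openssl s_client -verify_return_error ${S_CLIENT_ARGS} >/dev/null 2>&1 </dev/null; then
    # Second connection: dump the chain the peer presents, echo it to the
    # terminal for the operator, keep the PEM blocks and append them to the
    # CA bundle through kamikaze.
    #
    # Trust scope to be aware of: every certificate printed by -showcerts
    # (leaf and any intermediates) is appended, the bundle is the system-wide
    # one, so the added trust is not limited to TLS_TOFU_HOST; this second
    # connection is not itself verified, so the chain it returns is trusted
    # as-is; and any verification error on the first connection (unknown
    # issuer, expiry, ...) leads here, not only an unknown issuer.
    openssl s_client -showcerts ${S_CLIENT_ARGS} 2>/dev/null </dev/null \
      | tee "${TTY}" \
      | sed -n '/-----BEGIN/,/-----END/p' \
      | "${TLS_TOFU_KAMIKAZE_BIN}" tee -a "${TLS_TOFU_CA_CERTIFICATES}" >/dev/null
  fi
fi
destroy_kamikaze
# Hand over to the requested command. The arguments are joined with spaces and
# re-parsed by sh, so shell syntax inside them is interpreted and they must
# come from a trusted caller; with no arguments this runs an empty command.
exec sh -c "${*}"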