Add TLS Checker

Author: narbehaj

README.md

@@ -93,6 +93,7 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
 		Valid from: 2019-09-06
 		Valid to: 2020-10-06 (78 days left)
 		Validity days: 396
+		TLS Version: TLS 1.2
 		Certificate valid: True
 		Certificate S/N: 20641318859548253362475798736742284477
 		Certificate SHA1 FP: D5:CE:1B:77:AB:59:C9:BE:37:58:0F:5D:73:97:64:98:C4:3E:43:30
@@ -112,6 +113,7 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
 		Valid from: 2020-05-05
 		Valid to: 2022-05-10 (659 days left)
 		Validity days: 735
+		TLS Version: TLS 1.2
 		Certificate valid: True
 		Certificate S/N: 7101927171473588541993819712332065657
 		Certificate SHA1 FP: 5F:3F:7A:C2:56:9F:50:A4:66:76:47:C6:A1:8C:A0:07:AA:ED:BB:8E
@@ -158,6 +160,7 @@ narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9
 		Valid from: 2020-05-14
 		Valid to: 2020-08-05 (16 days left)
 		Validity days: 83
+		TLS Version: TLS 1.2
 		Certificate valid: True
 		Certificate S/N: 19351530099991824979726880175805235719
 		Certificate SHA1 FP: 89:7F:54:63:61:34:2F:7E:B4:B5:68:E2:92:79:D2:98:B4:97:D8:EA
@@ -216,6 +219,7 @@ Warning: -a/--analyze is enabled. It takes more time...
 		Valid from: 2018-04-21
 		Valid to: 2018-07-20 (88 days left)
 		Validity days: 90
+		TLS Version: TLS 1.2
 		Certificate S/N: 338163108483756707389368573553026254634358
 		Certificate version: 2
 		Certificate algorithm: sha256WithRSAEncryption

ssl_checker.py

@@ -41,19 +41,37 @@ def get_cert(self, host, port, socks_host=None, socks_port=None):
             socket.socket = socks.socksocket
 
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        osobj = SSL.Context(SSL.TLSv1_2_METHOD)
         sock.settimeout(5)
         sock.connect((host, int(port)))
         sock.settimeout(None)
-        oscon = SSL.Connection(osobj, sock)
-        oscon.set_tlsext_host_name(host.encode())
-        oscon.set_connect_state()
-        oscon.do_handshake()
-        cert = oscon.get_peer_certificate()
-        resolved_ip = socket.gethostbyname(host)
-        sock.close()
-
-        return cert, resolved_ip
+        
+        # Try different TLS versions in order of preference (newest to oldest)
+        tls_methods = [
+            (SSL.TLSv1_2_METHOD, "TLS 1.2"),  # TLS 1.2
+            (SSL.TLSv1_1_METHOD, "TLS 1.1"),  # TLS 1.1
+            (SSL.TLSv1_METHOD, "TLS 1.0"),    # TLS 1.0
+        ]
+        
+        for tls_method, tls_version in tls_methods:
+            try:
+                osobj = SSL.Context(tls_method)
+                oscon = SSL.Connection(osobj, sock)
+                oscon.set_tlsext_host_name(host.encode())
+                oscon.set_connect_state()
+                oscon.do_handshake()
+                cert = oscon.get_peer_certificate()
+                resolved_ip = socket.gethostbyname(host)
+                sock.close()
+                return cert, resolved_ip, tls_version
+            except SSL.SysCallError as e:
+                # If this TLS version fails, try the next one
+                continue
+            except Exception as e:
+                # For other exceptions, try the next TLS version
+                continue
+        
+        # If all TLS versions fail, raise the last exception
+        raise SSL.SysCallError("Failed to establish SSL connection with any supported TLS version")
 
     def border_msg(self, message):
         """Print the message in the box."""
@@ -122,14 +140,15 @@ def get_cert_sans(self, x509cert):
         san = san.replace(',', ';')
         return san
 
-    def get_cert_info(self, host, cert, resolved_ip):
+    def get_cert_info(self, host, cert, resolved_ip, tls_version=None):
         """Get all the information about cert and create a JSON file."""
         context = {}
 
         cert_subject = cert.get_subject()
 
         context['host'] = host
         context['resolved_ip'] = resolved_ip
+        context['tls_version'] = tls_version
         context['issued_to'] = cert_subject.CN
         context['issued_o'] = cert_subject.O
         context['issuer_c'] = cert.get_issuer().countryName
@@ -186,6 +205,7 @@ def print_status(self, host, context, analyze=False):
         print('\t\tValid from: {}'.format(context[host]['valid_from']))
         print('\t\tValid to: {} ({} days left)'.format(context[host]['valid_till'], context[host]['valid_days_to_expire']))
         print('\t\tValidity days: {}'.format(context[host]['validity_days']))
+        print('\t\tTLS Version: {}'.format(context[host]['tls_version']))
         print('\t\tCertificate valid: {}'.format(context[host]['cert_valid']))
         print('\t\tCertificate S/N: {}'.format(context[host]['cert_sn']))
         print('\t\tCertificate SHA1 FP: {}'.format(context[host]['cert_sha1']))
@@ -238,11 +258,11 @@ def show_result(self, user_args):
                         print('{}Socks proxy enabled, connecting via proxy{}\n'.format(Clr.YELLOW, Clr.RST))
 
                     socks_host, socks_port = self.filter_hostname(user_args.socks)
-                    cert, resolved_ip = self.get_cert(host, port, socks_host, socks_port)
+                    cert, resolved_ip, tls_version = self.get_cert(host, port, socks_host, socks_port)
                 else:
-                    cert, resolved_ip = self.get_cert(host, port)
+                    cert, resolved_ip, tls_version = self.get_cert(host, port)
 
-                context[host] = self.get_cert_info(host, cert, resolved_ip)
+                context[host] = self.get_cert_info(host, cert, resolved_ip, tls_version)
                 context[host]['tcp_port'] = int(port)
 
                 # Analyze the certificate if enabled