From b579ea5b2d278302a249b3650eec836896cdccb2 Mon Sep 17 00:00:00 2001
From: Luke Bratch
Date: Thu, 19 Dec 2019 10:13:42 +0000
Subject: Add a timeout wrapper to the initial OpenSSL to deal with bad hosts.
---
 certexpiry.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/certexpiry.sh b/certexpiry.sh
index aafd57b..d564a5f 100755
--- a/certexpiry.sh
+++ b/certexpiry.sh
@@ -6,6 +6,8 @@ set -euo pipefail
 WARNSECONDS=1209600 # Two weeks
 # File containing a newline separated list of host:port combinations to be checked
 HOSTSANDPORTS="hostsandports.txt"
+# Number of seconds before OpenSSL should timeout when connecting to hosts
+TIMEOUT=10
 # ==== Variables ====
 # Loop through all host:port combinations
@@ -45,7 +47,7 @@ while read -r HOSTANDPORT ; do
 fi
 set +e
 # Get the "Not After" field for the certificate expiry
-EXPIRYSTRING=$(echo "Q" | openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null | openssl x509 -noout -text 2> /dev/null | grep "Not After" | sed -r 's/\s*Not After : //')
+EXPIRYSTRING=$(echo "Q" | timeout "$TIMEOUT" openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null | openssl x509 -noout -text 2> /dev/null | grep "Not After" | sed -r 's/\s*Not After : //')
 RETCODE="$?"
 set -e
 done
-- cgit v1.2.3
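Review bot: The timeout status is lost on the rewritten EXPIRYSTRING line: under `set -o pipefail` the value captured into RETCODE is the status of the rightmost failing stage, and when `timeout` kills s_client with exit 124 the empty stream makes `openssl x509` and `grep` fail too, so RETCODE ends up identical to that of a host that simply served no certificate. A slow or unreachable host is therefore handled exactly like a parse failure by whatever follows the hunk, and an operator cannot distinguish a monitoring blind spot from an expired-cert result. I would fetch the certificate in its own substitution, capture that status, and warn on 124 before parsing; RETCODE keeps its current meaning because an empty fetch still fails the parse pipeline. `timeout` is GNU coreutils rather than POSIX, which deserves a one-line comment next to the new `TIMEOUT=10` in the first hunk. The enclosing `while read -r HOSTANDPORT` loop begins outside the hunk.
```shell
      # Fetch the certificate on its own so the connect/timeout status is not masked by the parse stages
      CERTTEXT=$(echo "Q" | timeout "$TIMEOUT" openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null)
      CONNECTRC="$?"
      if [ "$CONNECTRC" -eq 124 ] ; then
        echo "Timed out after ${TIMEOUT}s connecting to $HOST:$PORT" >&2
      fi
      # Get the "Not After" field for the certificate expiry
      EXPIRYSTRING=$(printf '%s\n' "$CERTTEXT" | openssl x509 -noout -text 2> /dev/null | grep "Not After" | sed -r 's/\s*Not After : //')
      RETCODE="$?"
      # … unchanged: set -e and loop end …
```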