| Source | Link |
|---|---|
| tools | www.tools.ietf.org/html/rfc5280 |
#TRUSTED 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
#TRUST-RSA-SHA256 25e068603a5a76f2c1519db1e2fb78adb1f32706f4cbf8189ddcd85811c545fcc4e85febca0aac266385e9d01ccbc0d103db1c1efb8abcdc011ac669bfdf655d3ad7e95b0770b793447d9c119f4659950680a1605e950203c81bf6490a4921abcc1a0d7e349f85e8e8513b622e59c8995986b10b7533a59ff73e9b461ce4151196ed2a169a0ed9452a3be5d9189d393ddb87fa3fc730580b74840654b8b7df7db9a5b9e6c4f48dc40ce01f3abf531287b0ce009fa27e2a70e233fca750d6e4a0127445e2c3c277a3c05091cc12e7ce63963565a345b54d8feaf89fc6c5174471f47ebc95121b3ca819129a1974aa156b189c08eeec78e0a2721f667d0765e5b969c057d30de6b0714537d78ff9470fd1bbc96a01387f6b97363a96db4cc3dde0688219f7f2a25f15d62a985032e73e7fb1b64c629655bd727bf6174b5374bb702b12e5482135286adf2edc0af39f39f056637a84bff41722378c4b3e253da39dc99040c724e513283b85fe41062826f39874ba2416bf880049e9d10680afe1f9e858edf305413e85fe76d20deefcb5e1f45f9d76c70196c611824228bbe2c5f201fa7fd0dbd070d71d26486a3f584b0cc11d3b417cac5f8268c6fea3b37a8aace3bed24bf2c0a53d3aaebea55cb7599d46abaec2c612ce9ebc1c41d1a5b7b0993867b8c81cf6dd63fbd78d5366ba8f850c8ad5a05c74e032de3ebcd5a4ad4504
#%NASL_MIN_LEVEL 5200
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Description mode: when the `description` flag is set, this block only
# registers the plugin's metadata (ID, version, name, report texts, category,
# family) and then exits, so none of the check logic below it runs.
# NOTE(review): the file header carries #TRUSTED / #TRUST-RSA-SHA256 lines,
# presumably a signature over the plugin text. If so, a locally edited copy
# would no longer match it; confirm before modifying.
if(description)
{
# Plugin ID. The body passes the same ID to is_plugin_enabled(), so the two
# values must stay in sync.
script_id(72459);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/16");
script_name(english:"Certificate Revocation List Expiry");
script_summary(english:"Checks if any CRLs have expired.");
script_set_attribute(attribute:"synopsis", value:"The Certificate Revocation List has expired.");
script_set_attribute(attribute:"description", value:
"The X.509 Certificate Revocation List (CRL) has not been updated, and
is currently past its self-reported expiry date. This indicates that
the CRL may be misconfigured.");
script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/rfc5280");
script_set_attribute(attribute:"solution", value:
"Check the Certificate Authority's CRL configuration and the system
clock.");
# Informational finding: the risk factor is "None", and the body reports with
# level:0.
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_END_REPORT category. Per the comment in the body, a script in this
# category is run by the scheduler regardless of the policy, which is why the
# body re-checks is_plugin_enabled() itself.
script_category(ACT_END_REPORT);
script_family(english:"General");
script_copyright(english:"This script is Copyright (C) 2014-2025 Tenable Network Security, Inc.");
# Registers the "disable SSL-based service tests" setting as an exclude key
# (presumably so the scheduler can skip the plugin; confirm). The body reads
# the same KB item again before doing any work.
script_exclude_keys("global_settings/disable_test_ssl_based_services");
exit(0);
}
include("datetime.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");
include("x509_func.inc");
# Gate 1: honour the user's choice to skip SSL-based service tests. When that
# KB setting is present the script exits with code 1 and an explanatory message.
if(get_kb_item("global_settings/disable_test_ssl_based_services"))
exit(1, "Not testing SSL based services per user config.");
# Gate 2: check that this script is enabled. Due to its category, the
# scheduler runs this script regardless of the policy, so the policy has
# to be enforced manually here. The plugin_id must match script_id() above.
if(!is_plugin_enabled(script_family:"General", plugin_id:72459))
exit(0, "This plugin was not enabled by the policy.");
# Gate 3: explicit opt-in for CRL checking.
# This script connects to external hosts, *arbitrary* hosts, pulled
# from an X.509 extension, which anyone who generates a self-signed
# certificate can make point anywhere. So we need to be absolutely
# sure the user wants us to continue.
# The helper presumably terminates the script when the global KB key is unset
# (its name suggests so; confirm in the include that defines it).
# NOTE(review): the code after this gate only reads CRL details from the
# global KB and makes no network call itself, so the fetch presumably happens
# in another plugin. Confirm that the other plugin enforces the same opt-in
# before contacting a certificate-supplied URL.
get_global_kb_item_or_exit("global_settings/enable_crl_checking");
# Walk the CRL records stored in the global KB (host -> port -> certificate)
# and emit one consolidated informational report per host/port for every CRL
# whose recorded expiry date is no longer in the future.
#
# NOTE(review): URL, Issuer and Subject are copied into the report verbatim.
# They presumably originate from certificate / CRL data supplied by the
# scanned or contacted hosts, so anything that renders or parses these reports
# should treat the values as untrusted text. Confirm where the KB entries are
# sanitised, if at all.
hosts = get_global_kb_list("SSL/CRL/Host");
if(isnull(hosts))
{
  exit(0, "No hosts were found in the global KB.");
}
hosts = list_uniq(make_list(hosts));

foreach var host (hosts)
{
  ports = get_global_kb_list("SSL/CRL/" + host);
  if(!isnull(ports))
  {
    ports = list_uniq(make_list(ports));

    foreach var port (ports)
    {
      kb = "SSL/CRL/" + host + "/" + port;
      certs = get_global_kb_list(kb);
      if(!isnull(certs))
      {
        # De-duplicated and sorted so the report order is stable.
        certs = list_uniq(sort(make_list(certs)));

        # All findings for this host/port end up in one report.
        findings = make_list();

        foreach var cert (certs)
        {
          cert_kb = kb + "/" + cert;

          # The KB reads are kept in their original order; the expiry value
          # is only fetched once the four mandatory fields are present.
          url = get_global_kb_item(cert_kb + "/URL");
          subj = get_global_kb_item(cert_kb + "/Subject");
          issuer = get_global_kb_item(cert_kb + "/Issuer");
          this_update = get_global_kb_item(cert_kb + "/ThisUpdate");

          if(!isnull(url) && !isnull(subj) && !isnull(issuer) && !isnull(this_update))
          {
            next_update = get_global_kb_item(cert_kb + "/Expiry");

            # date_cmp() presumably compares the given date with the current
            # time and is negative while that date is still ahead (confirm
            # in the include that defines it). Only a non-negative result is
            # reported. NOTE(review): the scanner's own clock is therefore
            # part of the verdict.
            if(!isnull(next_update) && !(date_cmp(next_update) < 0))
            {
              entry =
                '\nThe CRL below was found to be past its self-reported expiry date :' +
                '\n' +
                '\n URL : ' + url +
                '\n Issuer : ' + issuer +
                '\n Subject : ' + subj +
                '\n Date of Issue : ' + this_update +
                '\n Date of Expiry : ' + next_update +
                '\n';
              findings = make_list(findings, entry);
            }
          }
        }

        # Stay silent for ports where no CRL was found to be expired.
        if(max_index(findings) != 0)
        {
          security_report(host:host, port:port, level:0, extra:join(findings, sep:'\n'));
        }
      }
    }
  }
}