Pierre-Olivier Mercier
90f1b4943f
Generic SRV records checker for happyDomain.
For each SRV record attached to an svcs.UnknownSRV service, the checker
resolves every target and probes reachability:
- DNS resolution (A/AAAA), CNAME detection (RFC 2782 violation),
null-target detection (RFC 2782 "service explicitly unavailable")
- TCP connect to target:port for _tcp SRVs
- UDP probe for _udp SRVs, using ICMP port-unreachable detection
The checker also publishes TLS endpoints (host, port, SNI) for every
SRV target hitting a well-known direct-TLS port (443, 465, 636, 853,
993, 995, 5061, 5223, …) via the EndpointDiscoverer SDK interface, so
a downstream TLS checker can pick them up.
The HTML report groups records as cards and surfaces the most common
failure scenarios (DNS failure, CNAME target, TCP unreachable,
null-target) at the top with remediation guidance.
124 lines
4.2 KiB
Go
124 lines
4.2 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
//
|
|
// This program is offered under a commercial and under the AGPL license.
|
|
// For commercial licensing, contact us at <contact@happydomain.org>.
|
|
//
|
|
// For AGPL licensing:
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package checker
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
tlsct "git.happydns.org/checker-tls/contract"
|
|
)
|
|
|
|
// Matching on the service name is more authoritative than matching on the
|
|
// port: port 636 could carry anything, but _ldaps._tcp unambiguously
|
|
// designates LDAP over TLS, even on a non-standard port.
|
|
var directTLSServices = map[string]bool{
|
|
"https": true,
|
|
"ftps": true, // FTPS implicit
|
|
"smtps": true, // SMTP over TLS (legacy port 465 semantics)
|
|
"submissions": true, // RFC 8314: SMTP submission over TLS
|
|
"imaps": true,
|
|
"pop3s": true,
|
|
"nntps": true,
|
|
"ircs": true,
|
|
"telnets": true,
|
|
"ldaps": true,
|
|
"sips": true,
|
|
"ipps": true, // IPP over TLS (printing)
|
|
"xmpps-client": true, // XMPP client over direct TLS
|
|
"xmpps-server": true, // XMPP server-to-server over direct TLS
|
|
"mqtts": true,
|
|
"coaps": true,
|
|
"stuns": true,
|
|
"turns": true,
|
|
}
|
|
|
|
type starttlsSpec struct {
|
|
// When two SRV services share the same wire upgrade (submission/smtp both do
|
|
// ESMTP STARTTLS), Proto is the canonical one agreed with checker-tls/contract.
|
|
Proto string
|
|
|
|
// Required is false for opportunistic STARTTLS (e.g. SMTP on port 25, s2s XMPP).
|
|
// The consumer uses this to pick severity when the server does not advertise STARTTLS.
|
|
Required bool
|
|
}
|
|
|
|
// Proto values follow the tls.endpoint.v1 contract's vocabulary; the SDK
|
|
// itself has no opinion on these values, they belong to checker-tls.
|
|
var starttlsServices = map[string]starttlsSpec{
|
|
"submission": {"smtp", true}, // RFC 8314: STARTTLS required
|
|
"smtp": {"smtp", false}, // port 25: opportunistic
|
|
"imap": {"imap", true},
|
|
"pop3": {"pop3", true},
|
|
"xmpp-client": {"xmpp-client", true}, // RFC 7590
|
|
"xmpp-server": {"xmpp-server", false}, // s2s: opportunistic
|
|
"ldap": {"ldap", false},
|
|
"nntp": {"nntp", false},
|
|
"ftp": {"ftp", false},
|
|
"sieve": {"sieve", true},
|
|
"postgresql": {"postgres", false},
|
|
}
|
|
|
|
// DiscoverEntries publishes tls.endpoint.v1 entries for known TLS/STARTTLS services.
|
|
// Unknown service names produce no entries: we lean on the SRV naming
|
|
// convention rather than guessing from the port, since a port alone
|
|
// conveys no protocol semantics.
|
|
func (p *srvProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
|
|
d, ok := data.(*SRVData)
|
|
if !ok {
|
|
return nil, fmt.Errorf("unexpected data type %T", data)
|
|
}
|
|
var out []sdk.DiscoveryEntry
|
|
for _, r := range d.Records {
|
|
if r.IsNullTarget || r.Target == "" {
|
|
continue
|
|
}
|
|
|
|
if directTLSServices[r.Service] {
|
|
e, err := tlsct.NewEntry(tlsct.TLSEndpoint{
|
|
Host: r.Target,
|
|
Port: r.Port,
|
|
SNI: r.Target,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("build tls entry for %s:%d: %w", r.Target, r.Port, err)
|
|
}
|
|
out = append(out, e)
|
|
continue
|
|
}
|
|
|
|
if spec, ok := starttlsServices[r.Service]; ok {
|
|
e, err := tlsct.NewEntry(tlsct.TLSEndpoint{
|
|
Host: r.Target,
|
|
Port: r.Port,
|
|
SNI: r.Target,
|
|
STARTTLS: spec.Proto,
|
|
RequireSTARTTLS: spec.Required,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("build starttls entry for %s:%d: %w", r.Target, r.Port, err)
|
|
}
|
|
out = append(out, e)
|
|
}
|
|
}
|
|
return out, nil
|
|
}
|