On Tue, Nov 10, 2015, at 08:19, J.C. Cleaver wrote:
On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
Hi,
xymon would never be fast enough implementing checks against current ssl
vulnerabilities
ssllabs does provide a webservice API for thorough SSL checking which can
be accessed from xymon quite easily
Agreed. xymonnet isn't doing a deep examination of the response, and isn't testing against a matrix of possibilities. A few simple things might be able to be added as a simple "httpcipher=" sort of thing, but our 'http' syntax is already rather scarily overloaded and I'm not sure it's quite the best solution there.
On 09.11.2015 at 22:24, Mark Felder <user-db141d317836@xymon.invalid> wrote:
On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
Hi there,
I am testing a site in Xymon that is testing OK, but throws an SSL error in the browser. Wondering why that was, I looked at the certificate for the site... it doesn't match the domain name of the site that's serving it, which causes the browser to display an SSL error. I was expecting Xymon to do the same. Apparently Xymon doesn't check to make sure the certificate matches the URL.
Xymon doesn't check the chain of trust or validate the hostname of the certificate. It will gladly tell you if it expires, though :)
It would be nice to teach Xymon to validate the certificate more thoroughly.
I thought this had sounded familiar, and it turns out I had written a small test for this back in the day.
I cleaned up a little of the bit-rot and updated the script at
https://wiki.xymonton.org/doku.php/monitors:sslname.sh
This should do an okay job at CN validation to solve the original problem, and handles wildcards as well (although it's a bit too eager and will accept wildcards for further subdomains, which is invalid). It should be rewritten to perform just a single, mass 'xymondboard' query before it's used at large sites or on heavily loaded xymond servers, however.
HTH,
-jc
You can just yank a couple of subroutines out of testssl.sh and you'll be in better shape. It will cover certificates that are unreadable, revoked, chain incomplete, self-signed, expired, not yet valid, etc.
https://github.com/drwetter/testssl.sh
--
Mark Felder
user-db141d317836@xymon.invalid
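The hostname check the thread is about, with the wildcard rule that the sslname.sh script gets wrong (a wildcard must cover exactly one label), written out as an added example. This is not the sslname.sh or testssl.sh code referenced above; it works on the dict shape that Python's ssl.getpeercert() returns, using a constructed sample certificate, and the check_live helper (a name assumed here) shows the short path a monitor could take by letting the standard library do the chain-of-trust and hostname verification that Xymon is said to lack.

```python
"""Certificate hostname validation for a TLS monitor check (added example).

Two independent pieces:
  * name_matches / hostname_matches: RFC 6125-style matching of the names a
    certificate carries (subjectAltName dNSName entries, else the CN) against
    the host being monitored, with a wildcard limited to exactly one label.
  * check_live: lets Python's ssl module do chain and hostname verification,
    which is the short path to covering what the thread says Xymon lacks.
"""
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def cert_names(cert):
    """DNS names the certificate claims. SAN dNSName entries take precedence;
    the subject CN is consulted only when no SAN DNS entries exist."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Rules applied (the strict reading of RFC 6125 section 6.4.3):
      - comparison is case-insensitive, trailing dots are ignored
      - a wildcard must be the entire leftmost label ("*.example.com")
      - a wildcard matches exactly one label, so "*.example.com" matches
        neither "a.b.example.com" nor the bare "example.com"
      - at least two labels must follow the wildcard (no "*.com")
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                      # "*.com" would cover a whole TLD
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False                      # wildcard covers one label only
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert, hostname):
    """True if any name on the certificate is valid for hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def check_live(host, port=443, timeout=5.0):
    """Connect and let the standard library verify chain of trust and hostname.

    Returns (True, peer_cert_dict) or (False, reason). ssl.create_default_context()
    enables check_hostname and CERT_REQUIRED against the system trust store.
    Needs network access, so it is not exercised by the offline checks below.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except (ssl.SSLCertVerificationError, ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "a.b.example.com", "example.com"):
        status = "ok" if hostname_matches(SAMPLE_CERT, host) else "MISMATCH"
        print(f"{host:20s} {status}")
```

In a real check the dict handed to hostname_matches would be the one check_live returns, and a Xymon client script would report the column red on a mismatch or on a failed check_live, the same way sslname.sh reports a CN mismatch.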