Xymon Mailing List Archive

Feature request: being able to use client certificates for network tests (NOT http)

Bruce Ferrell
Wed, 20 Mar 2019 21:43:10 -0700
Message-Id: <user-8fff5b7987f9@xymon.invalid>

On 3/19/19 3:49 AM, SebA wrote:

    On Mon, 18 Mar 2019 at 23:36, Bruce Ferrell <user-24fbf1912cfe@xymon.invalid> wrote:

        On 3/18/19 11:25 AM, SebA wrote:

            I want to be able to test a TLS service that uses server and client certificates, and the only way seems to be with http, but this is not an http(s) service. It would need to be configurable in protocols.cfg or some other way in hosts.cfg. I tried pretending it was https and it says 'SSL error' in the test output. It doesn't create the sslcert column either, or I could just disable the https test and still get the certificate monitoring, which is what I wanted most anyway.

            Kind regards,

            SebA

        What does the openssl s_client test do?

            openssl s_client -connect <host:port>

    Hi Bruce,

    When the certificate is expired the result on openssl-1.0.2k-12.109.amzn1.x86_64 (the local server) is:
        Verify return code: 10 (certificate has expired)
    However, the result on openssl-1.0.2k-12.el7.x86_64 (on the Xymon server) is:
        Verify return code: 20 (unable to get local issuer certificate)

    Once the certificate is renewed the result on both versions is:
        Verify return code: 0 (ok)

    Kind regards,

    SebA
That's intriguing enough I did some poking at the issue. I found some possibilities:

This error can happen if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.

and

another possible solution is by passing path to a directory where CA keys are stored. i.e.

    openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

Some systems pre-populate the CA keystore with a package called something like ca-certificates and if that's not loaded adding a CApath parameter will still fail.

I'm not very surprised the sslcert column isn't created though. Based on looking at my sslcert column, I think the https test is looking for web server header responses to go along with the certificate test and your service may not be sending those.

I suspect you may need to craft a custom test in a script, but that shouldn't be too bad.
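The custom script test suggested at the end of the thread, written out as an added example (this is not code from Xymon or from either poster). It drives `openssl s_client` with a client certificate and the `-CApath` trick discussed above, turns the `Verify return code` line into a Xymon colour, and uses `openssl x509 -checkend` to go yellow before the certificate expires. The host, port, certificate paths, `WARN_DAYS` and the `tlscert` column name are hypothetical placeholders; `$XYMON`, `$XYMSRV` and `$MACHINEDOTS` are assumed to be the usual environment of a Xymon ext script, and when they are absent the status line is just printed.

```shell
#!/bin/sh
# Custom Xymon-style TLS check for a service that requires a client certificate.
# Added example for this thread, not code from Xymon or from either poster.
# Host, port, certificate paths and the column name are hypothetical placeholders.
TARGET_HOST="${TARGET_HOST:-tls-service.example.invalid}"
TARGET_PORT="${TARGET_PORT:-8443}"
CLIENT_CERT="${CLIENT_CERT:-/etc/xymon/client-cert.pem}"   # hypothetical path
CLIENT_KEY="${CLIENT_KEY:-/etc/xymon/client-key.pem}"      # hypothetical path
CA_PATH="${CA_PATH:-/etc/ssl/certs}"                       # the -CApath tip from the thread
WARN_DAYS="${WARN_DAYS:-30}"
COLUMN="${COLUMN:-tlscert}"                                # hypothetical column name

# Pull the numeric "Verify return code" out of s_client output; empty when the
# handshake never got far enough to print one (connection refused, TLS alert).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Pull the PEM blocks out of "s_client -showcerts" output. The first block is the
# server's own (leaf) certificate, which is the one "openssl x509" reads.
server_cert_pem() {
    printf '%s\n' "$1" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Xymon colour: green only when verification succeeded and the certificate is
# not about to expire; any non-zero (or missing) verify code is red.
status_colour() {
    code="$1"      # verify return code, or "" if absent
    expiring="$2"  # "yes" when the leaf certificate expires within WARN_DAYS
    if [ "$code" = 0 ]; then
        if [ "$expiring" = yes ]; then echo yellow; else echo green; fi
    else
        echo red
    fi
}

# Short explanation for the codes seen in the thread, so the status page says
# whether the problem is the remote certificate or the local trust store.
code_hint() {
    case "$1" in
        0)  echo "verification ok" ;;
        10) echo "certificate has expired" ;;
        20) echo "unable to get local issuer certificate (check CApath / ca-certificates)" ;;
        "") echo "no verify result: handshake failed" ;;
        *)  echo "verify return code $1" ;;
    esac
}

# Live check: connect with the client certificate and emit one Xymon status message.
run_check() {
    out=$(openssl s_client -connect "$TARGET_HOST:$TARGET_PORT" \
              -cert "$CLIENT_CERT" -key "$CLIENT_KEY" -CApath "$CA_PATH" \
              -showcerts </dev/null 2>&1) || true    # s_client exits non-zero on failure
    code=$(verify_code "$out")
    expiring=no
    if [ "$code" = 0 ]; then
        # "x509 -checkend N" exits non-zero if the certificate expires within N seconds
        server_cert_pem "$out" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1 \
            || expiring=yes
    fi
    colour=$(status_colour "$code" "$expiring")
    msg="status ${MACHINEDOTS:-$TARGET_HOST}.$COLUMN $colour $(date)
$TARGET_HOST:$TARGET_PORT - $(code_hint "$code"); expires within $WARN_DAYS days: $expiring"
    if [ -n "$XYMON" ] && [ -n "$XYMSRV" ]; then
        "$XYMON" "$XYMSRV" "$msg"   # inside a Xymon ext script: report to the server
    else
        printf '%s\n' "$msg"        # run by hand: just print the status
    fi
}

# Only contact the service when invoked as "script run", so the helpers can be
# exercised on canned s_client output without any network side effect.
if [ "${1:-}" = run ]; then
    run_check
fi
```

Run it as `sh tlscert-check.sh run` from the Xymon ext script directory; the verify code is taken from the same `Verify return code` line SebA quoted, so a code 20 on the Xymon server and a 10 on the local box will show up as distinct red messages rather than a generic SSL error.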
