Xymon Mailing List Archive

SSL cert testing to match common name with host/URL?

list Japheth Cleaver
Wed, 16 Jun 2010 11:45:56 -0700
Message-Id: <user-d40e080a3c9a@xymon.invalid>

-----Original Message-----
From: Buchan Milne [mailto:user-9b139aff4dec@xymon.invalid]
Sent: Wednesday, June 16, 2010 1:05 AM
To: user-ae9b8668bcde@xymon.invalid
Cc: Cleaver, Japheth
Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?

On Tuesday, 15 June 2010 19:55:24 Cleaver, Japheth wrote:
> I've been adding testing of https URLs into our system and noticed that
> while the expiration date checking is nice, Xymon doesn't seem to be
> testing the common name at all for validity (in the manner that a
> browser might).

But, surely this isn't something you need to monitor? I mean, if you update a
cert, you'll check it yourself (also to ensure that your client software has
the relevant CA cert etc. etc.).

Regards,
Buchan

O how I wish that were the case :). Actually, part of this is discovery. We have a lot of secure sites using different certs and with virtualhosts forwarding through load-balancers and HTTPS-HTTP or HTTP-HTTPS gateways. I'd like for Xymon to be able to catch unintended consequences when a virtual host suddenly ends up giving out the right content (that's checked for elsewhere) but the wrong credentials.

Like I said, it's not a huge requirement since I can build the check externally; just more of a nice-to-have if the data is available in the context of the built-in check.

Regards,
-jc
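
An added example, not part of the original thread and not Xymon code: a sketch of the kind of external check discussed above, comparing the names in a served certificate with the hostname that was requested. The function names, the sample certificate and the green/red mapping are assumptions made for illustration.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a browser would compare against: SAN dNSName entries,
    falling back to subject commonName only when no SAN dNSName exists."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost
    label of a name with at least three labels, and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def check_name(cert, host):
    """Return (color, text); the colors follow Xymon's green/red convention."""
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return "green", f"certificate names {names} cover {host}"
    return "red", f"certificate names {names} do not cover {host}"

def fetch_cert(host, port=443, timeout=10):
    """Fetch the served certificate as a dict. The chain is still verified;
    only the built-in hostname check is disabled, so a name mismatch is
    reported by check_name() instead of raised during the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout: the certificate a virtual
# host might hand out when it is answering for the wrong site.
SAMPLE = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}

if __name__ == "__main__":
    for h in ("shop.example.com", "img.cdn.example.com", "intranet.example.com"):
        print(h, *check_name(SAMPLE, h))
```

Against a live site, `check_name(fetch_cert(host), host)` yields the color and text for one host; a certificate that fails chain validation raises `ssl.SSLError` in `fetch_cert` and would need its own handling.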