Xymon Mailing List Archive

SSL cert testing to match common name with host/URL?

list Japheth Cleaver
Tue, 15 Jun 2010 17:59:55 -0700
Message-Id: <user-a6d9deedd1cb@xymon.invalid>

-----Original Message-----
From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: Tuesday, June 15, 2010 4:03 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?

I don't recall anyone else mentioning this as a problem. A fairly easy workaround would be to
roll your own check. For example, this:

     curl -v https://mail.google.com

returns:

     * Server certificate:
     *        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
     *        start date: 2009-12-18 00:00:00 GMT
     *        expire date: 2011-12-18 23:59:59 GMT
     *        common name: mail.google.com (matched)
     *        issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
     *        SSL certificate verify ok.
     GET / HTTP/1.1
among other things.  It wouldn't be too hard to grep out "common name" from that and go from there.
If there's anything hinky about the cert, curl will return an error.  If you use the "-k" option,
it'll ignore the error and give you the page along with info about what was wrong.

Ralph Mitchell

Yeah, I was resigned to setting up a new test in the short-term, at least.

Still, I think it merits being a configurable option for the built-in SSL check. I think a lot more people would be interested in the matching of the common name than, say, encryption bit level, since most user clients will throw a warning if there's a mismatch. =/


Regards,

JC
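The curl-and-grep workaround Ralph outlines, worked into a script as an added example; this is not code from either poster or from Xymon. It assumes the 2010-era curl verbose format quoted above, where a "common name: ... (matched)" line appears in the "Server certificate" block (newer curl releases print a subjectAltName line instead). The two sample outputs are constructed, the mismatch wording is an approximation of what curl -k reports, and the function names are my own.

```shell
#!/bin/sh
# Parse the "Server certificate" block that curl -v prints and decide
# whether the certificate's common name matched the host we asked for.
# Assumes the curl output format quoted in the thread (common name line
# with "(matched)"); newer curl prints a subjectAltName line instead.

# Constructed sample, adapted from the output quoted in the thread.
SAMPLE_OK='* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
*        start date: 2009-12-18 00:00:00 GMT
*        expire date: 2011-12-18 23:59:59 GMT
*        common name: mail.google.com (matched)
*        issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
*        SSL certificate verify ok.'

# Constructed sample of a name mismatch as curl -k would keep going and
# report it; the exact wording is an approximation.
SAMPLE_MISMATCH="* Server certificate:
*        subject: C=US; O=Example Corp; CN=www.example.com
*        start date: 2009-12-18 00:00:00 GMT
*        expire date: 2011-12-18 23:59:59 GMT
*        common name: www.example.com (does not match 'mail.example.com')
*        issuer: C=US; O=Example CA
*        SSL certificate verify ok."

# fetch_cert_info HOST: run the real check against a live host.
# curl writes the verbose block to stderr, so merge it into stdout and
# discard the page body. Needs network; not called at top level.
fetch_cert_info() {
    curl -sv -k -o /dev/null "https://$1/" 2>&1
}

# cert_cn OUTPUT: print the CN reported on the "common name:" line.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^\*[[:space:]]*common name: \([^ ]*\) .*/\1/p'
}

# cert_expiry OUTPUT: print the "expire date:" value verbatim.
cert_expiry() {
    printf '%s\n' "$1" | sed -n 's/^\*[[:space:]]*expire date: \(.*\)$/\1/p'
}

# cn_matched OUTPUT HOST: exit 0 only when curl said "(matched)" AND the
# CN equals HOST (case-insensitive). Both conditions are required so a
# stray "(matched)" for some other name does not pass.
cn_matched() {
    out=$1
    host=$2
    line=$(printf '%s\n' "$out" | grep '^\*[[:space:]]*common name:')
    [ -n "$line" ] || return 1
    case "$line" in
        *"(matched)"*) ;;
        *) return 1 ;;
    esac
    cn=$(cert_cn "$out" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    [ "$cn" = "$want" ]
}

# check_host_cert HOST OUTPUT: print a Xymon-style colour for the test.
check_host_cert() {
    if cn_matched "$2" "$1"; then
        echo "green"
    else
        echo "red"
    fi
}

# Stand-alone run over the constructed samples.
echo "mail.google.com: $(check_host_cert mail.google.com "$SAMPLE_OK") (CN $(cert_cn "$SAMPLE_OK"), expires $(cert_expiry "$SAMPLE_OK"))"
echo "mail.example.com: $(check_host_cert mail.example.com "$SAMPLE_MISMATCH") (CN $(cert_cn "$SAMPLE_MISMATCH"))"
```

To turn this into an external test, a wrapper would call fetch_cert_info for each host and hand the colour and the CN/expiry text to Xymon's status-reporting command; that plumbing is left out here. Note that -k is used only so the certificate block is still printed on a mismatch; the decision comes from cn_matched, not from curl's exit status.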