Xymon Mailing List Archive search

Feature request: being able to use client certificates for network tests (NOT http)

4 messages in this thread

list Sebastian Auriol · Mon, 18 Mar 2019 18:25:40 +0000 ·
I want to be able to test a TLS service that uses server and client
certificates, and the only way seems to be with http, but this is not an
http(s) service.  It would need to be configurable in protocols.cfg or some
other way in hosts.cfg.  I tried pretending it was https and it says 'SSL
error' in the test output.  It doesn't create the sslcert column either, or
I could just disable the https test and still get the certificate
monitoring, which is what I wanted most anyway.

Kind regards,

SebA
list Bruce Ferrell · Mon, 18 Mar 2019 16:36:31 -0700 ·
quoted from Sebastian Auriol
On 3/18/19 11:25 AM, SebA wrote:
I want to be able to test a TLS service that uses server and client certificates, and the only way seems to be with http, but this is not an http(s) service.  It would need to be 
configurable in protocols.cfg or some other way in hosts.cfg. I tried pretending it was https and it says 'SSL error' in the test output.  It doesn't create the sslcert column 
either, or I could just disable the https test and still get the certificate monitoring, which is what I wanted most anyway.

Kind regards,

SebA

What does the openssl s_client test do?

openssl s_client -connect <host:port>
list Sebastian Auriol · Tue, 19 Mar 2019 10:49:49 +0000 ·
quoted from Bruce Ferrell
On Mon, 18 Mar 2019 at 23:36, Bruce Ferrell <user-24fbf1912cfe@xymon.invalid> wrote:
On 3/18/19 11:25 AM, SebA wrote:
I want to be able to test a TLS service that uses server and client
certificates, and the only way seems to be with http, but this is not an
http(s) service.  It would need to be
configurable in protocols.cfg or some other way in hosts.cfg. I tried
pretending it was https and it says 'SSL error' in the test output.  It
doesn't create the sslcert column
either, or I could just disable the https test and still get the
certificate monitoring, which is what I wanted most anyway.

Kind regards,

SebA
What does the openssl s_client test do?

openssl s_client -connect <host:port>


Hi Bruce,
When the certificate is expired the result on
openssl-1.0.2k-12.109.amzn1.x86_64 (the local server) is:
    Verify return code: 10 (certificate has expired)
However, the result on openssl-1.0.2k-12.el7.x86_64 (on the Xymon server)
is:
    Verify return code: 20 (unable to get local issuer certificate)

Once the certificate is renewed the result on both versions is:
    Verify return code: 0 (ok)

Kind regards,

SebA
list Bruce Ferrell · Wed, 20 Mar 2019 21:43:10 -0700 ·
quoted from Sebastian Auriol
On 3/19/19 3:49 AM, SebA wrote:
On Mon, 18 Mar 2019 at 23:36, Bruce Ferrell <user-24fbf1912cfe@xymon.invalid> wrote:

    On 3/18/19 11:25 AM, SebA wrote:
I want to be able to test a TLS service that uses server and client certificates, and the only way seems to be with http, but this is not an http(s) service.  It would need
    to be
configurable in protocols.cfg or some other way in hosts.cfg. I tried pretending it was https and it says 'SSL error' in the test output.  It doesn't create the sslcert column
either, or I could just disable the https test and still get the certificate monitoring, which is what I wanted most anyway.

Kind regards,

SebA
    What does the openssl s_client test do?

    openssl s_client -connect <host:port>


Hi Bruce,

When the certificate is expired the result on openssl-1.0.2k-12.109.amzn1.x86_64 (the local server) is:
    Verify return code: 10 (certificate has expired)
However, the result on openssl-1.0.2k-12.el7.x86_64 (on the Xymon server) is:
    Verify return code: 20 (unable to get local issuer certificate)

Once the certificate is renewed the result on both versions is:
    Verify return code: 0 (ok)

Kind regards,

SebA
That's intriguing enough that I did some poking at the issue.  I found some possibilities:

This error can happen if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.

and

another possible solution is by passing path to a directory where CA keys are stored.  i.e.

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

Some systems pre-populate the CA keystore with a package called something like ca-certificates and if that's not loaded adding a CApath parameter will still fail.

I'm not very surprised the sslcert column isn't created though. Based on looking at my sslcert column, I think the https test is looking for web server header responses to go along with the certificate test and your service may not be sending those.

I suspect you may need to craft a custom test in a script, but that shouldn't be too bad.

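The scripted custom test Bruce suggests, written out as an added example (not Xymon's own code and not from this thread): it runs openssl s_client with the client certificate and an explicit CA file, so the verdict does not depend on the Xymon server's local trust store, and maps the "Verify return code" values seen above to a Xymon colour. The host, port, file paths and the column name tlscert are assumptions.

```shell
#!/bin/sh
# Added example (not Xymon's own code): custom ext test for a non-HTTP TLS
# service that needs a client certificate. Host, port, paths, "tlscert" assumed.
HOST="${1:-tls.example.invalid}"                    # placeholder host
PORT="${2:-8443}"                                   # assumed port
CLIENT_CERT="${CLIENT_CERT:-/etc/xymon/client.pem}" # assumed path
CLIENT_KEY="${CLIENT_KEY:-/etc/xymon/client.key}"   # assumed path
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-bundle.crt}"  # assumed path
WARN_DAYS="${WARN_DAYS:-30}"
COLUMN="tlscert"

# Handshake with the client certificate and an explicit CA bundle, so the
# verdict does not depend on the Xymon server's default trust store.
fetch_tls() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" \
        -cert "$CLIENT_CERT" -key "$CLIENT_KEY" -CAfile "$CA_FILE" \
        </dev/null 2>/dev/null
}
# Numeric "Verify return code" from s_client output on stdin (empty if absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}
# Whole days between two epoch timestamps (notAfter, now); <= 0 after expiry.
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}
# Xymon colour from verify code and remaining lifetime: 0 = ok, 10 = expired,
# 20 = unable to get local issuer certificate (tester trust store, not service).
status_colour() {
    case "$1" in
        0)  if [ "$2" -lt "$WARN_DAYS" ]; then echo yellow; else echo green; fi ;;
        20) echo yellow ;;
        *)  echo red ;;
    esac
}

main() {
    out=$(fetch_tls)
    code=$(printf '%s\n' "$out" | verify_code); [ -n "$code" ] || code=99
    # notAfter of the leaf certificate; "date -d" assumes GNU date
    end=$(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    days=$(days_between "$(date -d "$end" +%s 2>/dev/null || echo 0)" "$(date +%s)")
    colour=$(status_colour "$code" "$days")
    machine=$(printf '%s' "$HOST" | tr . ,)   # Xymon writes host dots as commas
    "${XYMON:-xymon}" "${XYMSRV:-127.0.0.1}" \
        "status $machine.$COLUMN $colour $(date) verify=$code days_left=$days"
}
case "${0##*/}" in tlscert.sh) main "$@" ;; esac   # run only as installed script
```

Installed as tlscert.sh under the Xymon ext directory and listed in tasks.cfg, it reports a code 20 as yellow rather than red because that code points at the tester's own CA store, as the two openssl builds above showed.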