<p dir="ltr">Resending because it didn't go to the mailing list. I don't remember why it was deemed a good idea not to direct replies to the list by default. I wonder how many conversations have "gone off list" like this without the participants noticing??</p>
<p dir="ltr">Ralph Mitchell </p>
<div class="gmail_quote">---------- Forwarded message ----------<br>From: "Ralph Mitchell" <<a href="mailto:ralphmitchell@gmail.com">ralphmitchell@gmail.com</a>><br>Date: Apr 16, 2014 7:23 AM<br>Subject: Re: [Xymon] Subject: Re: SSL OCSP monitoring<br>
To: "Steff Watkins" <<a href="mailto:s.watkins@nhm.ac.uk">s.watkins@nhm.ac.uk</a>><br>Cc: <br><br type="attribution"><div dir="ltr">OCSP is a little different to expiry - it's for checking that the certificate has not been revoked. Say you have some kind of national ID card with certificate and key issued by a nationwide trusted entity. You could use it to access banking and health services, sign documents, encrypt email, etc. If the card is lost or stolen, you call it in, the certificate is revoked and they send you a new one.<div>
<br></div><div>If the stolen card is subsequently used to try to gain access to your bank account, the bank calls an OCSP responder to validate the card and then rejects it. Clients, such as web browsers, can do the same to check if server certificates have been revoked before trusting them.<div>
<div><br></div><div>I'm not sure what anyone would gain from testing revocation status, given that you're generally monitoring certs on your own network and servers.</div><div><br></div><div>Ralph Mitchell</div>
<div><br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 16, 2014 at 5:40 AM, Steff Watkins <span dir="ltr"><<a href="mailto:s.watkins@nhm.ac.uk" target="_blank">s.watkins@nhm.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> Hi,<br>
><br>
> Can we monitor SSL certificate's revoke status ?<br>
><br>
> Thanks,<br>
> Deepak<br>
<br>
Hello Deepak,<br>
<br>
Not sure if this is what you're after but I've found a way of getting Xymon to give yellow alerts when the SSL certificate on a webserver has 30 days (or less) until expiry, and red alerts on 14 days (or less).<br>
<br>
The first part is to give a secure URL in the comment section of the host definition in the hosts.cfg file, such as:<br>
<br>
192.168.12.12 www # conn ssh <a href="http://www" target="_blank">http://www</a>. <a href="http://yabadabadoo.blah.uk/" target="_blank">yabadabadoo.blah.uk/</a> <a href="https://yabadabadoo.blah.uk/" target="_blank">https://yabadabadoo.blah.uk/</a><br>
<br>
This tells Xymon to check the secure HTTP instance on, in this case, <a href="http://www.yabadabadoo.blah.uk" target="_blank">www.yabadabadoo.blah.uk</a> . So it picks up the SSL certificate and reports on its presence. This should create an "sslcert" column on your Xymon display. You can view the retrieved certificate in that column.<br>
<br>
However the next step is needed if you wanted alerts raised when an SSL certificate is getting near expiry date.<br>
<br>
In the tasks.cfg file you need to setup a clause to force the system to raise a warning if the SSL certificate gets near expiry date. I have done this by adding the "sslwarn" and "sslalarm" options to the definition for xymonnet.<br>
<br>
The actual definition I am using is shown below:<br>
<br>
-----<br>
[xymonnet]<br>
ENVFILE /usr/local/hobbit/server/etc/xymonserver.cfg<br>
NEEDS xymond<br>
CMD xymonnet --no-ares --report --ping --checkresponse --sslwarn=30 --sslalarm=14 '--dnslog=/var/log/xymon/dns.log' '--concurrency=5' '--debug' '--dump=both'<br>
LOGFILE $XYMONSERVERLOGS/xymonnet.log<br>
INTERVAL 5m<br>
-----<br>
<br>
As you can see I have '-sslwarn=30' which causes the sslcert column for a host to go yellow when the SSL certificate for that host has 30 days or less until expiry. The '--sslalarm=14' raises the alert level to red when there is 14 days or less until the SSL certificate's expiry date.<br>
<br>
I have this running in a live environment at the moment and can confirm that it does work. I'm fairly sure that you should be able to use this sort of setup for testing the revocation dates of SSL certificates for other protocols, such as secure smtp.<br>
<br>
Hope this helps.<br>
<br>
Regards,<br>
Steff Watkins<br>
-----<br>
Steff Watkins Natural History Museum, Cromwell Road, London,SW75BD<br>
Systems programmer Email: <a href="mailto:s.watkins@nhm.ac.uk" target="_blank">s.watkins@nhm.ac.uk</a><br>
Systems Team Phone: <a href="tel:%2B44%20%280%2920%207942%206000" value="+442079426000" target="_blank">+44 (0)20 7942 6000</a> opt 2<br>
========<br>
"Many were increasingly of the opinion that they'd all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans." - HHGTTG<br>
<br>
<br>
<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
</blockquote></div><br></div>
</div>