[hobbit] SSL cert testing to match common name with host/URL?
Cleaver, Japheth
jcleaver at soe.sony.com
Wed Jun 16 02:59:55 CEST 2010
> -----Original Message-----
> From: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
> Sent: Tuesday, June 15, 2010 4:03 PM
> To: hobbit at hswn.dk
> Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?
>
> I don't recall anyone else mentioning this as a problem. A fairly easy workaround would be to
> roll your own check. For example, this:
>
> curl -v https://mail.google.com
>
> returns:
>
> * Server certificate:
> * subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
> * start date: 2009-12-18 00:00:00 GMT
> * expire date: 2011-12-18 23:59:59 GMT
> * common name: mail.google.com (matched)
> * issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
> * SSL certificate verify ok.
> > GET / HTTP/1.1
>
> among other things. It wouldn't be too hard to grep out "common name" from that and go from there.
> If there's anything hinky about the cert, curl will return an error. If you use the "-k" option,
> it'll ignore the error and give you the page along with info about what was wrong.
>
> Ralph Mitchell
Yeah, I was resigned to setting up a new test in the short-term, at least.
Still, I think it merits being a configurable option for the built-in SSL check. I think a lot more people would be interested in the matching of the common name than, say, encryption bit level, since most user clients will throw a warning if there's a mismatch. =/
Regards,
JC
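The "roll your own check" that Ralph suggests, written out as a small Xymon/hobbit-style external test. This is an added example, not code from either poster or from the Xymon project: it does the same name matching that curl reports as "common name: ... (matched)", i.e. it compares the hostname being tested against the certificate's dNSName SANs (falling back to the subject CN only when the certificate has no SANs, as browsers do) with a single leftmost-label wildcard. The sample certificate dicts are constructed to mirror the subject fields shown in the quoted curl output; `check_host`, `fetch_cert` and the colour convention are this example's own choices.

```python
"""Hostname-vs-certificate matching check in the style of a hand-rolled
Xymon/hobbit external test (added example, not part of the original thread)."""
import socket
import ssl
import sys


def _name_matches(pattern, hostname):
    """Match one certificate name (CN or dNSName SAN) against a hostname.

    Case-insensitive. A leading '*.' wildcard matches exactly one label and
    never the bare domain: '*.example.test' matches 'www.example.test' but
    not 'example.test' and not 'a.b.example.test'. Wildcards anywhere else
    are rejected, which is stricter than some older clients but safe.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client is allowed to match, from a dict in the layout that
    ssl.SSLSocket.getpeercert() returns: all DNS SANs if any exist, otherwise
    the subject commonName (the CN is ignored once SANs are present)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert, hostname):
    """True if any allowed certificate name matches the tested hostname."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def check_host(hostname, cert):
    """Return (colour, message) in Xymon's green/red convention for one host."""
    names = cert_names(cert) or ["<no CN or SAN in certificate>"]
    if hostname_matches(cert, hostname):
        return "green", "%s: certificate name matches (%s)" % (hostname, ", ".join(names))
    return "red", "%s: certificate name MISMATCH, cert is for %s" % (hostname, ", ".join(names))


def fetch_cert(hostname, port=443, timeout=10):
    """Fetch the peer certificate dict over a chain-verified TLS connection.

    check_hostname is turned off only so that a mismatched name is *reported*
    by check_host() instead of aborting the handshake; chain verification
    (CERT_REQUIRED against the system trust store) stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certs (not real certificate data). The first mirrors the
# subject shown in the quoted curl output and, like certs of that era, has no
# SAN; the second has a wildcard SAN and a CN that must be ignored.
CERT_CN_ONLY = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "Mountain View"),),
        (("organizationName", "Google Inc"),),
        (("commonName", "mail.google.com"),),
    ),
}
CERT_WILDCARD_SAN = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"),),
}


if __name__ == "__main__":
    # Usage: python check_cn.py <hostname>  (network access required)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.google.com"
    colour, message = check_host(target, fetch_cert(target))
    print("status %s.sslname %s %s" % (target.replace(".", ","), colour, message))
```

The status line at the bottom follows the usual shape of a Xymon external test (the column name `sslname` is this example's own); feed it to the server with the `xymon`/`bb` client the same way as any other custom test.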