[hobbit] SSL cert testing to match common name with host/URL?

Cleaver, Japheth jcleaver at soe.sony.com
Wed Jun 16 20:45:56 CEST 2010



> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at staff.telkomsa.net]
> Sent: Wednesday, June 16, 2010 1:05 AM
> To: hobbit at hswn.dk
> Cc: Cleaver, Japheth
> Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?
> 
> On Tuesday, 15 June 2010 19:55:24 Cleaver, Japheth wrote:
> > I've been adding testing of https URLs into our system and noticed that
> >  while the expiration date checking is nice, Xymon doesn't seem to be
> >  testing the common name at all for validity (in the manner that a
> >  browser might).
> 
> But, surely this isn't something you need to monitor? I mean, if you update a
> cert, you'll check it yourself (also to ensure that your client software has
> the relevant CA cert etc. etc.).
> 
> Regards,
> Buchan

O how I wish that were the case :). Actually, part of this is discovery. We have a lot of secure sites using different certs and with virtualhosts forwarding through load-balancers and HTTPS-HTTP or HTTP-HTTPS gateways. I'd like for Xymon to be able to catch unintended consequences when a virtual host suddenly ends up giving out the right content (that's checked for elsewhere) but the wrong credentials.

Like I said, it's not a huge requirement since I can build the check externally; just more of a nice-to-have if the data is available in the context of the built-in check.

Regards,
-jc
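
The external check mentioned in the message above could be built along the following lines; this is an added example, not part of the original post and not Xymon's own code. It assumes certificates arrive as dicts in the shape Python's ssl.SSLSocket.getpeercert() returns; the function names and the sample certificates are constructed for illustration.

```python
# Added example: function names and sample certificates are constructed.
def cert_names(cert):
    """Return the DNS names a certificate is valid for.

    subjectAltName dNSName entries take precedence; the subject
    commonName is consulted only when no dNSName entry is present.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one non-empty label and must be
        # followed by at least two more labels.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def check_vhost(host, cert):
    """Return (colour, message) for one virtual host: 'green' or 'red'."""
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return "green", f"{host}: certificate name OK"
    return "red", f"{host}: certificate is for {', '.join(names) or 'no name'}"


# Constructed certificates, as two different virtual hosts might present them.
WILDCARD = {"subject": ((("commonName", "legacy.example.net"),),),
            "subjectAltName": (("DNS", "*.shop.example.com"),)}
CN_ONLY = {"subject": ((("commonName", "www.example.org"),),)}

if __name__ == "__main__":
    for host, cert in [("pay.shop.example.com", WILDCARD),
                       ("shop.example.com", WILDCARD),
                       ("intranet.example.org", CN_ONLY)]:
        print(*check_vhost(host, cert))
```

When feeding this from a live connection, note that getpeercert() returns a populated dict only if the certificate was validated during the handshake; with verification disabled it returns an empty dict.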

