[hobbit] SSL cert testing to match common name with host/URL?
Cleaver, Japheth
jcleaver at soe.sony.com
Wed Jun 16 20:45:56 CEST 2010
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at staff.telkomsa.net]
> Sent: Wednesday, June 16, 2010 1:05 AM
> To: hobbit at hswn.dk
> Cc: Cleaver, Japheth
> Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?
>
> On Tuesday, 15 June 2010 19:55:24 Cleaver, Japheth wrote:
> > I've been adding testing of https URLs into our system and noticed that
> > while the expiration date checking is nice, Xymon doesn't seem to be
> > checking the common name at all for validity (in the manner that a
> > browser might).
>
> But, surely this isn't something you need to monitor? I mean, if you update a
> cert, you'll check it yourself (also to ensure that your client software has
> the relevant CA cert etc. etc.).
>
> Regards,
> Buchan
O how I wish that were the case :). Actually, part of this is discovery. We have a lot of secure sites using different certs and with virtualhosts forwarding through load-balancers and HTTPS-HTTP or HTTP-HTTPS gateways. I'd like for Xymon to be able to catch unintended consequences when a virtual host suddenly ends up giving out the right content (that's checked for elsewhere) but the wrong credentials.
Like I said, it's not a huge requirement since I can build the check externally; just more of a nice-to-have if the data is available in the context of the built-in check.
Regards,
-jc
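
One way to build the external check mentioned above, as an added example that is not part of the original message or of Xymon: it compares the names in a served certificate with the host name a test expects. The function names, the green/red result and the sample certificates are assumptions constructed for the illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, addr=None):
    """Fetch the certificate served for `host` (sent as SNI), optionally via one
    load-balancer address. Chain is verified; the name check is left to us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((addr or host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names a client would check: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.com'-style patterns
    return p == h

def check_vhost(host, cert):
    """Return (color, text): green if any certificate name covers `host`."""
    names = cert_names(cert)
    ok = any(name_matches(n, host) for n in names)
    verdict = "matches" if ok else "does NOT match"
    return ("green" if ok else "red", f"{host} {verdict} certificate names {names}")

# Constructed samples in the dict shape returned by getpeercert()
CERT_SHOP = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}
CERT_LEGACY = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for host, cert in [("shop.example.com", CERT_SHOP),
                       ("billing.example.com", CERT_SHOP),
                       ("legacy.example.com", CERT_LEGACY)]:
        print(*check_vhost(host, cert))
```

Against a live site, pass the result of `fetch_cert(host, addr=...)` to `check_vhost` once per virtual host and front-end address, so a host that returns the right content with another site's certificate shows up as red.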