[Xymon] SSL Certificate test failure

Mark Felder feld at feld.me
Tue Nov 10 15:43:29 CET 2015



On Tue, Nov 10, 2015, at 08:19, J.C. Cleaver wrote:
> On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
> > Hi,
> >
> > xymon would never be fast enough implementing checks against current ssl
> > vulnerabilities
> >
> > ssllabs does provide a webservice API for thorough SSL checking which can
> > be accessed from xymon quite easily
> >
> 
> Agreed. xymonnet isn't doing a deep examination of the response, and
> isn't testing against a matrix of possibilities. A few simple things
> might be able to be added as a simple "httpcipher=" sort of thing, but
> our 'http' syntax is already rather scarily overloaded and I'm not sure
> it's quite the best solution there.
> 
> 
> >
> >> Am 09.11.2015 um 22:24 schrieb Mark Felder <feld at feld.me>:
> >> On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
> >>> Hi there,
> >>>
> >>> I am testing a site in Xymon that is testing OK, but throws an SSL
> >>> error in the browser.  Wondering why that was, I looked at the
> >>> certificate for the site... it doesn't match the domain name of the
> >>> site that's serving it, which causes the browser to display an SSL
> >>> error.  I was expecting Xymon to do the same.  Apparently Xymon
> >>> doesn't check to make sure the certificate matches the URL.
> >>>
> >>
> >> Xymon doesn't check the chain of trust or validate the hostname of the
> >> certificate. It will gladly tell you if it expires, though :)
> >>
> >> It would be nice to teach Xymon to validate the certificate more
> >> thoroughly.
> >>
> 
> 
> I thought this had sounded familiar, and it turns out I had written a
> small test for this back in the day.
> 
> I cleaned up a little of the bit-rot and updated the script at
> https://wiki.xymonton.org/doku.php/monitors:sslname.sh
> 
> This should do an okay job at CN validation to solve the original
> problem, and handles wildcards as well (although it's a bit too eager
> and will accept wildcards for further subdomains, which is invalid). It
> should be rewritten to perform just a single, mass 'xymondboard' query
> before it's used at large sites or on heavily loaded xymond servers,
> however.
> 
> HTH,
> -jc
> 

You can just yank a couple subroutines out of testssl.sh and you'll be
in better shape. It will cover certificates that are unreadable,
revoked, chain incomplete, self signed, expired, not yet valid, etc.

https://github.com/drwetter/testssl.sh

-- 
  Mark Felder
  feld at feld.me
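The hostname-versus-certificate check discussed in this thread, as an added example that is not code from the list, from sslname.sh or from testssl.sh: a Python matcher that accepts a wildcard only as the whole leftmost label of a name with at least three labels, so "*.example.com" covers "www.example.com" but not "a.b.example.com" (the too-eager case JC mentions). The certificate names passed to it are constructed sample values, not from any real certificate.

```python
# Hostname matching against certificate names, in the spirit of RFC 6125.
# A '*' may stand for exactly one whole DNS label, only in the leftmost
# position, and only when the name has at least three labels (no "*.com").

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' covers the whole label, nothing else."""
    if pattern == "*":
        return True
    if "*" in pattern:
        # Partial-label wildcards such as "f*o" are not accepted here.
        return False
    return pattern == label


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single CN or SAN dNSName entry covers hostname."""
    pat_labels = cert_name.rstrip(".").lower().split(".")
    host_labels = hostname.rstrip(".").lower().split(".")
    # A wildcard replaces exactly one label, so label counts must agree;
    # this is what stops "*.example.com" from matching "a.b.example.com".
    if len(pat_labels) != len(host_labels):
        return False
    # Wildcards are only allowed in the leftmost label.
    if any("*" in lbl for lbl in pat_labels[1:]):
        return False
    # Refuse wildcards that would cover a whole public suffix ("*.com").
    if "*" in pat_labels[0] and len(pat_labels) < 3:
        return False
    return all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels))


def hostname_matches_cert(hostname: str, san_dns_names, common_name=None) -> bool:
    """Check hostname against SAN dNSNames; the CN is consulted only when
    the certificate carries no SAN entries, as browsers do."""
    candidates = list(san_dns_names) if san_dns_names else [common_name or ""]
    return any(cert_name_matches(n, hostname) for n in candidates)


def xymon_color(hostname: str, san_dns_names, common_name=None) -> str:
    """Map the check to the status colour a Xymon test would report."""
    return "green" if hostname_matches_cert(hostname, san_dns_names, common_name) else "red"


if __name__ == "__main__":
    # Constructed sample: a cert with SAN entries only for www and mail.
    sample_sans = ["www.example.com", "mail.example.com"]
    print(xymon_color("www.example.com", sample_sans))   # green
    print(xymon_color("shop.example.com", sample_sans))  # red
```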


