[Xymon] SSL Certificate test failure
Werner Maier
werner at maiers.de
Tue Nov 10 15:52:46 CET 2015
>> xymon would never be fast enough at implementing checks against current SSL
>> vulnerabilities
>>
>> ssllabs does provide a webservice API for thorough SSL checking which can
>> be accessed from xymon quite easily
>>
> I don't think anybody asked for this functionality. We're simply asking
> Xymon to be able to differentiate between a certificate with a valid
> chain of trust and one that is broken or self-signed.
In general, if you are using SSL w/ official certificates, it will
not be sufficient just to check whether the chain is OK and the cert
is still valid (it's a start, but it won't be enough, at least not for long).
Browsers are starting to deprecate some SSL features, and they are talking
about dropping SHA1 signatures soon.
So you need to check at least:
- does the certificate contain the name
  * CN / single-name certificates
  * SAN / multi-domain certificates (SNI)
- is the cert still valid
- is the chain of trust OK
- what size is the server key
- which signature algorithm is used
- [...]
I don't want to see this IN the xymonnet script, as the needs will change
faster than you want to upgrade your running xymon server.
Therefore I would recommend doing this via an external script and using
testssl.sh <https://github.com/drwetter/testssl.sh/>.
The benefit would be being able to check not only a valid trust chain
but also the other things that need to be checked if you work with SSL.
For example:
- all the things mentioned above, plus:
- supported ciphers
- offered encryption grades
- testing against known vulnerabilities
So one could check exactly what is needed; there are big differences
between production requirements and private web hosts.
regards,
Werner Maier
--
Dipl.-Ing. Univ. Werner Maier
http://www.maiers.de/
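As an added example (not part of this thread, not Xymon's xymonnet and not testssl.sh), the following POSIX sh script runs the checklist from the message above with nothing but the openssl CLI: chain of trust against a CA bundle, hostname against SAN/CN, remaining validity, server key size and signature algorithm, each reported as a Xymon-style green/red line. The function names (check_cert, make_demo_certs), the www.example.test / example.test hostnames and the 2048-bit / 30-day thresholds are assumptions chosen for the example; the certificates it checks are constructed on the fly (a throwaway CA, a good leaf, the same leaf signed with SHA-1, and a self-signed leaf), so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Xymon thread and not testssl.sh: a small
# external checker that runs the checklist above with the openssl CLI.
# Hypothetical names: check_cert, make_demo_certs, the *.example.test hosts.
set -u

# check_cert HOSTNAME CERT_PEM CA_PEM [MIN_KEY_BITS] [WARN_SECONDS]
# Prints one green/red line per check (Xymon-style colours) and returns 0
# only if every check passed, so it can drive a status report directly.
check_cert() {
    host=$1; cert=$2; ca=$3
    min_bits=${4:-2048}
    warn_secs=${5:-2592000}            # 30 days

    rc=0
    # chain of trust: does the cert chain up to the given CA bundle?
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "green chain: trusted via $ca"
    else
        echo "red chain: NOT trusted via $ca (self-signed or broken chain)"; rc=1
    fi

    # name: hostname must be covered by a DNS SAN (or, lacking SANs, the CN)
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "green name: $host matches SAN/CN"
    else
        echo "red name: $host does NOT match SAN/CN"; rc=1
    fi

    # validity: -checkend fails if the cert expires within warn_secs (or already has)
    if openssl x509 -in "$cert" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo "green expiry: more than $warn_secs s left"
    else
        echo "red expiry: expired or expiring within $warn_secs s"; rc=1
    fi

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)

    # server key size, taken from the "Public-Key: (N bit)" line of -text output
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)
    if [ "${bits:-0}" -ge "$min_bits" ]; then
        echo "green key: $bits bit (minimum $min_bits)"
    else
        echo "red key: ${bits:-unknown} bit (minimum $min_bits)"; rc=1
    fi

    # signature algorithm: SHA-1 (and MD5) signatures are what browsers are dropping
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -1)
    case "$sigalg" in
        sha1*|md5*) echo "red sigalg: $sigalg (deprecated)"; rc=1 ;;
        *)          echo "green sigalg: $sigalg" ;;
    esac
    return $rc
}

# make_demo_certs DIR: constructed test data, a throwaway CA plus three leaf
# certs for www.example.test: a good one, a SHA-1-signed one, a self-signed one.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    # SAN via an extension file so this works on OpenSSL 1.1.1 and 3.x alike
    printf 'subjectAltName=DNS:www.example.test,DNS:example.test\n' >"$dir/san.cnf"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 90 -sha256 -extfile "$dir/san.cnf" -out "$dir/good.pem" 2>/dev/null
    # same CSR signed with SHA-1 (some OpenSSL builds refuse to sign with SHA-1; then
    # sha1.pem is simply missing and every check on it comes out red)
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 90 -sha1 -extfile "$dir/san.cnf" -out "$dir/sha1.pem" 2>/dev/null || true
    # self-signed for the same name: right name, broken chain of trust
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -subj '/CN=www.example.test' \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

main() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    for c in good sha1 self; do
        echo "== $c.pem as www.example.test"
        check_cert www.example.test "$d/$c.pem" "$d/ca.pem" || echo "=> overall: red"
    done
    echo "== good.pem as other.example.test"
    check_cert other.example.test "$d/good.pem" "$d/ca.pem" || echo "=> overall: red"
    rm -rf "$d"
}
main
```

To run the same checks against a live server instead of a file, save the leaf it presents first, e.g. `openssl s_client -servername www.example.test -connect www.example.test:443 </dev/null 2>/dev/null | openssl x509 > leaf.pem`, then call `check_cert www.example.test leaf.pem /etc/ssl/certs/ca-certificates.crt` (CA bundle path is distribution-specific). The script deliberately keeps the chain check and the name check separate, so a self-signed cert with the right name and a properly chained cert for the wrong name are reported as different failures; cipher suites, protocol versions and known-vulnerability probes are out of its scope and are what testssl.sh adds on top.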