[Xymon] SSL Certificate test failure
Henrik Størner
henrik at hswn.dk
Tue Nov 10 22:10:57 CET 2015
Hi,

On 10-11-2015 at 15:27, Mark Felder wrote:
>
> [...] We're simply asking
> Xymon to be able to differentiate between a certificate with a valid
> chain of trust and one that is broken or self-signed.

You are correct that Xymon only checks the expiry date of the
certificate. This is - more or less - by design, since that is the most
common problem with certificates: Your site works fine on Monday, and on
Tuesday everything is down because the certificate has expired.

If your certificate is broken in the sense that the Common Name (i.e. the
website name for which the certificate was issued) does not match your
site, then *all* users will see that - so you figure it out pretty fast,
usually before going live.

And name checking is not as simple as it seems. Lots of devices have
self-signed certificates with meaningless names - tons of networking
gear, application server admin consoles, intermediate proxy devices and
so on. All of them can use self-signed certificates, or certificates
issued by your own (company) CA. Xymon cannot validate them, because
technically they are not trusted - you just want the TLS encryption to
work, so you must live with the certificate.

Regards,
Henrik
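As an added example (not code from this thread or from Xymon), a stand-alone check written with the Python standard library that reports the two conditions discussed above separately: days until expiry on one hand, and a failed chain of trust (self-signed, unknown issuer, name mismatch) on the other. The optional `cafile` parameter covers the company-CA case Henrik mentions; hostnames, ports and the CA bundle path are assumptions.

```python
import socket
import ssl
import time

def days_until_expiry(cert, now=None):
    """Days left before the notAfter date of a cert dict as returned by
    SSLSocket.getpeercert(); 'now' is a Unix timestamp (defaults to current time)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0

def classify_verify_error(message):
    """Map OpenSSL's verify-failure text (as surfaced by ssl.SSLCertVerificationError)
    to a monitoring status so the expiry case is not confused with a broken chain."""
    m = message.lower()
    if "expired" in m:
        return "expired"
    if "self signed" in m or "self-signed" in m:
        return "self-signed"
    if "unable to get local issuer" in m or "unable to get issuer" in m:
        return "untrusted-issuer"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "name-mismatch"
    return "verify-failed"

def check_tls(host, port=443, cafile=None, warn_days=30, timeout=10):
    """Connect, validate the chain against the system store (or a private CA
    bundle given as 'cafile' for company-CA devices) and the hostname, then
    report expiry. Returns a dict with 'status' and 'days_left'."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain of trust or name check failed: report why, not just "down".
        return {"status": classify_verify_error(str(exc)), "days_left": None}
    days = days_until_expiry(cert)
    status = "ok" if days > warn_days else "expiring"
    return {"status": status, "days_left": round(days, 1)}

if __name__ == "__main__":
    # Hypothetical targets; the second assumes a company CA bundle on disk.
    print(check_tls("www.example.com"))
    print(check_tls("admin-console.internal.example", 8443, cafile="/etc/ssl/company-ca.pem"))
```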