[Xymon] Feature request: being able to use client certificates for network tests (NOT http)

Bruce Ferrell bferrell at baywinds.org
Thu Mar 21 05:43:10 CET 2019


On 3/19/19 3:49 AM, SebA wrote:
> On Mon, 18 Mar 2019 at 23:36, Bruce Ferrell <bferrell at baywinds.org> wrote:
>
>     On 3/18/19 11:25 AM, SebA wrote:
>     > I want to be able to test a TLS service that uses server and client certificates, and the only way seems to be with http, but this is not an http(s) service.  It would need to be
>     > configurable in protocols.cfg or some other way in hosts.cfg. I tried pretending it was https and it says 'SSL error' in the test output.  It doesn't create the sslcert column
>     > either, or I could just disable the https test and still get the certificate monitoring, which is what I wanted most anyway.
>     >
>     > Kind regards,
>     >
>     > SebA
>     >
>
>     What does the openssl s_client test do?
>
>     openssl s_client -connect <host:port>
>
>
> Hi Bruce,
>
> When the certificate is expired the result on openssl-1.0.2k-12.109.amzn1.x86_64 (the local server) is:
>     Verify return code: 10 (certificate has expired)
> However, the result on openssl-1.0.2k-12.el7.x86_64 (on the Xymon server) is:
>     Verify return code: 20 (unable to get local issuer certificate)
>
> Once the certificate is renewed the result on both versions is:
>     Verify return code: 0 (ok)
>
> Kind regards,
>
> SebA
>
That's intriguing enough that I did some poking at the issue.  I found some possibilities:

This error can happen if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.

and

another possible solution is by passing the path to a directory where CA keys are stored, i.e.

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

Some systems pre-populate the CA keystore with a package called something like ca-certificates and if that's not loaded adding a CApath parameter will still fail.

I'm not very surprised that the sslcert column isn't created though. Based on looking at my sslcert column, I think the https test is looking for web server header responses to go along with the certificate test and your service may not be sending those.

I suspect you may need to craft a custom test in a script, but that shouldn't be too bad.
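A sketch of the custom script Bruce suggests, added here as an example and not code from the thread or from Xymon itself: it runs openssl s_client with a client certificate and the local CA directory against a non-HTTP TLS port, reads the "Verify return code" line that SebA quoted, and turns it into a Xymon status. Host, port, certificate paths and the column name are placeholders; XYMON, XYMSRV and MACHINE are assumed to be set by xymonlaunch for ext scripts.

```shell
#!/bin/sh
# Added example (not from the thread or Xymon): check a non-HTTP TLS
# service that needs a client certificate, the way Bruce suggests.
# All host, port, path and column values below are placeholders.
TLSHOST="${TLSHOST:-service.example.invalid}"
TLSPORT="${TLSPORT:-5671}"
CLIENT_CERT="${CLIENT_CERT:-/etc/xymon/client.pem}"
CLIENT_KEY="${CLIENT_KEY:-/etc/xymon/client.key}"
CAPATH="${CAPATH:-/etc/ssl/certs}"   # the -CApath idea from the thread
COLUMN="tlssvc"

# Handshake with the client certificate and the local trust store.
# </dev/null closes stdin so s_client exits after the handshake.
probe_tls() {
    openssl s_client -connect "$1:$2" -CApath "$CAPATH" \
        -cert "$CLIENT_CERT" -key "$CLIENT_KEY" </dev/null 2>&1
}

# Extract N from the "Verify return code: N (reason)" line of s_client
# output; prints nothing if no handshake happened (e.g. connection refused).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*/\1/p' | head -n 1
}

# Map the code to a Xymon colour. 10 = certificate has expired; 20 = no
# local issuer, which in the thread turned out to be a missing CA on the
# checking host rather than a bad server certificate, so only warn.
colour_for_code() {
    case "$1" in
        0)  echo green ;;
        20) echo yellow ;;
        *)  echo red ;;   # 10 (expired), any other failure, or no handshake at all
    esac
}

main() {
    out=$(probe_tls "$TLSHOST" "$TLSPORT")
    code=$(verify_code "$out")
    colour=$(colour_for_code "$code")
    # XYMON, XYMSRV and MACHINE are assumed to come from xymonlaunch.
    "$XYMON" "$XYMSRV" "status $MACHINE.$COLUMN $colour $(date)
Verify return code: ${code:-none}
$out"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as an ext script with `--run`; the full s_client output is kept in the status message so a code 20 can be told apart from a real expiry by reading the chain.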
