[Xymon] Fwd: Re: Subject: Re: SSL OCSP monitoring

Ralph Mitchell ralphmitchell at gmail.com
Wed Apr 16 14:45:24 CEST 2014


Resending because it didn't go to the mailing list.  I don't remember why
it was deemed a good idea not to direct replies to the list by default.  I
wonder how many conversations have "gone off list" like this without the
participants noticing??

Ralph Mitchell
---------- Forwarded message ----------
From: "Ralph Mitchell" <ralphmitchell at gmail.com>
Date: Apr 16, 2014 7:23 AM
Subject: Re: [Xymon] Subject: Re: SSL OCSP monitoring
To: "Steff Watkins" <s.watkins at nhm.ac.uk>
Cc:

OCSP is a little different to expiry - it's for checking that the
certificate has not been revoked.  Say you have some kind of national ID
card with certificate and key issued by a nationwide trusted entity. You
could use it to access banking and health services, sign documents, encrypt
email, etc.  If the card is lost or stolen, you call it in, the certificate
is revoked and they send you a new one.

If the stolen card is subsequently used to try to gain access to your bank
account, the bank calls an OCSP responder to validate the card and then
rejects it.  Clients, such as web browsers, can do the same to check if
server certificates have been revoked before trusting them.

I'm not sure what anyone would gain from testing revocation status, given
that you're generally monitoring certs on your own network and servers.

Ralph Mitchell



On Wed, Apr 16, 2014 at 5:40 AM, Steff Watkins <s.watkins at nhm.ac.uk> wrote:

> > Hi,
> >
> > Can we monitor SSL certificate's revoke status ?
> >
> > Thanks,
> > Deepak
>
> Hello Deepak,
>
>  Not sure if this is what you're after but I've found a way of getting
> Xymon to give yellow alerts when the SSL certificate on a webserver has 30
> days (or less) until expiry, and red alerts on 14 days (or less).
>
> The first part is to give a secure URL in the comment section of the host
> definition in the hosts.cfg file, such as:
>
>    192.168.12.12    www  # conn ssh http://www. yabadabadoo.blah.uk/
> https://yabadabadoo.blah.uk/
>
> This tells Xymon to check the secure HTTP instance on, in this case,
> www.yabadabadoo.blah.uk . So it picks up the SSL certificate and reports
> on its presence. This should create an "sslcert" column on your Xymon
> display. You can view the retrieved certificate in that column.
>
> However the next step is needed if you wanted alerts raised when an SSL
> certificate is getting near expiry date.
>
> In the tasks.cfg file you need to setup a clause to force the system to
> raise a warning if the SSL certificate gets near expiry date. I have done
> this by adding the "sslwarn" and "sslalarm" options to the definition for
> xymonnet.
>
> The actual definition I am using is shown below:
>
> -----
> [xymonnet]
>         ENVFILE /usr/local/hobbit/server/etc/xymonserver.cfg
>         NEEDS xymond
>         CMD xymonnet --no-ares --report --ping --checkresponse
> --sslwarn=30 --sslalarm=14 '--dnslog=/var/log/xymon/dns.log'
> '--concurrency=5' '--debug' '--dump=both'
>         LOGFILE $XYMONSERVERLOGS/xymonnet.log
>         INTERVAL 5m
>  -----
>
> As you can see I have '-sslwarn=30' which causes the sslcert column for a
> host to go yellow when the SSL certificate for that host has 30 days or
> less until expiry. The '--sslalarm=14' raises the alert level to red when
> there is 14 days or less until the SSL certificate's expiry date.
>
> I have this running in  a live environment at the moment and can confirm
> that it does work. I'm fairly sure that you should be able to use this sort
> of setup for testing the revocation dates of SSL certificates for other
> protocols, such as secure smtp.
>
> Hope this helps.
>
> Regards,
> Steff Watkins
> -----
> Steff Watkins                           Natural History Museum, Cromwell
> Road, London,SW75BD
> Systems programmer                      Email: s.watkins at nhm.ac.uk
> Systems Team                            Phone: +44 (0)20 7942 6000 opt 2
> ========
> "Many were increasingly of the opinion that they'd all made a big mistake
> in coming down from the trees in the first place. And some said that even
> the trees had been a bad move, and that no one should ever have left the
> oceans." - HHGTTG
>
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20140416/c72476ed/attachment.html>


More information about the Xymon mailing list