[Xymon] SSL Certificate test failure
cleaver at terabithia.org
Tue Nov 10 15:19:10 CET 2015
On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
> xymon would never be fast enough implementing checks against current ssl
> ssllabs does provide a webservice API for thorough SSL checking which can
> be accessed from xymon quite easily
Agreed. xymonnet isn't doing a deep examination of the response, and isn't
testing against a matrix of possibilities. A few simple things might be
able to be added as a simple "httpcipher=" sort of thing, but our 'http'
syntax is already rather scarily overloaded and I'm not sure it's quite
the best solution there.
>> Am 09.11.2015 um 22:24 schrieb Mark Felder <feld at feld.me>:
>> On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
>>> Hi there,
>>> I am testing a site in Xymon that is testing OK, but throws an SSL
>>> in the browser. Wondering why that was, I looked at the certificate
>>> the site... it doesn't match the domain name of the site that's serving
>>> it, which causes the browser to display an SSL error. I was expecting
>>> Xymon to do the same. Apparently Xymon doesn't check to make sure the
>>> certificate matches the URL.
>> Xymon doesn't check the chain of trust or validate the hostname of the
>> certificate. It will gladly tell you if it expires, though :)
>> It would be nice to teach Xymon to validate the certificate more
I thought this had sounded familiar, and it turns out I had written a
small test for this back in the day.
I cleaned up a little of the bit-rot and updated the script at
This should do an okay job at CN validation to solve the original problem,
and handles wildcards as well (although it's a bit too eager and will
accept wildcards for further subdomains, which is invalid). It should be
rewritten to perform just a single, mass 'xymondboard' query before it's
used at large sites or on heavily loaded xymond servers, however.
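
The wildcard caveat above, as an added example that is not part of the original post and is not the script it mentions. The function names and the sample certificate names are constructed for illustration, and `eager_match` is only a stand-in for the "too eager" behaviour, since the script's own comparison is not shown here.

```python
import fnmatch

def eager_match(pattern: str, hostname: str) -> bool:
    """Glob-style comparison: '*' may span dots, so it also accepts
    deeper subdomains. Stand-in for the over-eager behaviour."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())

def strict_match(pattern: str, hostname: str) -> bool:
    """Label-wise comparison: '*' is accepted only as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # Same number of labels, and no empty label in the hostname.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: require two fixed labels after the
        # wildcard, so a name such as '*.com' never matches.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards ('w*.example.com') are rejected outright.
    return "*" not in pattern and p == h

# Constructed sample: names as they might appear in a certificate.
CERT_NAMES = ["*.example.com", "example.com"]

def cert_covers(names, hostname, matcher=strict_match) -> bool:
    """True if any certificate name covers the hostname being tested."""
    return any(matcher(name, hostname) for name in names)

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "example.org"):
        print(host,
              "eager:", cert_covers(CERT_NAMES, host, eager_match),
              "strict:", cert_covers(CERT_NAMES, host))
```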