[Xymon] SSL Certificate test failure

J.C. Cleaver cleaver at terabithia.org
Tue Nov 10 15:19:10 CET 2015


On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
> Hi,
>
> xymon would never be fast enough implementing checks against current ssl
> vulnerabilities
>
> ssllabs does provide a webservice API for thorough SSL checking which can
> be accessed from xymon quite easily
>

Agreed. xymonnet isn't doing a deep examination of the response, and isn't
testing against a matrix of possibilities. A few simple things might be
able to be added as a simple "httpcipher=" sort of thing, but our 'http'
syntax is already rather scarily overloaded and I'm not sure it's quite
the best solution there.


>
>> On 09.11.2015 at 22:24, Mark Felder <feld at feld.me> wrote:
>> On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
>>> Hi there,
>>>
>>> I am testing a site in Xymon that is testing OK, but throws an SSL error
>>> in the browser.  Wondering why that was, I looked at the certificate for
>>> the site... it doesn't match the domain name of the site that's serving
>>> it, which causes the browser to display an SSL error.  I was expecting
>>> Xymon to do the same.  Apparently Xymon doesn't check to make sure the
>>> certificate matches the URL.
>>>
>>
>> Xymon doesn't check the chain of trust or validate the hostname of the
>> certificate. It will gladly tell you if it expires, though :)
>>
>> It would be nice to teach Xymon to validate the certificate more
>> thoroughly.
>>


I thought this had sounded familiar, and it turns out I had written a
small test for this back in the day.

I cleaned up a little of the bit-rot and updated the script at
https://wiki.xymonton.org/doku.php/monitors:sslname.sh

This should do an okay job at CN validation to solve the original problem,
and handles wildcards as well (although it's a bit too eager and will
accept wildcards for further subdomains, which is invalid). It should be
rewritten to perform just a single, mass 'xymondboard' query before it's
used at large sites or on heavily loaded xymond servers, however.

HTH,
-jc
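The message above notes that sslname.sh does CN validation but is "too eager" with wildcards, accepting "*.example.com" for further subdomains such as a.b.example.com. The following POSIX sh snippet is an added example and is not the sslname.sh script from the Xymon wiki nor any other Xymon code: it shows the stricter matching a Xymon ext script would want (a wildcard only as the entire leftmost label, matching exactly one label, per RFC 6125), checks the host against the subjectAltName DNS names as well as the CN (modern browsers ignore the CN and use only the SAN, so a check that stops at the CN can pass a certificate a browser rejects), and parses names out of the text that `openssl x509 -noout -subject -ext subjectAltName` prints. The function names and the certificate text are this example's own constructed sample data.

```shell
#!/bin/sh
# Added example (not the sslname.sh script from the Xymon wiki): certificate
# name matching for an ext check, with RFC 6125 wildcard rules.
# Certificate names and the OpenSSL output below are constructed sample data;
# the function names (match_name, cert_covers_host, ...) are this example's own.

# match_name HOST NAME: succeed if certificate name NAME covers HOST.
# A wildcard is accepted only as the entire leftmost label, only when at
# least two labels follow it, and it matches exactly one label. So
# "*.example.com" covers "www.example.com" but not "a.b.example.com" or
# "example.com", and "*.com" or "w*.example.com" cover nothing.
match_name() {
    mn_host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    mn_pat=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$mn_host" in *\**|'') return 1 ;; esac    # a host is never a pattern
    if [ "$mn_host" = "$mn_pat" ]; then
        return 0                                     # exact (case-insensitive) match
    fi
    case "$mn_pat" in
        '*.'*.*) ;;                                  # "*." followed by at least two labels
        *) return 1 ;;                               # no wildcard, or a malformed one
    esac
    mn_rest=${mn_pat#\*.}
    case "$mn_rest" in *\**) return 1 ;; esac        # only one wildcard, only leftmost
    # Strip exactly one label from the host; the remainder must match literally,
    # which is what stops "*.example.com" from covering "a.b.example.com".
    mn_host_first=${mn_host%%.*}
    mn_host_rest=${mn_host#*.}
    if [ -n "$mn_host_first" ] && [ "$mn_host_rest" != "$mn_host" ] \
       && [ "$mn_host_rest" = "$mn_rest" ]; then
        return 0
    fi
    return 1
}

# cert_covers_host HOST NAME...: succeed if any certificate name covers HOST.
cert_covers_host() {
    cch_host=$1; shift
    for cch_name in "$@"; do
        if match_name "$cch_host" "$cch_name"; then
            return 0
        fi
    done
    return 1
}

# extract_names TEXT: print the CN and every SAN DNS name, one per line, from
# the output of `openssl x509 -noout -subject -ext subjectAltName` (OpenSSL 1.1.1+).
extract_names() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# sslname_status HOST NAME...: print "green ..." or "red ..." in the form an
# ext script would hand to `xymon $XYMSRV "status $MACHINE.sslname ..."`.
sslname_status() {
    ss_host=$1; shift
    if cert_covers_host "$ss_host" "$@"; then
        printf 'green %s is covered by the certificate (names: %s)\n' "$ss_host" "$*"
    else
        printf 'red %s is NOT covered by the certificate (names: %s)\n' "$ss_host" "$*"
    fi
}

# Constructed sample of what a check script would capture after
# `openssl s_client -servername HOST -connect HOST:443 | openssl x509 -noout -subject -ext subjectAltName`.
SAMPLE_X509_TEXT='subject=CN = example.com
X509v3 Subject Alternative Name: 
    DNS:www.example.com, DNS:*.example.com'

# Stand-alone demo: a.b.example.com must come out red even though the
# certificate carries *.example.com.
set -f   # keep "*.example.com" from being glob-expanded when split into arguments
for demo_host in www.example.com api.example.com a.b.example.com example.com; do
    sslname_status "$demo_host" $(extract_names "$SAMPLE_X509_TEXT")
done
set +f
```

Wired into a real ext script, the names would come from `openssl s_client` against the monitored host (using `-servername` so SNI-enabled servers return the right certificate) instead of the constructed sample, and the "green"/"red" line would be sent with `xymon`; the matching logic is the part the message says the wiki script gets wrong, and it is unchanged by where the names come from.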