[Xymon] SSL Certificate test failure
feld at feld.me
Tue Nov 10 15:43:29 CET 2015
On Tue, Nov 10, 2015, at 08:19, J.C. Cleaver wrote:
> On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
> > Hi,
> > xymon would never be fast enough implementing checks against current ssl
> > vulnerabilities
> > ssllabs does provide a webservice API for thorough SSL checking which can
> > be accessed from xymon quite easily
> Agreed. xymonnet isn't doing a deep examination of the response, and
> testing against a matrix of possibilities. A few simple things might be
> able to be added as a simple "httpcipher=" sort of thing, but our 'http'
> syntax is already rather scarily overloaded and I'm not sure it's quite
> the best solution there.
> >> On 09.11.2015 at 22:24, Mark Felder <feld at feld.me> wrote:
> >> On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
> >>> Hi there,
> >>> I am testing a site in Xymon that is testing OK, but throws an SSL error
> >>> in the browser. Wondering why that was, I looked at the certificate for
> >>> the site... it doesn't match the domain name of the site that's serving
> >>> it, which causes the browser to display an SSL error. I was expecting
> >>> Xymon to do the same. Apparently Xymon doesn't check to make sure the
> >>> certificate matches the URL.
> >> Xymon doesn't check the chain of trust or validate the hostname of the
> >> certificate. It will gladly tell you if it expires, though :)
> >> It would be nice to teach Xymon to validate the certificate more
> >> thoroughly.
> I thought this had sounded familiar, and it turns out I had written a
> small test for this back in the day.
> I cleaned up a little of the bit-rot and updated the script at
> This should do an okay job at CN validation to solve the original
> and handles wildcards as well (although it's a bit too eager and will
> accept wildcards for further subdomains, which is invalid). It should be
> rewritten to perform just a single, mass 'xymondboard' query before it's
> used at large sites or on heavily loaded xymond servers, however.
You can just yank a couple subroutines out of testssl.sh and you'll be
in better shape. It will cover certificates that are unreadable,
revoked, chain incomplete, self-signed, expired, not yet valid, etc.
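The two gaps the thread describes (no hostname check, and a wildcard rule that is "too eager") are shown below in an added example that is not code from the thread, from Xymon or from testssl.sh; the function names (hostname_matches, cert_covers, check_site) and the Xymon-style colour/message return value are assumptions for illustration.

```python
import socket
import ssl
from typing import Iterable, Optional, Tuple

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) matches hostname.

    Applies the RFC 6125 rule the thread points at: a wildcard must be the
    whole left-most label and matches exactly one label, so '*.example.com'
    matches 'www.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire first label, nothing else may contain one,
    # and at least two literal labels must remain so '*.com' is rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Exactly one label is consumed by the wildcard: label counts must agree.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cert_covers(hostname: str, san_names: Iterable[str], common_name: Optional[str] = None) -> bool:
    """Browser behaviour: if the cert carries dNSName SANs only those count;
    the CN is consulted only when no SAN is present."""
    names = list(san_names) or ([common_name] if common_name else [])
    return any(hostname_matches(n, hostname) for n in names)

def check_site(host: str, port: int = 443, timeout: float = 10.0) -> Tuple[str, str]:
    """Return (colour, message) in the style of a Xymon status line.

    The default context verifies the chain against the system trust store,
    expiry/validity dates and the hostname, so the test goes red for the
    cases the thread lists instead of only reporting the expiry date.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return "red", f"{host}:{port} certificate failed verification: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return "red", f"{host}:{port} TLS handshake failed: {e}"
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return "green", f"{host}:{port} certificate OK for {', '.join(sans) or host}"
```

check_site needs network access; the matching functions run offline and are what a replacement for the over-eager wildcard logic would plug into.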