[Xymon] SSL Certificate test failure

Werner Maier werner at maiers.de
Tue Nov 10 15:52:46 CET 2015

>> xymon would never be fast enough implementing checks against current ssl
>> vulnerabilities
>> ssllabs does provide a webservice API for thorough SSL checking which can
>> be accessed from xymon quite easily
> I don't think anybody asked for this functionality. We're simply asking
> Xymon to be able to differentiate between a certificate with a valid
> chain of trust and one that is broken or self-signed.

in general, if you are using SSL w/ official certificates, it will
not sufficient just to check if the chain would be ok and if the cert
is still valid (it's a start, but it won't be enough - at least soon).

Browsers are starting to deprecate some SSL-features, and they are talking
about to drop SHA1 signatures soon.

so you need to check at least:
- does the certificate contain the name
  * CN / single name certificates
  * SAN / multidomain name certficiates (SNI)
- is the cert still valid
- is the chain of trust ok
- which size is server key
- which signature algorithm is used
- [...]

I don't want to see this IN the xymonnet script, as the needs will change
faster than you want to upgrade your running xymon server.

Therefore I would recommend to do this via an external script and use
testssl.sh <https://github.com/drwetter/testssl.sh/>

The benefit would be to be able to check not only a valid trust chain
but also more things that need to be checked if you work with SSL.

for example:
- all mentioned things above plus:
- supported ciphers
- offered encryption grades
- testing against known vulnerabilities

so one could check exactly what is needed - there are big differences in
production requirements vs. private webhosts.


Werner Maier
Dipl.-Ing. Univ. Werner Maier

More information about the Xymon mailing list