[Xymon] SSL Certificate test failure
josh at imaginenetworksllc.com
Tue Nov 10 22:14:49 CET 2015
I'd say if someone changed something and didn't check a particular name,
that having Xymon check a matching name would be very beneficial.
In simple terms, check https://foo.bar.com - if that would work on the
average user's browser, then be green. If not, change the status.
1100 Wayne St
Troy, OH 45373
On Tue, Nov 10, 2015 at 4:10 PM, Henrik Størner <henrik at hswn.dk> wrote:
> Den 10-11-2015 kl. 15:27 skrev Mark Felder:
>> [...] We're simply asking
>> Xymon to be able to differentiate between a certificate with a valid
>> chain of trust and one that is broken or self-signed.
> You are correct that Xymon only checks the expiry-date of the certificate.
> This is - more or less - by design, since that is the most common problem
> with certificates: Your site works fine on Monday, and on Tuesday
> everything is down because the certificate has expired.
> If your certificate is broken in the sense that the Common Name (i.e. the
> website name for which the certificate was issued) does not match your
> site, then *all* users will see that - so you figure it out pretty fast,
> usually before going live.
> And name checking is not as simple as it seems. Lots of devices have
> self-signed certificates with meaningless names - tons of networking gear,
> application server admin consoles, intermediate proxy devices and so on.
> All of them can use self-signed certificates, or certificates issued by
> your own (company) CA. Xymon cannot validate them, because technically they
> are not trusted - you just want the TLS encryption to work, so you must
> live with the certificate.
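The distinction discussed in this thread (expired vs. name mismatch vs. self-signed or untrusted chain), as an added example that is not part of the original messages and is not Xymon code. The function names `classify`, `status` and `probe`, the `allow_untrusted` per-host flag and the green/red mapping are assumptions made for illustration.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes, grouped by the failure classes in the thread.
REASONS = {
    0: "ok",
    9: "not-yet-valid",      # CERT_NOT_YET_VALID
    10: "expired",           # CERT_HAS_EXPIRED
    18: "self-signed",       # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self-signed",       # SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted-chain",   # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "untrusted-chain",   # UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "name-mismatch",     # HOSTNAME_MISMATCH
    64: "name-mismatch",     # IP_ADDRESS_MISMATCH
}


def classify(verify_code):
    """Map an OpenSSL verify code to one of the failure classes above."""
    return REASONS.get(verify_code, "other")


def status(reason, allow_untrusted=False):
    """Hypothetical colour policy. allow_untrusted is for devices that are
    expected to present a self-signed or private-CA certificate."""
    if reason == "ok":
        return "green"
    # Caveat: the handshake stops at the first verification error, so a host
    # tolerated here has NOT had its expiry or name checked by probe().
    if allow_untrusted and reason in ("self-signed", "untrusted-chain"):
        return "green"
    return "red"


def probe(host, port=443, timeout=5.0, context=None):
    """Do a fully verifying handshake (chain, dates, hostname) and return
    the failure class instead of only looking at the expiry date."""
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)
    except OSError:
        # Refused, timed out, or a non-certificate TLS failure.
        return "connect-failed"
```

For a company CA, pass a `context` built with `ssl.create_default_context(cafile=...)` so that internal certificates are verified against it rather than waved through with `allow_untrusted`.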