On 1/2/26 6:26 AM, Adam Thorn via Xymon wrote:
I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.
I wasn't aware of it. Hence asking. :-)
You could write an extension script using openssl to get and parse the certificate, though:
Where can I find more about writing an extension script?
Aside: I wonder if I might be able to (ab)use this to make some nicer SMTP et al. checks that actually speak more of the SMTP protocol to less likely annoy some security monitors; e.g. "<client IP> didn't issue any commands" or "<client IP> sent pre-greeting traffic". -- I can see a lot of value in such extensions, more than just SMTP.
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null
will print the certificate, and so you can e.g. get the expiry date via
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 10 00:00:00 2025 GMT
notAfter=Nov 9 23:59:59 2026 GMT
Yep. I'm well versed in the openssl command. ;-)
What I wasn't aware was possible until reading your reply is creating an extension that can run whatever test I create.
I'm assuming that the extension script is not the same as extensions that are run client side to test additional things. I've got many such client side extensions checking things in Oracle, system multipath, etc.
I'd love to learn that there's a way to extend things on the Xymon server (or proxy server) to test from the central point in more ways.
I've skimmed many Xymon manual pages, but seem to have missed something or otherwise failed to grok server side extensions.
-- Grant. . . .
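
Added example (not part of the original message, and not code from Xymon): the openssl pipeline quoted above prints a notAfter line, and the functions below turn that line into a color and message of the kind a Xymon status carries. The function names and the 30/10-day thresholds are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate from `openssl x509 -noout -dates` output.
WARN_DAYS=30   # assumed threshold for yellow
CRIT_DAYS=10   # assumed threshold for red

# Print epoch seconds for the "notAfter=Mon DD HH:MM:SS YYYY GMT" line in $1.
not_after_epoch() {
    na=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$na" ] || return 1
    set -- $na                      # split on whitespace: Mon DD HH:MM:SS YYYY GMT
    [ $# -eq 5 ] && [ "$5" = GMT ] || return 1
    d=${2#0} y=$4
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    hh=${3%%:*}; rest=${3#*:}; mi=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mi=${mi#0}; ss=${ss#0}   # 08 and 09 would be read as bad octal
    # Days since 1970-01-01 for a Gregorian date, using integer arithmetic only.
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mi * 60 + ss ))
}

# Print "<color> <message>" for the dates text in $1 at epoch $2 (default: now).
cert_status() {
    exp=$(not_after_epoch "$1") || { echo "red no notAfter line found"; return 0; }
    now=${2:-$(date +%s)}
    left=$((exp - now))
    days=$((left / 86400))
    if [ "$left" -le 0 ]; then echo "red certificate expired"
    elif [ "$days" -lt "$CRIT_DAYS" ]; then echo "red certificate expires in $days days"
    elif [ "$days" -lt "$WARN_DAYS" ]; then echo "yellow certificate expires in $days days"
    else echo "green certificate expires in $days days"
    fi
}

# Constructed sample: the -dates output quoted in the thread, one field per line.
SAMPLE='notBefore=Nov 10 00:00:00 2025 GMT
notAfter=Nov  9 23:59:59 2026 GMT'
cert_status "$SAMPLE" 1767312000    # evaluated as of 2026-01-02 00:00:00 UTC
# Live use: cert_status "$(echo | openssl s_client -connect outlook.office.com:587 \
#     -starttls smtp 2>/dev/null | openssl x509 -noout -dates)"
```

A failed connection leaves the dates text empty, which the function reports as red rather than silently passing. Sending the resulting color and text to the Xymon server is left out here.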