On Tue, Nov 10, 2015, at 08:19, J.C. Cleaver wrote:
On Tue, November 10, 2015 2:24 am, Markus Stoll, junidas GmbH wrote:
Hi,
xymon would never be fast enough implementing checks against current ssl vulnerabilities
ssllabs does provide a webservice API for thorough SSL checking which can be accessed from xymon quite easily
Agreed. xymonnet isn't doing a deep examination of the response, and isn't testing against a matrix of possibilities. A few simple things might be able to be added as a simple "httpcipher=" sort of thing, but our 'http' syntax is already rather scarily overloaded and I'm not sure it's quite the best solution there.
On 09.11.2015 at 22:24, Mark Felder <feld at feld.me> wrote:
On Mon, Nov 9, 2015, at 15:18, Scot Kreienkamp wrote:
Hi there,
I am testing a site in Xymon that is testing OK, but throws an SSL error in the browser. Wondering why that was, I looked at the certificate for the site... it doesn't match the domain name of the site that's serving it, which causes the browser to display an SSL error. I was expecting Xymon to do the same. Apparently Xymon doesn't check to make sure the certificate matches the URL.
Xymon doesn't check the chain of trust or validate the hostname of the certificate. It will gladly tell you if it expires, though :)
It would be nice to teach Xymon to validate the certificate more thoroughly.
I thought this had sounded familiar, and it turns out I had written a small test for this back in the day.
I cleaned up a little of the bit-rot and updated the script at https://wiki.xymonton.org/doku.php/monitors:sslname.sh
This should do an okay job at CN validation to solve the original problem, and handles wildcards as well (although it's a bit too eager and will accept wildcards for further subdomains, which is invalid). It should be rewritten to perform just a single, mass 'xymondboard' query before it's used at large sites or on heavily loaded xymond servers, however.
HTH, -jc
You can just yank a couple subroutines out of testssl.sh and you'll be in better shape. It will cover certificates that are unreadable, revoked, chain incomplete, self-signed, expired, not yet valid, etc.
https://github.com/drwetter/testssl.sh
-- Mark Felder feld at feld.me
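The wildcard caveat J.C. raises above (a pattern like `*.example.com` must match exactly one label, not `a.b.example.com`) is the kind of rule a hostname check has to get right. The following is an added illustration, not code from the thread, from sslname.sh or from testssl.sh; it contrasts shell-style globbing with a strict matcher and assumes the caller has already pulled the dNSName SAN entries (or the CN) out of the certificate.

```python
import fnmatch
import ipaddress


def eager_match(pattern: str, hostname: str) -> bool:
    """Shell-style globbing: '*' also spans dots, so '*.example.com'
    wrongly accepts 'a.b.example.com'. Shown only as the bad baseline."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_match(pattern: str, hostname: str) -> bool:
    """Hostname matching in the spirit of RFC 6125: case-insensitive,
    a wildcard is only accepted as the entire leftmost label, and it
    matches exactly one label. IP literals must match exactly."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)   # raises ValueError for DNS names
        return pattern == hostname       # no wildcards for IP addresses
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial wildcards ('w*.example.com'), wildcards outside the
    # leftmost label, and overly broad names such as '*.com'.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert_names, hostname: str) -> bool:
    """cert_names: the certificate's dNSName SAN entries, or the CN when
    the certificate carries no SAN (assumed extracted by the caller)."""
    return any(strict_match(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: names as they might appear in a SAN extension.
    names = ["example.com", "*.example.com"]
    for host in ("www.example.com", "a.b.example.com", "example.org"):
        print(host, "->", cert_matches_host(names, host))
```

The `eager_match` result for `a.b.example.com` is the false acceptance the thread describes; `strict_match` rejects it while still accepting `www.example.com`.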