I'd say if someone changed something and didn't check a particular name, that having Xymon check a matching name would be very beneficial.
In simple terms, check https://foo.bar.com - if that would work on the average user's browser, then be green. If not, change the status.
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
On Tue, Nov 10, 2015 at 4:10 PM, Henrik Størner <henrik at hswn.dk> wrote:
Hi,
Den 10-11-2015 kl. 15:27 skrev Mark Felder:
[...] We're simply asking Xymon to be able to differentiate between a certificate with a valid chain of trust and one that is broken or self-signed.
You are correct that Xymon only checks the expiry-date of the certificate. This is - more or less - by design, since that is the most common problem with certificates: Your site works fine on Monday, and on Tuesday everything is down because the certificate has expired.
If your certificate is broken in the sense that the Common Name (i.e. the website name for which the certificate was issued) does not match your site, then *all* users will see that - so you figure it out pretty fast, usually before going live.
And name checking is not as simple as it seems. Lots of devices have self-signed certificates with meaningless names - tons of networking gear, application server admin consoles, intermediate proxy devices and so on. All of them can use self-signed certificates, or certificates issued by your own (company) CA. Xymon cannot validate them, because technically they are not trusted - you just want the TLS encryption to work, so you must live with the certificate.
Regards, Henrik
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
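The thread above describes what Xymon's built-in test does (expiry only) and what Mark and Josh are asking for (does the chain of trust verify, and does the name match, the way a browser would judge it). The script below is an added example, written for this page and not part of Xymon or of anything posted in the thread: a Xymon "ext"-style check that drives `openssl s_client` to verify the chain and the host name, then uses the presented certificate for the expiry check, and reports a colour. Assumptions: OpenSSL 1.1.0 or newer (for `-verify_hostname`), the Xymon client's `xymon` CLI with `$XYMON` and `$XYMSRV` set when run from `clientlaunch.cfg`, a column name of `ssltrust`, a warning threshold `WARN_DAYS`, and an optional third argument naming a CA bundle so that gear signed by your own company CA (or a device's own self-signed certificate, which OpenSSL accepts as a trust anchor) can be verified instead of being left red.

```shell
#!/bin/sh
# ssltrust.sh: Xymon ext-style TLS check that goes beyond expiry.
# Added example for this page, not Xymon's own code.
# Assumed: OpenSSL >= 1.1.0 (-verify_hostname), xymon(1) client CLI with
# $XYMON/$XYMSRV set, column name "ssltrust", optional CA bundle as 3rd arg.
# Usage: ssltrust.sh HOST [PORT] [CAFILE]

WARN_DAYS=${WARN_DAYS:-30}   # yellow this many days before expiry (assumption)
TESTNAME=ssltrust            # Xymon column name (assumption)

# One handshake: s_client keeps going even when verification fails, so the
# output carries both the leaf certificate (PEM) and a "Verify return code" line.
probe_tls() {
    p_host=$1; p_port=$2; p_cafile=$3
    if [ -n "$p_cafile" ]; then set -- -CAfile "$p_cafile"; else set --; fi
    openssl s_client -connect "$p_host:$p_port" -servername "$p_host" \
        -verify_hostname "$p_host" "$@" </dev/null 2>/dev/null
}

# Numeric X509_V_ERR code from a line such as
# "    Verify return code: 18 (self signed certificate)"; empty if no handshake.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# OpenSSL's human-readable reason from the same line.
verify_text() {
    sed -n 's/^[[:space:]]*Verify return code: [0-9]* (\(.*\))$/\1/p' | head -n 1
}

# Classify the PEM certificate on stdin by expiry using openssl's own
# -checkend arithmetic (exit status 1 means "will expire within N seconds").
expiry_state() {
    e_pem=$(cat)
    if ! printf '%s\n' "$e_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! printf '%s\n' "$e_pem" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo soon
    else
        echo ok
    fi
}

# Colour from verify code and expiry state. Anything a browser would reject
# (code 0 is the only "trusted and name matches" result; 18/19/20/21 are
# self-signed or missing-issuer chains, 62 is a hostname mismatch, 10 is
# expired) is red; a verified chain that is merely close to expiry is yellow.
decide_color() {
    d_code=$1; d_state=$2
    if [ "$d_code" != 0 ]; then echo red
    elif [ "$d_state" = expired ]; then echo red
    elif [ "$d_state" = soon ]; then echo yellow
    else echo green
    fi
}

# Xymon status line: "status HOST.TEST COLOR text", with dots in the host
# name replaced by commas as Xymon's protocol requires.
status_line() {
    echo "status $(printf '%s' "$1" | tr . ,).$TESTNAME $2 $3"
}

main() {
    m_host=$1; m_port=${2:-443}; m_cafile=$3
    m_out=$(probe_tls "$m_host" "$m_port" "$m_cafile")
    m_code=$(printf '%s\n' "$m_out" | verify_code)
    if [ -z "$m_code" ]; then
        m_color=red
        m_msg="$(date) no TLS handshake with $m_host:$m_port"
    else
        m_text=$(printf '%s\n' "$m_out" | verify_text)
        m_state=$(printf '%s\n' "$m_out" \
            | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
            | expiry_state)
        m_color=$(decide_color "$m_code" "$m_state")
        m_msg="$(date) verify: $m_code ($m_text); expiry: $m_state (warn under $WARN_DAYS days)"
    fi
    m_line=$(status_line "$m_host" "$m_color" "$m_msg")
    if [ -n "$XYMON" ] && [ -n "$XYMSRV" ]; then
        "$XYMON" "$XYMSRV" "$m_line"
    else
        printf '%s\n' "$m_line"
    fi
}

# Only probe when given a host, so the functions can be sourced and reused.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ssltrust.sh foo.bar.com 443` to print the status line, or from `clientlaunch.cfg` so it is sent to the Xymon server. For the "networking gear with a self-signed certificate" case from the thread, pass that device's own certificate (or your company CA bundle) as the third argument: the chain then verifies against an explicit trust anchor you chose, while a certificate nobody vouched for still shows red, which is the distinction the thread is asking for.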