Xymon would never be fast enough at implementing checks against current SSL vulnerabilities.
SSL Labs does provide a web service API for thorough SSL checking, which can be accessed from Xymon quite easily.
I don't think anybody asked for this functionality. We're simply asking Xymon to be able to differentiate between a certificate with a valid chain of trust and one that is broken or self-signed.
In general, if you are using SSL with official certificates, it will not be sufficient just to check whether the chain is OK and whether the cert is still valid (it's a start, but soon it won't be enough).
Browsers are starting to deprecate some SSL features, and they are talking about dropping SHA1 signatures soon.
So you need to check at least:
- does the certificate contain the name
  - CN / single name certificates
  - SAN / multidomain name certificates (SNI)
- is the cert still valid
- is the chain of trust OK
- what size the server key is
- which signature algorithm is used
- [...]
I don't want to see this IN the xymonnet script, as the needs will change faster than you want to upgrade your running xymon server.
Therefore I would recommend doing this via an external script and using testssl.sh <https://github.com/drwetter/testssl.sh/>
The benefit would be to be able to check not only a valid trust chain but also more things that need to be checked if you work with SSL.
For example:
- all mentioned things above plus:
- supported ciphers
- offered encryption grades
- testing against known vulnerabilities
So one could check exactly what is needed; there are big differences in production requirements vs. private web hosts.
regards,
Werner Maier
Dipl.-Ing. Univ. Werner Maier http://www.maiers.de/
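The external-script approach above, as an added example that is not from the thread or from testssl.sh: it takes the JSON findings that `testssl.sh --jsonfile` writes (the `id`/`severity`/`finding` fields and the severity labels are assumed from that format; the sample findings are constructed), maps them to an Xymon status colour, and builds the `status` message an ext script would send. The `ignore` list is what lets a production host and a private web host apply different requirements.

```python
"""Turn testssl.sh JSON findings into an Xymon status report (added example)."""
import json

# Severity labels assumed from testssl.sh --jsonfile output, mapped to Xymon
# colours. Anything unexpected is treated as yellow so it gets looked at.
SEVERITY_COLOR = {
    "DEBUG": "green", "INFO": "green", "OK": "green",
    "LOW": "yellow", "MEDIUM": "yellow", "WARN": "yellow",
    "HIGH": "red", "CRITICAL": "red",
}
RANK = {"green": 0, "yellow": 1, "red": 2}


def xymon_status(host, testname, findings_json, ignore=()):
    """Return (colour, message) for Xymon from testssl.sh JSON findings.

    `ignore` names finding ids that are acceptable on this host, so the same
    script can enforce stricter rules on production than on a private site.
    """
    colour = "green"
    lines = []
    for f in json.loads(findings_json):
        if f.get("id") in ignore:
            continue
        fc = SEVERITY_COLOR.get(f.get("severity", ""), "yellow")
        if RANK[fc] > RANK[colour]:
            colour = fc
        if fc != "green":
            # &colour markers render as status icons in the Xymon web UI.
            lines.append(f"&{fc} {f.get('id')}: {f.get('finding', '')}")
    # Xymon status header; dots in the hostname are written as commas.
    header = f"status {host.replace('.', ',')}.{testname} {colour} testssl.sh check"
    return colour, "\n".join([header, *lines])


# Constructed sample of what testssl.sh might report for one host.
SAMPLE = json.dumps([
    {"id": "cert_chain_of_trust", "severity": "OK", "finding": "passed."},
    {"id": "cert_keySize", "severity": "OK", "finding": "RSA 2048 bits"},
    {"id": "cert_signatureAlgorithm", "severity": "MEDIUM", "finding": "SHA1 with RSA"},
    {"id": "cert_notAfter", "severity": "OK", "finding": "2030-01-01 00:00"},
    {"id": "SSLv3", "severity": "HIGH", "finding": "offered (NOT ok)"},
])

if __name__ == "__main__":
    print(xymon_status("www.example.com", "ssl", SAMPLE)[1])
```

From an ext script the returned message would be handed to `$XYMON $XYMSRV "$msg"` after running `testssl.sh --jsonfile` against the host.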