SSL certificate name match monitor

Author Japheth Cleaver
Compatibility Xymon 4.2.3
Requirements perl, unix
Download None
Last Update 2015-11-09

Antivirus-Norton Internet Security is a security software product from Symantec. Packed with features to protect your PC from all kinds of online threats and the main programs in this award-winning software are antivirus, anti-spyware, firewall and antispam protection. Download Norton antivirus from . norton.com/setup Author:John Smith0, a creative person who puts his skills in Technical writing by making everything easier for readers to understand the complexity of any tech related issue. Many popular e-magazines have released his articles. He has also been writing to people’s query related to technology like office.com/setup, McAfee, Norton and many more. mcafee.com/activate | mcafee.com/activate | bitstamp login

Client side

No change needed.

Server side

1. Copy the script into the ext/ directory (or wherever you're storing external scripts) and edit your tasks.cfg file by adding a new block:

# "sslname" runs the ssl certificate checker to verify that sslcert test results match
# the URL we tried to access
# 

[sslname]
        ENVFILE /etc/xymon/xymonserver.cfg
        NEEDS xymond
        CMD /etc/xymon/ext/sslname.sh
        LOGFILE /var/log/xymon/sslname.log
        INTERVAL 5m

sslname.sh

Show Code ⇲

Hide Code ⇱

sslname.sh
#!/bin/sh
 
# sslname.sh v2
# 
# Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
# check Xymon does using a built-in (probably https, but also things like imaps)
# 
# After getting this list, we go through each one looking for the common-
# name that the certificate responded with, verifying that it matched the
# url we were trying to reach in the originating test. Normally this means
# the address for the http test, but it could be just the hostname in the event
# of another SSL service.
# 
# Japheth Cleaver <cleaver@terabithia.org>
# No warranty. YMMV. Use at your own risk.
# 
# First pass: 2010-08-02
# http://xymonton.org/monitors:sslname.sh
# 
# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify" 
# instead of our own status
 
 
 [ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*
 
# Set some defaults - I'm running this from xymonlaunch, YMMV
 [ -z "$TESTNAME" ] 	&& TESTNAME=sslname
 [ -z "$XYMSRV" ] 	&& XYMSRV=0.0.0.0
 [ -z "$COLOR" ] 	&& COLOR="clear"
 [ -z "$XYMON" ] 	&& XYMON=/usr/bin/xymon
 
# Modify the sslcert test result, or create our own?
# MODIFY=1
 
# Get a list of all valid sslcert tests
 SSLHOSTS="`$XYMON $XYMSRV \"xymondboard test=sslcert fields=hostname\"`"
 [ -z "$SSLHOSTS" ] && exit 0
 
 
# Loop over them and compare the common name with any URL we can find
 for THISHOST in $SSLHOSTS ; do
 
   # Return the details of this host's sslcert data, unescaping on the way
    SSLDATA="`$XYMON $XYMSRV \"xymondboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`"
    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`"
 
   # Find the common name...
   # TODO: We should loop over all common names and try to figure out what the relevant URLs are below
   #   For now, we sort and take the first one.
    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
    if [ -z "$COMMONNAME" ] ; then
	echo "Couldn't find a 'common name' for $THISHOST..." >&2
	continue
    fi
    # echo " -- Common name for $THISHOST is '$COMMONNAME'"
 
 
   # Isolate what hostname we were trying to access and store as URL,
   # if found. The HUMANURL is the full string, including any port number
    export URL="`echo \"$SSLDATA\" | grep -c https://`"
    if [ $URL -eq 1 ] ; then
	# Great, a simple https address to look at
   	URL="`echo \"$SSLDATA\" | grep https:// | perl -pe 's#^.*https://([\w\.\-]+)(:\d+)?/.*$#\1#'`"
   	HUMANURL="`echo \"$SSLDATA\" | grep https:// | perl -pe 's#^.*(https://[\w\.\-]+(:\d+)?/).*$#\1#'`"
    else
	URL=$THISHOST
	HUMANURL=$THISHOST
    fi
 
    ISMATCH="`echo $URL | grep -cE $COMMONNAME`"
 
    # Check if we're just modifying the existing status
    if [ -n "$MODIFY" ] ; then
	[ $ISMATCH -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
	continue
    fi
 
   # Build our Xymon report
    if [ $ISMATCH -eq 1 ] ; then
	STATUS="SSL cert ok"
	COLOR="green"
	BODY="&green $HUMANURL matches certificate $COMMONNAME"
    else
	STATUS="SSL cert name MISMATCH"
	COLOR="red"
	BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
 
<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" 
    fi
 
    # Send results to Xymon
    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS}
${BODY}"
 
done
 
 
# fin
exit 0

sslcert tests that are a result of multiple SSL_enabled services tested by xymonnet should be tested individually against the URLs (or server name) in question and the worst state flagged.

Wildcards are handled via regex, however this will lead to a false negative if your wildcard is for a more root-ward subdomain. Eg, *.example.net will be seen as an acceptable common name for https://server.dc.example.net/ when it really isn't.

This was targeted mainly at https:// tests; “sslcert” results from other types of tests (imaps, smtps, pop3s, etc) are tested against the server name only. YMMV.

Suggestions?

  • 2015-11-10
    • Minor bug fixes and clean-up
  • 2012-04-27
    • update from hobbit → xymon
    • optionally use “modify” of sslcert test instead of our own status
  • 2010-08-02
    • Initial public release
  • monitors/sslname.sh.txt
  • Last modified: 2019/08/28 08:24
  • by antivirusnoeron