monitors:sslname.sh

monitors:sslname.sh [2015/11/10 03:54] – Update for xymon jccleaver
monitors:sslname.sh [2015/11/10 13:12] – [Changelog] jccleaver
Line 1: Line 1:
 ====== SSL certificate name match monitor ====== ====== SSL certificate name match monitor ======
  
-^ Author | [[ jcleaver@soe.sony.com jccleaver ]] |+^ Author | [[ cleaver-xymon@terabithia.org Japheth Cleaver ]] |
 ^ Compatibility | Xymon 4.2.3 | ^ Compatibility | Xymon 4.2.3 |
 ^ Requirements | perl, unix | ^ Requirements | perl, unix |
 ^ Download | None | ^ Download | None |
-^ Last Update | 2010-08-02 |+^ Last Update | 2015-11-09 |
  
 ===== Description ===== ===== Description =====
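Review bot: the Compatibility row still reads "Xymon 4.2.3" while the rest of this revision moves the script from the bb/hobbitdboard names to xymon/xymondboard/xymoncmd, which are the names introduced with the 4.3 series; either bump the row to the Xymon 4.3 line or add a sentence saying that 4.2.x installations need the v1 (hobbit-named) script.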
Line 11: Line 11:
 Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html
  
-A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname". Wildcard certificates are taken into account, since we're matching using extended grep.+A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname", or can optionally send a 'modify' message to alter the original "sslcert" test. Wildcard certificates are taken into account, since we're matching using extended grep.
  
 ===== Installation ===== ===== Installation =====
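Review bot: the added sentence says the script "can optionally send a 'modify' message" but not how to enable that; the only switch in the script is a commented-out `# MODIFY=1`, so state here (or under Installation) that MODIFY must be non-empty in the script's environment, for example by uncommenting that line. It is also worth saying that in modify mode no separate "sslname" column is created, so anyone already alerting on that test name loses it.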
Line 33: Line 33:
         CMD /etc/xymon/ext/sslname.sh         CMD /etc/xymon/ext/sslname.sh
         LOGFILE /var/log/xymon/sslname.log         LOGFILE /var/log/xymon/sslname.log
 +        INTERVAL 5m
 </code> </code>
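Review bot: the added INTERVAL 5m is reasonable, but the task block as shown has no ENVFILE line, and the v2 script reads XYMON, XYMSRV, XYMONWEBHOST and XYMONSERVERCGIURL from its environment; unless xymonlaunch was itself started with the server environment loaded, add an ENVFILE line pointing at the server's xymonserver.cfg (path varies by install) so those variables, and the optional MODIFY switch, are defined when the task runs.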
  
Line 41: Line 42:
 <code bash sslname.sh> <code bash sslname.sh>
 #!/bin/sh #!/bin/sh
- +  
-# sslname.sh+# sslname.sh v2
  
 # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
Line 53: Line 54:
 # of another SSL service. # of another SSL service.
  
-# Japheth Cleaver <jcleaver@soe.sony.com+# Japheth Cleaver <cleaver@terabithia.org
-# No warranty. YMMV. Use at your own risk. This is not supported by my employer.+# No warranty. YMMV. Use at your own risk.
  
 +# First pass: 2010-08-02
 +# http://xymonton.org/monitors:sslname.sh
 +
 +# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify" 
 +# instead of our own status
  
 + 
 + [ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*
  
-# Set some defaults - I'm running this from hobbitlaunch, YMMV+# Set some defaults - I'm running this from xymonlaunch, YMMV
  [ -z "$TESTNAME" ] && TESTNAME=sslname  [ -z "$TESTNAME" ] && TESTNAME=sslname
- [ -z "$BBDISP" ] && BBDISP=0.0.0.0+ [ -z "$XYMSRV" ] && XYMSRV=0.0.0.0
  [ -z "$COLOR" ] && COLOR="clear"  [ -z "$COLOR" ] && COLOR="clear"
- [ -z "$BB" ]  && BB=/usr/bin/bb + [ -z "$XYMON" ]  && XYMON=/usr/bin/xymon
  
 +# Modify the sslcert test result, or create our own?
 +# MODIFY=1
 + 
 # Get a list of all valid sslcert tests # Get a list of all valid sslcert tests
- SSLHOSTS="`$BB $BBDISP \"hobbitdboard test=sslcert fields=hostname\"`"+ SSLHOSTS="`$XYMON $XYMSRV \"xymondboard test=sslcert fields=hostname\"`"
  [ -z "$SSLHOSTS" ] && exit 0  [ -z "$SSLHOSTS" ] && exit 0
- +  
 + 
 # Loop over them and compare the common name with any URL we can find # Loop over them and compare the common name with any URL we can find
  for THISHOST in $SSLHOSTS ; do  for THISHOST in $SSLHOSTS ; do
 + 
    # Return the details of this host's sslcert data, unescaping on the way    # Return the details of this host's sslcert data, unescaping on the way
-    SSLDATA="`$BB $BBDISP \"hobbitdboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" +    SSLDATA="`$XYMON $XYMSRV \"xymondboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" 
 +    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" 
 + 
    # Find the common name...    # Find the common name...
-    COMMONNAME="`echo \"$SSLDATA\" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/'`"+   # TODO: We should loop over all common names and try to figure out what the relevant URLs are below 
 +   #   For now, we sort and take the first one. 
 +    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
     if [ -z "$COMMONNAME" ] ; then     if [ -z "$COMMONNAME" ] ; then
  echo "Couldn't find a 'common name' for $THISHOST..." >&2  echo "Couldn't find a 'common name' for $THISHOST..." >&2
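Review bot: the new xymoncmd bootstrap line (`[ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*`) is missing the test brackets around `-x /usr/bin/xymoncmd`, so the shell tries to run a command named `-x`, that fails, and the exec never happens; the script then silently falls back to XYMSRV=0.0.0.0 and XYMON=/usr/bin/xymon. It should read `[ -z "$XYMON" ] && [ -x /usr/bin/xymoncmd ] && exec /usr/bin/xymoncmd "$0" "$@"` (quoting `$0` and using `"$@"` rather than `$*` keeps arguments with spaces intact). Two smaller points in the same hunk: the `grep -v issuer:` filter assumes the sslcert message prints the issuer on a line containing the literal text `issuer:`, which deserves a comment, and `sort | uniq | head -n 1` means the CN compared is the alphabetically first one rather than necessarily the subject CN; the TODO acknowledges this, but the Known Bugs section should say it too.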
Line 83: Line 96:
     fi     fi
     # echo " -- Common name for $THISHOST is '$COMMONNAME'"     # echo " -- Common name for $THISHOST is '$COMMONNAME'"
- +  
 + 
    # Isolate what hostname we were trying to access and store as URL,    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number    # if found. The HUMANURL is the full string, including any port number
-    URL="`echo \"$SSLDATA\" | grep -c https://`"+    export URL="`echo \"$SSLDATA\" | grep -c https://`"
     if [ $URL -eq 1 ] ; then     if [ $URL -eq 1 ] ; then
  # Great, a simple https address to look at  # Great, a simple https address to look at
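Review bot: `URL` is first assigned a line count (`grep -c https://`) and, judging by the `HUMANURL=$THISHOST` fallback that follows, then reused for the URL string itself; giving the count its own name (for example NHTTPS) would make the `-eq 1` test read as intended. The `export` added to that assignment has no visible consumer in this diff, so drop it unless one of the elided lines reads URL from the environment.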
Line 96: Line 109:
  HUMANURL=$THISHOST  HUMANURL=$THISHOST
     fi     fi
 + 
 +    ISMATCH="`echo $URL | grep -cE $COMMONNAME`"
  
 +    # Check if we're just modifying the existing status
 +    if [ -n "$MODIFY" ] ; then
 + [ $ISMATCH -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
 + continue
 +    fi
  
    # Build our Xymon report    # Build our Xymon report
-    if [ "`echo $URL | grep -cE $COMMONNAME`" -eq 1 ] ; then+    if [ $ISMATCH -eq 1 ] ; then
  STATUS="SSL cert ok"  STATUS="SSL cert ok"
  COLOR="green"  COLOR="green"
  BODY="&green $HUMANURL matches certificate $COMMONNAME"  BODY="&green $HUMANURL matches certificate $COMMONNAME"
- 
     else     else
  STATUS="SSL cert name MISMATCH"  STATUS="SSL cert name MISMATCH"
  COLOR="red"  COLOR="red"
  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
- +  
-<A HREF=\"$BBWEBHOST$BBSERVERCGIURL/bb-hostsvc.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" +<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" 
     fi     fi
- +  
-   # Send results to Xymon +    # Send results to Xymon 
-    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" +    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} 
-    ## echo "$BODY" | $BB $BBDISP --both "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS}" +${BODY}" 
-    $BB $BBDISP "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} + 
-$BODY+
 done done
- +  
 + 
 # fin # fin
 exit 0 exit 0
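Review bot: the new `ISMATCH` line feeds the certificate CN straight into grep as an unanchored extended regex (`grep -cE $COMMONNAME`), so every `.` matches any character and the pattern may match anywhere in the string: a CN of `example.com` accepts `https://example.com.attacker.net/` and `https://examplexcom/`, and because `*` is a regex quantifier a wildcard CN does not behave like a DNS wildcard. Build the pattern explicitly instead: escape the dots, turn a leading `*.` into `[^.]+\.` so it matches exactly one label, and anchor it against the host part of the URL rather than the whole line; that also removes the wildcard-depth problem listed under Known Bugs. Separately, in modify mode the script sends `modify ... red` only on a mismatch and nothing on a match, so how a previously flagged host clears is left entirely to xymond and the next sslcert status; document that behaviour next to the MODIFY switch so operators are not surprised by a red that lingers or vanishes without an sslname message.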
Line 130: Line 146:
 ===== Known Bugs and Issues ===== ===== Known Bugs and Issues =====
  
-This is targeted mainly at %%https://%% tests; YMMV with "sslcert" results from other types of tests (imaps, smtps, pop3s, etc).+sslcert tests that are a result of multiple SSL_enabled services tested by xymonnet should be tested individually against the URLs (or server name) in question and the worst state flagged. 
 + 
 +Wildcards are handled via regex, however this will lead to a false negative if your wildcard is for a more root-ward subdomain. Eg, *.example.net will be seen as an acceptable common name for https://server.dc.example.net/ when it really isn't. 
 + 
 +This was targeted mainly at %%https://%% tests; "sslcert" results from other types of tests (imaps, smtps, pop3s, etc) are tested against the server name only. YMMV.
  
 ===== To Do ===== ===== To Do =====
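Review bot: the wildcard paragraph describes the right symptom (`*.example.net` accepted for `https://server.dc.example.net/`) but the cause is that `*` is handled as a regex quantifier rather than as a single DNS label; under the usual wildcard rule `*` stands for exactly one label, so translating `*.` to `[^.]+\.` before matching fixes this rather than leaving it as a known limitation. Also "SSL_enabled" should read "SSL-enabled", and the first paragraph reads better as "should be tested individually against each URL (or server name) in question, with the worst state flagged".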
Line 139: Line 159:
  
 ===== Changelog ===== ===== Changelog =====
 +
 +  * **2015-11-10**
 +    * Minor bug fixes and clean-up
 +
 +  * **2012-04-27**
 +    * update from hobbit -> xymon
 +    * optionally use "modify" of sslcert test instead of our own status
  
   * **2010-08-02**   * **2010-08-02**
     * Initial public release     * Initial public release
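Review bot: the 2015-11-10 entry ("Minor bug fixes and clean-up") does not say what changed, while the header comment in the script stops at "v2 2012-04-27"; list the actual fixes visible in this diff (the `issuer:` filter and `sort | uniq | head -n 1` CN selection, the xymoncmd bootstrap line, the shared ISMATCH variable, and moving THISCOMMA up before the MODIFY branch) and add a matching dated line to the script header so the two histories agree.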
  
  • monitors/sslname.sh.txt
  • Last modified: 2019/08/28 08:24
  • by antivirusnoeron