Differences

This shows you the differences between two versions of the page.

--- monitors:sslname.sh [2015/11/10 03:55] – Updated to v2 - hobbit -> xymon and allow modify of existing test jccleaver
+++ monitors:sslname.sh [2015/11/10 13:12] – [Changelog] jccleaver
@@ Line 1: / Line 1: @@
 ====== SSL certificate name match monitor ======
-^ Author | [[ jcleaver@soe.sony.com | jccleaver ]] |
+^ Author | [[ cleaver-xymon@terabithia.org | Japheth Cleaver ]] |
 ^ Compatibility | Xymon 4.2.3 |
 ^ Requirements | perl, unix |
 ^ Download | None |
-^ Last Update | 2010-08-02 |
+^ Last Update | 2015-11-09 |
 ===== Description =====
@@ Line 11: / Line 11: @@
 Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html
-A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname". Wildcard certificates are taken into account, since we're matching using extended grep.
+A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname", or can optionally send a 'modify' message to alter the original "sslcert" test. Wildcard certificates are taken into account, since we're matching using extended grep.
 ===== Installation =====
@@ Line 33: / Line 33: @@
         CMD /etc/xymon/ext/sslname.sh
         LOGFILE /var/log/xymon/sslname.log
+        INTERVAL 5m
 </code>
@@ Line 89: / Line 90: @@
    # TODO: We should loop over all common names and try to figure out what the relevant URLs are below
    #   For now, we sort and take the first one.
-    COMMONNAME="`echo \"$SSLDATA\" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
+    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
     if [ -z "$COMMONNAME" ] ; then
 	echo "Couldn't find a 'common name' for $THISHOST..." >&2
@@ Line 145: / Line 146: @@
 ===== Known Bugs and Issues =====
-This is targeted mainly at %%https://%% tests; YMMV with "sslcert" results from other types of tests (imaps, smtps, pop3s, etc).
+sslcert tests that are a result of multiple SSL_enabled services tested by xymonnet should be tested individually against the URLs (or server name) in question and the worst state flagged.
+Wildcards are handled via regex, however this will lead to a false negative if your wildcard is for a more root-ward subdomain. Eg, *.example.net will be seen as an acceptable common name for https://server.dc.example.net/ when it really isn't.
+This was targeted mainly at %%https://%% tests; "sslcert" results from other types of tests (imaps, smtps, pop3s, etc) are tested against the server name only. YMMV.
 ===== To Do =====
@@ Line 154: / Line 159: @@
 ===== Changelog =====
+  * **2015-11-10**
+    * Minor bug fixes and clean-up
+  * **2012-04-27**
+    * update from hobbit -> xymon
+    * optionally use "modify" of sslcert test instead of our own status
   * **2010-08-02**
     * Initial public release