SSL certificate name match monitor

Author jccleaver
Compatibility Xymon 4.2.3
Requirements perl, unix
Download None
Last Update 2010-08-02

Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html

A small script that walks the “sslcert” tests and tries to verify that the common name (“CN=”) in the certificate the server presented matches the URL that we tried to reach (e.g. https://secure.example.com/). It reports the status under a new test name, “sslname”. Wildcard certificates (“*.example.com”) are taken into account, since the comparison is done with extended grep.

Client side

No change needed.

Server side

1. Copy the script into the ext/ directory (or wherever you're storing external scripts) and edit your tasks.cfg file by adding a new block:

# "sslname" runs the ssl certificate checker to verify that sslcert test results match
# the URL we tried to access
# 

[sslname]
        ENVFILE /etc/xymon/xymonserver.cfg
        NEEDS xymond
        CMD /etc/xymon/ext/sslname.sh
        LOGFILE /var/log/xymon/sslname.log

sslname.sh
#!/bin/sh

# sslname.sh
#
# Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
# check Xymon does using a built-in (probably https, but also things like imaps)
#
# After getting this list, we go through each one looking for the common
# name that the certificate responded with, verifying that it matched the
# url we were trying to reach in the originating test. Normally this means
# the address for the http test, but it could be just the hostname in the event
# of another SSL service.
#
# Japheth Cleaver <jcleaver@soe.sony.com>
# No warranty. YMMV. Use at your own risk. This is not supported by my employer.
#


# Set some defaults - I'm running this from hobbitlaunch, YMMV
[ -z "$TESTNAME" ] && TESTNAME=sslname
[ -z "$BBDISP" ]   && BBDISP=0.0.0.0
[ -z "$COLOR" ]    && COLOR="clear"
[ -z "$BB" ]       && BB=/usr/bin/bb


# Get a list of all valid sslcert tests
SSLHOSTS=$($BB $BBDISP "hobbitdboard test=sslcert fields=hostname")
[ -z "$SSLHOSTS" ] && exit 0


# Loop over them and compare the common name with any URL we can find
for THISHOST in $SSLHOSTS ; do

    # Return the details of this host's sslcert data, undoing the HTML
    # entities and the literal "\n" sequences hobbitdboard uses on the way
    SSLDATA=$($BB $BBDISP "hobbitdboard host=^$THISHOST test=sslcert fields=hostname,msg" \
              | perl -pe 's/&gt;/>/g; s/&lt;/</g; s/&amp;/&/g; s/\\n/\n/g;')

    # Find the common name...
    COMMONNAME=$(echo "$SSLDATA" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/$1/')
    if [ -z "$COMMONNAME" ] ; then
        echo "Couldn't find a 'common name' for $THISHOST..." >&2
        continue
    fi
    # echo " -- Common name for $THISHOST is '$COMMONNAME'"


    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number
    URL=$(echo "$SSLDATA" | grep -c https://)
    if [ "$URL" -eq 1 ] ; then
        # Great, a simple https address to look at
        URL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*https://([\w\.\-]+)(:\d+)?/.*$#$1#')
        HUMANURL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*(https://[\w\.\-]+(:\d+)?/).*$#$1#')
    else
        URL=$THISHOST
        HUMANURL=$THISHOST
    fi


    # Build our Xymon report. The common name is turned into an anchored
    # regex first: dots are literal, a "*" wildcard stands for one DNS label,
    # and the comparison is case-insensitive. Both sides are quoted so a "*"
    # in the certificate name is never expanded as a shell glob.
    CNREGEX="^$(echo "$COMMONNAME" | sed -e 's/\./\\./g' -e 's/\*/[^.]+/g')\$"
    if [ "$(echo "$URL" | grep -ciE "$CNREGEX")" -eq 1 ] ; then
        STATUS="SSL cert ok"
        COLOR="green"
        BODY="&green $HUMANURL matches certificate $COMMONNAME"

    else
        STATUS="SSL cert name MISMATCH"
        COLOR="red"
        BODY="&red $HUMANURL does NOT match certificate $COMMONNAME

<A HREF=\"$BBWEBHOST$BBSERVERCGIURL/bb-hostsvc.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>"

    fi

    # Send results to Xymon (status messages want the dots in the hostname as commas)
    THISCOMMA=$(echo "$THISHOST" | sed -e 's/\./,/g')
    ## echo "$BODY" | $BB $BBDISP --both "status ${THISCOMMA}.${TESTNAME} ${COLOR} $(date) - ${STATUS}"
    $BB $BBDISP "status ${THISCOMMA}.${TESTNAME} ${COLOR} $(date) - ${STATUS}
$BODY"

done


# fin
exit 0

This is targeted mainly at https:// tests; YMMV with “sslcert” results from other types of tests (imaps, smtps, pop3s, etc).
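The comparison the monitor makes is easier to reason about in isolation, so here is an added example that is not part of sslname.sh or of Xymon: a stand-alone version of the CN-versus-hostname check, run over two constructed “sslcert” messages (one https test with a wildcard certificate, one imaps test with no URL, which exercises the hostname fallback). The message layout, with the subject line before the issuer line, and the function names are assumptions made for the demo. The wildcard rule shown is the usual one: a leading “*.” covers exactly one DNS label.

```shell
#!/bin/sh
# Added example, not the page's script or Xymon code: the name comparison
# sslname.sh performs, with a constructed sample so each branch can be seen.

# Constructed sample messages in the HTML-escaped single-line form the script
# gets from "hobbitdboard ... fields=hostname,msg" (literal \n separators).
# Subject-before-issuer ordering is an assumption for the demo.
SAMPLE_HTTPS='green https://secure.example.com:8443/ - certificate ok\nsubject: /C=US/O=Example/CN=*.example.com\nissuer: /C=US/O=Example CA/CN=Example Root CA'
SAMPLE_IMAPS='green imaps ok\nsubject: /C=US/O=Example/CN=mail.example.org'

# Undo the escaping the same way the script does: expand literal \n
# sequences and the HTML entities hobbitdboard applies.
unescape_msg() {
    printf '%b\n' "$1" | sed -e 's/&gt;/>/g' -e 's/&lt;/</g' -e 's/&amp;/\&/g'
}

# First CN= value in the message (the subject line in the sample above).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^.*CN=\([A-Za-z0-9.*-]*\).*$/\1/p' | head -n 1
}

# Host part of the first https:// URL, port stripped; when the message has
# no URL (imaps, smtps, ...) fall back to the Xymon hostname like the script.
target_host() {   # $1 = unescaped message, $2 = Xymon hostname
    h=$(printf '%s\n' "$1" | sed -n 's#^.*https://\([A-Za-z0-9.-]*\)\(:[0-9]*\)*/.*$#\1#p' | head -n 1)
    if [ -n "$h" ]; then printf '%s\n' "$h"; else printf '%s\n' "$2"; fi
}

# Does hostname $1 fall under common name $2?  A leading "*." covers exactly
# one DNS label (so *.example.com covers secure.example.com but neither
# example.com nor a.b.example.com); anything else must match exactly.
# DNS names are case-insensitive, so both sides are lower-cased first.
cn_matches() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cn" in
        \*.*)
            suffix=${cn#\*}            # "*.example.com" -> ".example.com"
            label=${host%"$suffix"}    # strip that suffix, keep the leading label
            # something must have been stripped, and what is left is one label
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "$label" = "${label#*.}" ]
            ;;
        *)
            [ "$host" = "$cn" ]
            ;;
    esac
}

# One line in the script's own report style.
check_msg() {   # $1 = escaped message, $2 = Xymon hostname
    m=$(unescape_msg "$1")
    c=$(subject_cn "$m")
    t=$(target_host "$m" "$2")
    if cn_matches "$t" "$c"; then
        printf '%s\n' "green $t matches $c"
    else
        printf '%s\n' "red $t does NOT match $c"
    fi
}

check_msg "$SAMPLE_HTTPS" secure.example.com   # green secure.example.com matches *.example.com
check_msg "$SAMPLE_IMAPS" mail.example.org     # green mail.example.org matches mail.example.org
check_msg "$SAMPLE_IMAPS" mail.example.net     # red mail.example.net does NOT match mail.example.org
```

The point of `cn_matches` is that the certificate name is never handed to grep as a pattern: a CN containing regex metacharacters or an unquoted `*` would otherwise be interpreted by grep or expanded by the shell, and a single-label wildcard rule keeps `*.example.com` from vouching for deeper or unrelated names.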

Suggestions?

  • 2010-08-02
    • Initial public release

Last modified: 2015/11/10 03:54 by jccleaver