Hello Icinga Community,
How do you check the SSL/TLS version of your certificates? I want to create a monitoring check to notify if SSL2, SSL3, TLS1 or TLS1.1 are used. These protocols have vulnerabilities, and I want a monitoring alert if these protocols are still available for authentication on the certificate.
I tried using check_ssl_cert using the '--require-no-tls1' option but it did not provide a critical alert state when checking a certificate that has TLS1 available.
Here is the check_ssl_cert command with the "critical if TLS1 enabled" setting, and it comes back with an Okay state.
check_ssl_cert -H x.x.x.x -p 443 -s --ignore-maximum-validity --require-no-tls1 --ignore-exp --ignore-sig-alg
SSL_CERT OK - x.x.x.x:443, https, x509 self signed certificate 'x.x.x.x' from 'Cisco Systems Inc.' valid until Jan 1 00:00:01 2010 GMT
Here is the openssl command to confirm TLS1 is available.
openssl s_client -connect x.x.x.x:443 -tls1 </dev/null
CONNECTED(00000003)
depth=0 C = US, O = Cisco Systems Inc., OU = DeviceSSL (WebAdmin), CN = x.x.x.x
verify error:num=18:self signed certificate
verify return:1
A small clarification first: A TLS (formerly known as SSL) certificate is actually an X.509 certificate, being used by the TLS protocol of a certain version. Thus, the certificate itself is independent of the TLS protocol version used.
However, services speaking TLS have a version of the TLS protocol configured. One can check which versions are being supported, e.g., with the check_ssl_cert check plugin you are already using.
According to its documentation, passing the --require-no-tls1 command line argument flag results in the check going "[c]ritical if TLS 1 is offered". Having taken a short look at the implementation, this check is performed via nmap. On a setup without nmap, this flag had no effect; on another with nmap, it went CRITICAL as desired.
Unfortunately, this information is only shown in the verbose logs.
# Without nmap
./check_ssl_cert --require-no-tls1 -H google.com -p 443 -r /etc/ssl/certs/ca-certificates.crt -v
cannot find nmap: disabling connection checks and ciphers checks
The certificate for this site contains a Subject Alternative Name extension
Certificate element 1 (*.google.com) is valid for 54 days
OCSP check for element 1 OK
Certificate element 2 (WR2) is valid for 1554 days
OCSP check for element 2 OK
Certificate element 3 (GTS Root R1) is valid for 1164 days
OCSP check for element 3 OK
The certificate was successfully verified
The certificate contains signed certificate timestamps (SCT)
The certificate validity (83) is shorter then the maximum (397)
SSL_CERT OK - google.com:443, https, x509 certificate '*.google.com' (google.com) from 'Google Trust Services' valid until Jan 13 08:36:56 2025 GMT (expires in 54 days)|days_chain_elem1=54;20;15;; days_chain_elem2=1554;20;15;; days_chain_elem3=1164;20;15;;
# With nmap
./check_ssl_cert --require-no-tls1 -H google.com -p 443 -r /etc/ssl/certs/ca-certificates.crt -v
CRITICAL error: TLSv1.0 is offered
The certificate for this site contains a Subject Alternative Name extension
Certificate element 1 (*.google.com) is valid for 54 days
OCSP check for element 1 OK
Certificate element 2 (WR2) is valid for 1554 days
OCSP check for element 2 OK
Certificate element 3 (GTS Root R1) is valid for 1164 days
OCSP check for element 3 OK
The certificate was successfully verified
The certificate contains signed certificate timestamps (SCT)
The certificate validity (83) is shorter then the maximum (397)
SSL_CERT CRITICAL google.com:443: TLSv1.0 is offered|days_chain_elem1=54;20;15;; days_chain_elem2=1554;20;15;; days_chain_elem3=1164;20;15;;
Could you please verify that all necessary requirements are available and maybe post your check output with verbose (-v) information?
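An added example (not from this thread and not check_ssl_cert's own code) of the same idea without the nmap dependency: a small Python check that pins a handshake to each legacy version with the ssl module and returns Nagios/Icinga exit codes. It assumes host and port as command-line arguments and an OpenSSL build that understands the "@SECLEVEL" cipher string (1.1 or newer).

```python
#!/usr/bin/env python3
"""Icinga/Nagios-style check: CRITICAL if a server still offers TLS 1.0 or 1.1.
Assumption: versions are probed with Python's ssl module instead of nmap."""
import socket
import ssl
import sys

LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def offers_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it rejects it, None if the TCP connection itself fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE  # a self-signed cert (as in the question) must not abort us
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at security level >= 1; lower it so
        # the client side does not mask what the server actually offers.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without SECLEVEL support: keep its defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False  # handshake rejected: this version is not offered
    except OSError:
        return None   # unreachable, refused or timed out


def evaluate(results):
    """Map {version_name: True/False/None} to an (exit_code, status_line) pair."""
    if any(v is None for v in results.values()):
        return UNKNOWN, "TLS_VERSIONS UNKNOWN - connection failed"
    offered = sorted(name for name, v in results.items() if v)
    if offered:
        return CRITICAL, "TLS_VERSIONS CRITICAL - legacy protocol offered: " + ", ".join(offered)
    return OK, "TLS_VERSIONS OK - no legacy protocol offered"


def main(argv):
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 443
    results = {name: offers_version(host, port, ver) for name, ver in LEGACY.items()}
    code, line = evaluate(results)
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./check_tls_versions.py x.x.x.x 443`; the exit code (2 when TLSv1 or TLSv1.1 is offered) is what Icinga turns into the CRITICAL state.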