
Add riemann-tls-check to monitor TLS certificates #253

Draft pull request: wants to merge 1 commit into base: main

Conversation

smortex (Collaborator) commented Nov 11, 2022

Add a riemann-tls-check that accepts a list of URIs of resources to check TLS certificates.

For each URI, resolve the IP addresses that provide the service, and for each IP address perform a TLS handshake and generate events from the certificate:

  1. availability: 🆗/💥 global status of all the following metrics + reachability;
  2. not after: 🆗/💥 + 📉 number of seconds until the certificate is expired;
  3. not before: 🆗/💥 + 📈 number of seconds since the certificate is valid;
  4. identity: 🆗/💥 certificate subject matches the URI hostname;
  5. trust: 🆗/💥 validity of the certificate trust chain;
  6. OCSP status: 🆗/💥 validity of the OCSP status if applicable.

A STARTTLS handshake is automatically done for imap://, ldap:// and smtp:// URIs.

A protocol specific handshake is done for mysql:// and postgres:// URIs.

Limitations

The required API in OpenSSL to check for OCSP Stapling is not currently part of the openssl gem, so this cannot be tested at the moment: ruby/openssl#401
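As an added illustration of the per-certificate events listed above (this is not code from the PR or from riemann-tools), the snippet below builds the "not after", "not before", "identity" and "trust" events plus the "availability" roll-up from one certificate. A constructed self-signed certificate stands in for the one a real handshake would return, the service names and the "ok"/"critical" states are assumptions, and the OCSP event is left out for the reason given under Limitations.

```ruby
require 'openssl'

# Constructed sample certificate (self-signed, SAN = hostname); in the real
# check this would come from the TLS handshake with each resolved address.
def sample_certificate(hostname, not_before:, not_after:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Turn one certificate into Riemann-style events following the PR's list:
# "not after" / "not before" carry a metric in seconds, "identity" and
# "trust" only a state, and "availability" rolls up all of them.
# verify_result is the OpenSSL verify code of the handshake
# (OpenSSL::X509::V_OK when the chain validated). OCSP is not covered.
def certificate_events(cert, hostname, verify_result, now: Time.now)
  until_expiry = (cert.not_after - now).to_i
  since_valid  = (now - cert.not_before).to_i
  identity_ok  = OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  trust_ok     = verify_result == OpenSSL::X509::V_OK
  state = ->(ok) { ok ? 'ok' : 'critical' }

  events = [
    { service: 'not after',  state: state[until_expiry > 0], metric: until_expiry },
    { service: 'not before', state: state[since_valid >= 0], metric: since_valid },
    { service: 'identity',   state: state[identity_ok] },
    { service: 'trust',      state: state[trust_ok] },
  ]
  all_ok = events.all? { |e| e[:state] == 'ok' }
  [{ service: 'availability', state: state[all_ok] }] + events
end

if __FILE__ == $PROGRAM_NAME
  now  = Time.now
  cert = sample_certificate('example.com', not_before: now - 86_400, not_after: now + 30 * 86_400)
  certificate_events(cert, 'example.com', OpenSSL::X509::V_OK, now: now).each { |e| p e }
end
```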

@smortex smortex added the enhancement (New feature or request) label Nov 11, 2022
@smortex smortex changed the title "Add riemann-tls-check to monitor TLS resources" to "Add riemann-tls-check to monitor TLS certificates" Dec 2, 2022
@smortex smortex mentioned this pull request May 22, 2023
@smortex smortex force-pushed the tls branch 2 times, most recently from 4c06573 to fa8f899 May 31, 2024 01:50
Add a riemann-tls-check that accepts a list of URIs of resources to check
TLS certificates. For each URI, resolve the IP addresses that provide
the service, and for each IP address generate 6 events for:

1. availability: state (reachability + status of all the following
   metrics);
2. not after: state + metric (number of seconds until the certificate is
   expired);
3. not before: state + metric (number of seconds since the certificate
   is valid);
4. identity: state (certificate subject matches the URI hostname);
5. trust: state (validity of the certificate trust chain);
6. OCSP status: state (validity of the OCSP status if applicable).

A STARTTLS handshake is automatically done for imap://, ldap:// and
smtp://; a protocol specific handshake is done for mysql:// and
postgres:// URIs.