Home Directory Plugins Security check_cert_signing_algorithm_secure

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_cert_signing_algorithm_secure

Current Version
1.0.0
Last Release Date
2016-01-07
Compatible With
  • Nagios XI
Owner
License
GPL
Hits
6033
Files:
FileDescription
CWSI_check_cert_signing_algorithm_secure.phpCWSI_check_cert_signing_algorithm_secure.php
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
This check connects to a specified host:port with OpenSSL to determine if the signing algorithm used on the server certificate is secure.
This check connects to a specified host:port with OpenSSL to determine the signing algorithm used on the server certificate. If the signing algorithm is on your specified list of "untrusted" algorithms the check will return WARNING/CRITICAL, otherwise it will return OK.

Requires OpenSSL on the system.

Tested on NagiosXI but cannot see why it would not support any other versions.

Commands/Services you might use:
define command {
command_name CWSI_check_cert_signing_algorithm_secure
command_line /usr/local/uptime/nagios/resources/scripts/CWSI_check_cert_signing_algorithm_secure.php -H $HOSTADDRESS$ -p $ARG1$ -u $ARG2$ -f $ARG3$
}

define service {
name CWSI_check_cert_signing_algorithm_secure_service
service_description CWSI_check_cert_signing_algorithm_secure_service
check_command CWSI_check_cert_signing_algorithm_secure!443!md5WithRSAEncryption,sha1WithRSAEncryption!WARNING!!!!!
}


Full help output from the check -
CWSI_check_cert_signing_algorithm_secure.php - v1.0.0

This plugin checks that the SSL certificate presented by a host is signed with a secure algorithm

Usage: CWSI_check_cert_signing_algorithm_secure.php -h | -H -p -u -f
NOTE: -H, -p, -u, -f are all required

Options:
-h
Print this help and usage message
-H
Host to query for certificate
-p
Port on the host to query
-u
Comma separated list of untrusted signature algorithms that should cause a failure of this check, eg. md5WithRSAEncryption,sha1WithRSAEncryption
-f
The code to be returned if an untrusted algorithm is detected, must be WARNING or CRITICAL

This plugin will use the openssl service to get the expiration date for the domain name.
Example:
$./CWSI_check_cert_signing_algorithm_secure.php -H www.google.com -p 443 -u md5WithRSAEncryption,sha1WithRSAEncryption -f CRITICAL