Checking HTTPS SSL / TLS Protocols with CheckMK

Hi there,
It is often the case that we have to monitor HTTPS pages and need to know, for example, that TLS 1.0 is disabled and TLS 1.2 is enabled. So it would be awesome if there were a check where we can simply specify the port and the allowed protocols and ciphers for TLS. If they don't match = Warning.

With check_mk's built-in tools this is, I guess, not possible, right? I already have check_ssl_cert in production (GitHub - matteocorti/check_ssl_cert: A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.), which is a lot more powerful for HTTPS checks, as it also checks for correct intermediate certificates and more granular stuff.
But this does not help in the case specified above.
I also have the ssllabs plugin active, for external pages.

For internal cases we're good with GitHub - rbsec/sslscan: sslscan tests SSL/TLS enabled services to discover supported cipher suites, but I can't embed this into Checkmk :)

Maybe some of you have some ideas how to check for those tls settings with checkmk?

Kind regards,
Constantin

Have you tried forcing the version that you want to evaluate?

image

If the specified version is not being used, an error should be generated.
You could monitor the same URL several times using different values in that field, and in the service name you could add the version that is being utilized.

Thanks for the hint - but this means that we need to do, for example, at least 4 checks per HTTP service to be sure that SSLv3, SSLv2, TLSv1 and TLS v1.1 are disabled, right? That makes it a bit messy :-/

It depends. If your URLs don't contain a URI, you could create those 4 checks and point to a folder.
Then you could create hosts using the URL of your sites and use $HOSTNAME$ in the service name. Another alternative is to create a script using check_http and reading the URLs from a list.
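
An added example, not part of any post in this thread: one way to fold the per-version probes discussed above into a single service is a Checkmk local check that pins a handshake to each TLS version and compares the result with a policy. The `ALLOWED` policy, the function names and the service name are assumptions for illustration; it uses Python's standard `ssl` module rather than check_http.

```python
#!/usr/bin/env python3
"""Checkmk local check: compare accepted TLS versions against a policy."""
import socket
import ssl
import sys

ALLOWED = {"TLSv1.2", "TLSv1.3"}   # assumed policy; everything else must be refused
VERSIONS = {                        # SSLv2/SSLv3 are left to sslscan: current
    "TLSv1.0": ssl.TLSVersion.TLSv1,        # OpenSSL builds usually cannot offer them
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # protocol test only; certificate
    ctx.verify_mode = ssl.CERT_NONE      # validation stays with check_ssl_cert
    ctx.set_ciphers("ALL:@SECLEVEL=0")   # or the local library blocks TLS 1.0/1.1
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionError):
            return False                 # handshake refused for this version

def evaluate(results, allowed=ALLOWED):
    """Map {version: accepted} to (state, text); any mismatch is WARN (1)."""
    forbidden = sorted(v for v, ok in results.items() if ok and v not in allowed)
    missing = sorted(v for v in allowed if not results.get(v, False))
    if not forbidden and not missing:
        return 0, "accepted: " + ", ".join(sorted(allowed))
    parts = []
    if forbidden:
        parts.append("forbidden but accepted: " + ", ".join(forbidden))
    if missing:
        parts.append("required but refused: " + ", ".join(missing))
    return 1, "; ".join(parts)

def local_check_line(host, port, state, text):
    """Format one line of Checkmk local check output (no metrics)."""
    return f"{state} TLS_protocols_{host}_{port} - {text}"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    try:
        state, text = evaluate({n: probe(host, port, v) for n, v in VERSIONS.items()})
    except (OSError, ValueError) as exc:   # unreachable host or unsupported version
        state, text = 3, f"probe failed: {exc}"
    print(local_check_line(host, port, state, text))
```

A "refused" result is only meaningful if the monitoring host's own OpenSSL build can still offer that version, so confirm this once against a test server known to accept TLS 1.0.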

I am just leaving this here:
