#599 closed patch (fixed)
Munin should be able to check the Subject DN in an X.509 Certificate when doing SSL/TLS
| Reported by: | e_tews | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | Z-later |
| Component: | master | Version: | 1.3.4 |
| Severity: | major | Keywords: | ssl, tls, certificate, sdn |
| Cc: | | | |
Description
Hi
I would like to configure munin so that the SDN in an X.509 certificate is checked when doing SSL/TLS. Just having a certificate signed by a CA is not sufficient. I have written a patch for that.
The patch contains some debugging output which can be removed.
Attachments (1)
Change History (7)
Changed 5 years ago by e_tews
comment:1 Changed 4 years ago by janl
- Owner changed from nobody to kjellm
comment:2 Changed 4 years ago by janl
- Milestone set to Munin 1.4
- Type changed from enhancement to patch
comment:3 Changed 4 years ago by janl
- Milestone changed from Munin 1.4 to Munin 1.5
comment:4 Changed 3 years ago by janl
- Owner changed from kjellm to nobody
comment:5 Changed 3 years ago by snide
- Milestone changed from Munin 1.5 to Z-later
Pushing it for a later time since I don't know how to handle it for 1.5.
If someone has the skill to test/integrate the provided patch, he just has to set the correct milestone.
comment:6 Changed 3 years ago by bldewolf
- Resolution set to fixed
- Status changed from new to closed
Unfortunately, SSLeay is working against us when we try to do this. The patch that's submitted adds the code for verifying the SDN to the verify_certificate callback because that is where we can access the client certificate and choose specific fields. Unfortunately, this callback is used for both the local and remote certs, so this check could potentially fail on the local cert and mark the remote cert as untrusted.
Outside of the callback, I can't find a way to retrieve just the SDN or certain parts of the cert. I was hoping to be able to make a directive for matching just the CN, or verifying the CN matches reverse DNS, but I can't find any functions in SSLeay for inspection of certificates from the data structures available outside of the verification callback.
The best I can find is the dump certificate string, which does contain the SDN along with the Issuer DN. In r3483, I've added a directive named "tls_match" which is a regex applied to this string if it exists. In this way, one can match on the SDN. I've added more detail to the man page for munin.conf and munin-node.conf.
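As an added example (not code from the attached patch or from Munin itself), the Python below illustrates the limitation bldewolf describes: a tls_match-style regex is searched over a dump string that carries both the Subject DN and the Issuer DN, so a pattern aimed at the subject CN can be satisfied by the issuer's CN instead. Parsing the Subject line out first and applying the pattern (or an exact CN comparison) to it alone confines the check. The dump layout is assumed from Net::SSLeay::dump_peer_certificate, the sample dump is constructed, and Python's re stands in for the Perl regex the directive would use.

```python
import re
from typing import Optional

# Constructed sample dump. Layout modelled on Net::SSLeay::dump_peer_certificate()
# ("Subject Name: <oneline DN>\nIssuer  Name: <oneline DN>\n"); the exact spacing
# is an assumption, so the parser below tolerates any run of whitespace.
CERT_DUMP = (
    "Subject Name: /C=DE/O=Example Org/CN=node1.example.org\n"
    "Issuer  Name: /C=DE/O=Example CA/CN=Example CA Root\n"
)

def tls_match(dump: str, pattern: str) -> bool:
    """tls_match as comment:6 describes it: one regex searched over the whole
    dump string, which holds both the Subject DN and the Issuer DN."""
    return re.search(pattern, dump) is not None

def parse_dump(dump: str) -> dict:
    """Split the dump into its two one-line DNs, keyed 'subject' and 'issuer'."""
    names = {}
    for m in re.finditer(r"^(Subject|Issuer)\s+Name:\s*(.*)$", dump, re.MULTILINE):
        names[m.group(1).lower()] = m.group(2)
    return names

def subject_cn(dump: str) -> Optional[str]:
    """Return the CN component of the Subject DN only (None if absent).
    Caveat: the oneline format does not escape '/', so a CN containing
    a slash would be truncated at that character."""
    subject = parse_dump(dump).get("subject", "")
    m = re.search(r"/CN=([^/]*)", subject)
    return m.group(1) if m else None

def subject_matches(dump: str, pattern: str) -> bool:
    """Apply the regex to the Subject DN alone, so the Issuer DN cannot satisfy it."""
    subject = parse_dump(dump).get("subject")
    return subject is not None and re.search(pattern, subject) is not None

if __name__ == "__main__":
    # A pattern meant for the subject CN is accepted when only the issuer carries it.
    print(tls_match(CERT_DUMP, r"CN=Example CA Root"))        # True: matched the issuer
    print(subject_matches(CERT_DUMP, r"CN=Example CA Root"))  # False: confined to subject
    print(subject_cn(CERT_DUMP) == "node1.example.org")       # True: exact CN check
```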

We want this. Unfortunately it's too hard for myself to integrate it into the current trunk. Deferring.