Check SSL altname too

diff --git a/status/CHANGELOG b/status/CHANGELOG
index 08da6ab..3814ebb 100644 (file)
--- a/status/CHANGELOG
+++ b/status/CHANGELOG
@@ -75,3 +75,5 @@ The Check File or Directory monitor can now use a pattern like /tmp/* to check s
 Added a monitor-level option to run a command if the monitor times out.
 ---- Changes since 1.520 ----
 Enhanced the free memory monitor to be able to check virtual memory as well.
+---- Changes since 1.530 ----
+Update the SSL certificate monitor to check alternate names as well when looking for hostname mismatches.

diff --git a/status/sslcert-monitor.pl b/status/sslcert-monitor.pl
index 97e2cc9..093b44b 100755 (executable)
--- a/status/sslcert-monitor.pl
+++ b/status/sslcert-monitor.pl
@@ -68,7 +68,25 @@ elsif ($_[0]->{'mismatch'} && $_[0]->{'url'} &&
        local $cn = $1;
        local $match = $1;
        $match =~ s/\*/\.\*/g;  # Make perl RE
-       if ($host !~ /^$match$/i) {
+       local @matches = ( $match );
+       if ($info =~ /Subject\s+Alternative\s+Name.*\r?\n\s*(.*)\n/) {
+               # Add UCC alternate names
+               local $alts = $1;
+               $alts =~ s/^\s+//;
+               $alts =~ s/\s+$//;
+               foreach my $a (split(/[, ]+/, $alts)) {
+                       if ($a =~ /^DNS:(\S+)/) {
+                               $match = $1;
+                               $match =~ s/\*/\.\*/g;  # Make perl RE
+                               push(@matches, $match);
+                               }
+                       }
+               }
+       local $ok = 0;
+       foreach $match (@matches) {
+               $ok++ if ($host =~ /^$match$/i);
+               }
+       if (!$ok) {
                $desc = &text('sslcert_ematch', "<tt>$host</tt>",
                              "<tt>$cn</tt>");
                }