When created, this object adds the 'Certificate Expiration Monitor', 'Allowed SSL Protocol Monitor', 'Certificate Policy Monitor', 'Certificate Validity Monitor', 'Disabled SSL Protocols Monitor' and 'Weak Certificate Hash Signature Algorithm Monitor' monitors. Note that the certificate expiration warning threshold is set in monitor overrides, not in an object property; the default threshold is 15 days. The 'Collect Performance Data' option is not supported.
This object tries to establish a secure connection to the destination and collects information about the connection type and the remote server certificate. No payload data is sent or received during the test; however, the test does generate some traffic to negotiate encryption and retrieve the remote certificate. The test makes several connection attempts in a row to determine all available SSL/TLS versions (from SSL 2 to TLS 1.3).
Collect Performance Data is supported: NO
Monitor/Rule | Name | Has Threshold | Alert Suppression
---|---|---|---
Monitor | Allowed SSL Protocol Monitor | No | Not Supported
Monitor | Certificate Expiration Monitor | Yes | Not Supported
Monitor | Certificate Policy Monitor | No | Not Supported
Monitor | Certificate Validity Monitor | No | Not Supported
Monitor | Disabled SSL Protocols Monitor | No | Not Supported
Monitor | Weak Certificate Hash Signature Algorithm Monitor | No | Not Supported
During this operation, the test object tries to establish a secure connection to the remote server defined by the corresponding destination's FQDN. It tries every SSL/TLS version available (from SSL 2 to TLS 1.3 in the current implementation). All connection results are recorded and compared to the 'Allowed SSL Protocols' and 'Disabled SSL Protocols' test object properties. At the end of the operation, the remote server certificate properties are tested, including the certificate's Not Before and Not After timestamps and its signature hash algorithm.
If at least one of the protocols listed in the 'Disabled SSL Protocols' property is supported, the 'Disabled SSL Protocols Monitor' monitor turns to WARNING state.
If none of the protocols listed in the 'Allowed SSL Protocols' property is supported, the 'Allowed SSL Protocol Monitor' monitor turns to WARNING state.
The certificate's Not Before and Not After timestamps are compared with the current UTC date: the 'Certificate Expiration Monitor' monitor turns to WARNING state if the certificate is about to expire (within the threshold set in monitor overrides, 15 days by default) and to CRITICAL state if it has already expired.
If the hash algorithm used to sign the remote server certificate is listed in the 'Disabled Hash List' property, the 'Weak Certificate Hash Signature Algorithm Monitor' monitor turns to WARNING state.
When a secure connection is negotiated, the system may report breaches of the security policy defined at OS level. The test object overrides any policy warning and allows the connection to proceed; however, all policy errors are recorded and alerted on.
If any policy errors are reported by .NET/OS during this phase, the 'Certificate Policy Monitor' monitor turns to WARNING state.
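The probe-and-evaluate sequence above, written out as an added example in C#. This is not the management pack's own code: it assumes .NET 6 or later, the names SslProbeResult, SslTest and MonitorState are illustrative, the host and port come from the command line, and the warningDays parameter stands in for the monitor override (15 days by default). The protocol and hash lists are the default property values documented on this page (Tls11|Tls12|Tls13, Ssl2|Ssl3, sha1RSA).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not the management pack's own code. Assumes .NET 6+.
public enum MonitorState { Healthy, Warning, Critical }

public sealed class SslProbeResult
{
    public HashSet<SslProtocols> Supported { get; } = new HashSet<SslProtocols>();
    public List<SslPolicyErrors> PolicyErrors { get; } = new List<SslPolicyErrors>();
    public X509Certificate2 Certificate { get; set; }          // from the first successful handshake
}

public static class SslTest
{
    // One handshake per version, newest first, so the certificate kept for the later
    // checks comes from the strongest negotiable connection.
    static readonly SslProtocols[] AllVersions =
    {
        SslProtocols.Tls13, SslProtocols.Tls12, SslProtocols.Tls11,
        SslProtocols.Tls, SslProtocols.Ssl3, SslProtocols.Ssl2,
    };

    // Splits "Tls11|Tls12|Tls13" (',' and ';' are accepted as well) into enum values.
    public static IEnumerable<SslProtocols> ParseProtocols(string list) =>
        SplitList(list).Select(s => (SslProtocols)Enum.Parse(typeof(SslProtocols), s, ignoreCase: true));

    static IEnumerable<string> SplitList(string list) =>
        (list ?? "").Split(new[] { ',', ';', '|' }, StringSplitOptions.RemoveEmptyEntries).Select(s => s.Trim());

    public static async Task<SslProbeResult> ProbeAsync(string host, int port)
    {
        var result = new SslProbeResult();
        foreach (var version in AllVersions)
        {
            try
            {
                using var tcp = new TcpClient();
                await tcp.ConnectAsync(host, port);
                // Like the test object: accept the connection regardless of OS policy errors,
                // but record them so the 'Certificate Policy Monitor' can alert on them.
                using var tls = new SslStream(tcp.GetStream(), false, (sender, cert, chain, errors) =>
                {
                    if (errors != SslPolicyErrors.None) result.PolicyErrors.Add(errors);
                    return true;
                });
                await tls.AuthenticateAsClientAsync(host, null, version, checkCertificateRevocation: false);
                result.Supported.Add(version);
                if (result.Certificate == null && tls.RemoteCertificate != null)
                    result.Certificate = new X509Certificate2(tls.RemoteCertificate);
            }
            catch (Exception ex) when (ex is IOException || ex is AuthenticationException || ex is SocketException
                                    || ex is NotSupportedException || ex is PlatformNotSupportedException
                                    || ex is ArgumentException)
            {
                // The server (or the local TLS stack) refused this version: treated as not supported.
            }
        }
        return result;
    }

    public static MonitorState DisabledProtocolsMonitor(SslProbeResult r, string disabledList) =>
        ParseProtocols(disabledList).Any(r.Supported.Contains) ? MonitorState.Warning : MonitorState.Healthy;

    public static MonitorState AllowedProtocolMonitor(SslProbeResult r, string allowedList) =>
        ParseProtocols(allowedList).Any(r.Supported.Contains) ? MonitorState.Healthy : MonitorState.Warning;

    public static MonitorState PolicyMonitor(SslProbeResult r) =>
        r.PolicyErrors.Count > 0 ? MonitorState.Warning : MonitorState.Healthy;

    // warningDays stands in for the monitor override. A certificate that is not yet valid is
    // treated like an expired one here; that is an assumption, the page does not say.
    public static MonitorState ExpirationMonitor(X509Certificate2 cert, DateTime utcNow, int warningDays = 15)
    {
        DateTime notBefore = cert.NotBefore.ToUniversalTime(), notAfter = cert.NotAfter.ToUniversalTime();
        if (utcNow < notBefore || utcNow >= notAfter) return MonitorState.Critical;
        return notAfter - utcNow <= TimeSpan.FromDays(warningDays) ? MonitorState.Warning : MonitorState.Healthy;
    }

    // FriendlyName yields the names the 'Disabled Hash List' expects, e.g. "sha1RSA" or "sha256RSA".
    public static MonitorState WeakHashMonitor(X509Certificate2 cert, string disabledHashList) =>
        SplitList(disabledHashList).Contains(cert.SignatureAlgorithm.FriendlyName, StringComparer.OrdinalIgnoreCase)
            ? MonitorState.Warning : MonitorState.Healthy;

    public static async Task Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.com";   // example.com is a placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        var r = await ProbeAsync(host, port);
        Console.WriteLine($"Supported versions: {string.Join(", ", r.Supported)}");
        Console.WriteLine($"Disabled SSL Protocols Monitor: {DisabledProtocolsMonitor(r, "Ssl2|Ssl3")}");
        Console.WriteLine($"Allowed SSL Protocol Monitor:   {AllowedProtocolMonitor(r, "Tls11|Tls12|Tls13")}");
        Console.WriteLine($"Certificate Policy Monitor:     {PolicyMonitor(r)}");
        if (r.Certificate is X509Certificate2 cert)
        {
            Console.WriteLine($"Certificate Expiration Monitor: {ExpirationMonitor(cert, DateTime.UtcNow)} (NotAfter {cert.NotAfter:u})");
            Console.WriteLine($"Weak Certificate Hash Monitor:  {WeakHashMonitor(cert, "sha1RSA")} ({cert.SignatureAlgorithm.FriendlyName})");
        }
    }
}
```

Two caveats when reading the result. Ssl2, Ssl3, Tls and Tls11 are marked obsolete in current .NET and the local TLS stack may refuse to offer them at all, so a version missing from Supported means "not negotiable from this probe host", not necessarily "disabled on the server"; run the probe from a host whose stack can still speak the old versions if you need that distinction. And the validation callback returning true is what lets the probe record policy errors instead of failing the handshake; it must never be copied into code that actually sends data over the connection.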
At the final stage, the test object tries to build the certificate chain and validate the certificate. The following properties can be tuned to enable or disable particular validation aspects:
Property Name | Property Description |
---|---|
Allow Unknown Certificate Authority | Ignore that the chain cannot be verified due to an unknown certificate authority (CA). |
Application Policy OIDs | Collection of object identifiers (OIDs) specifying which application policies or enhanced key usages (EKUs) the certificate must support. |
Certificate Policy OIDs | Collection of object identifiers (OIDs) specifying which certificate policies the certificate must support. |
Ignore Certificate Authority Revocation Unknown | Ignore that the certificate authority revocation is unknown when determining certificate verification. |
Ignore CTL Not Time Valid | Ignore that the certificate trust list (CTL) is not valid, for reasons such as the CTL has expired, when determining certificate verification. |
Ignore CTL Signer Revocation Unknown | Ignore that the certificate trust list (CTL) signer revocation is unknown when determining certificate verification. |
Ignore End Revocation Unknown | Ignore that the end certificate (the user certificate) revocation is unknown when determining certificate verification. |
Ignore Invalid Basic Constraints | Ignore that the basic constraints are not valid when determining certificate verification. |
Ignore Invalid Name | Ignore that the certificate has an invalid name when determining certificate verification. |
Ignore Invalid Policy | Ignore that the certificate has invalid policy when determining certificate verification. |
Ignore Not Time Nested | Ignore that the CA (certificate authority) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA cert can be valid from January 1 to December 1 and the issued certificate from January 2 to December 2, which would mean the validity periods are not nested. |
Ignore Not Time Valid | Ignore certificates in the chain that are not valid either because they have expired or they are not yet in effect when determining certificate validity. |
Ignore Root Revocation Unknown | Ignore that the root revocation is unknown when determining certificate verification. |
Ignore Wrong Usage | Ignore that the certificate was not issued for the current use when determining certificate verification. |
If the built certificate chain has any issues (excluding aspects disabled or altered using the properties above), the 'Certificate Validity Monitor' monitor turns to WARNING state.
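The final stage as an added C# example (not the management pack's own code). It maps each boolean property from the table above onto the X509VerificationFlags member with the same name, applies the OID lists to X509ChainPolicy.ApplicationPolicy and CertificatePolicy, and returns the chain statuses that survive the configured flags. It assumes .NET 6 or later; ChainOptions and ChainValidation are illustrative names, and mapping 'Ignore Revocation Check' to X509RevocationMode.NoCheck versus Online is an assumption (the class definition below only says the property corresponds to X509ChainPolicy.RevocationMode).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the management pack's own code. Assumes .NET 6+.
// Each bool mirrors one property from the validation table; the field names are the property IDs.
public sealed class ChainOptions
{
    public bool IgnoreRevocationCheck;
    public bool AllowUnknownCertificateAuthority, IgnoreCertificateAuthorityRevocationUnknown,
                IgnoreCtlNotTimeValid, IgnoreCtlSignerRevocationUnknown, IgnoreEndRevocationUnknown,
                IgnoreInvalidBasicConstraints, IgnoreInvalidName, IgnoreInvalidPolicy,
                IgnoreNotTimeNested, IgnoreNotTimeValid, IgnoreRootRevocationUnknown, IgnoreWrongUsage;
    public string ApplicationPolicyOids = "";   // e.g. "1.3.6.1.5.5.7.3.1" (id-kp-serverAuth)
    public string CertificatePolicyOids = "";
}

public static class ChainValidation
{
    static readonly char[] Separators = { ',', ';', '|' };

    // Every property maps 1:1 onto the X509VerificationFlags member of the same name.
    public static X509VerificationFlags ToFlags(ChainOptions o)
    {
        var f = X509VerificationFlags.NoFlag;
        if (o.AllowUnknownCertificateAuthority)            f |= X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (o.IgnoreCertificateAuthorityRevocationUnknown) f |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
        if (o.IgnoreCtlNotTimeValid)                       f |= X509VerificationFlags.IgnoreCtlNotTimeValid;
        if (o.IgnoreCtlSignerRevocationUnknown)            f |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
        if (o.IgnoreEndRevocationUnknown)                  f |= X509VerificationFlags.IgnoreEndRevocationUnknown;
        if (o.IgnoreInvalidBasicConstraints)               f |= X509VerificationFlags.IgnoreInvalidBasicConstraints;
        if (o.IgnoreInvalidName)                           f |= X509VerificationFlags.IgnoreInvalidName;
        if (o.IgnoreInvalidPolicy)                         f |= X509VerificationFlags.IgnoreInvalidPolicy;
        if (o.IgnoreNotTimeNested)                         f |= X509VerificationFlags.IgnoreNotTimeNested;
        if (o.IgnoreNotTimeValid)                          f |= X509VerificationFlags.IgnoreNotTimeValid;
        if (o.IgnoreRootRevocationUnknown)                 f |= X509VerificationFlags.IgnoreRootRevocationUnknown;
        if (o.IgnoreWrongUsage)                            f |= X509VerificationFlags.IgnoreWrongUsage;
        return f;
    }

    public static X509ChainPolicy BuildPolicy(ChainOptions o)
    {
        var policy = new X509ChainPolicy
        {
            // Assumption: Online when revocation is checked; the page only names RevocationMode.
            RevocationMode = o.IgnoreRevocationCheck ? X509RevocationMode.NoCheck : X509RevocationMode.Online,
            VerificationFlags = ToFlags(o),
        };
        foreach (var oid in Split(o.ApplicationPolicyOids)) policy.ApplicationPolicy.Add(new Oid(oid));
        foreach (var oid in Split(o.CertificatePolicyOids)) policy.CertificatePolicy.Add(new Oid(oid));
        return policy;
    }

    // Chain status entries that remain after the configured flags. An empty array is the
    // condition under which the 'Certificate Validity Monitor' stays healthy.
    public static X509ChainStatus[] Validate(X509Certificate2 cert, ChainOptions o)
    {
        using var chain = new X509Chain { ChainPolicy = BuildPolicy(o) };
        chain.Build(cert);   // false when any status remains; the statuses explain why
        return chain.ChainStatus.Where(s => s.Status != X509ChainStatusFlags.NoError).ToArray();
    }

    static string[] Split(string list) =>
        (list ?? "").Split(Separators, StringSplitOptions.RemoveEmptyEntries).Select(s => s.Trim()).ToArray();

    public static int Main(string[] args)
    {
        if (args.Length == 0) { Console.Error.WriteLine("usage: <certificate file> [application policy OIDs]"); return 2; }
        // A certificate file stands in for the one captured during the handshake.
        using var cert = new X509Certificate2(args[0]);
        var options = new ChainOptions { ApplicationPolicyOids = args.Length > 1 ? args[1] : "" };
        var issues = Validate(cert, options);
        Console.WriteLine(issues.Length == 0 ? "Certificate Validity Monitor: Healthy" : "Certificate Validity Monitor: WARNING");
        foreach (var s in issues) Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        return issues.Length == 0 ? 0 : 1;
    }
}
```

Every flag widens what the chain build accepts, so set one only for a documented reason. AllowUnknownCertificateAuthority makes a self-signed or rogue-issued certificate indistinguishable from a trusted one for this monitor, IgnoreInvalidName hides a certificate issued for a different host, and the three RevocationUnknown flags silence exactly the failure mode an attacker with a stolen key benefits from. Passing an OID such as id-kp-serverAuth in ApplicationPolicyOids is the tightening direction: the chain then fails for certificates not issued for that use.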
Attribute | Value
---|---
Base Class | Maximus.Connectivity.Monitoring.Test
Abstract | False
Hosted | True
Singleton | False
Extension | False
Accessibility | Public
ElementId | 080ff65c-aedb-01bb-2431-d51f4f1cf036
Comment | Enables SSL test for its parent FQDN object. Defines additional testing parameters.
| Property Name | Type | Display Name (ENU) | Description (ENU) | Key | Max Length | Min Length | Case Sensitive | Default Value |
|---|---|---|---|---|---|---|---|---|
| System.Entity: | | | | | | | | |
| DisplayName | string | Display Name | Display name of the object. | false | 4000 | 0 | False | |
| Maximus.Connectivity.Monitoring.Test: | | | | | | | | |
| | guid | Id | Internal test unique identifier. | true | 256 | 0 | | |
| | string | Template Reference | If set, test parameters are overridden from the template and then follow template changes. Direct editing is prohibited. | false | 256 | 0 | False | |
| | int | Test Interval | Interval between probes in seconds. May not apply to some tests. | false | 256 | 0 | | 600 |
| | int | Matches To Alert | Number of failed probes in a series before an alert is triggered. | false | 256 | 0 | | 3 |
| | int | Sample Series Size | Probe series size. Must be greater than or equal to 'Matches To Alert'. | false | 256 | 0 | | 4 |
| | bool | Collect Performance Data | Enables performance data collection from the test object if supported. Refer to each test implementation for details. | false | 256 | 0 | | false |
| Maximus.Connectivity.Monitoring.Test.SSL: | | | | | | | | |
| Schema | string | Schema | Secure schema such as https, ldaps, smtps, etc. If the schema is set and recognized, the default port for that schema is used; for example, 443 is the standard port for https. If the schema is not known, or a non-standard port is required, leave the schema empty and set an explicit port. | false | 256 | 0 | False | |
| Port | int | Port | Remote port number for secure connection testing. Leave the schema empty to use this parameter. | false | 256 | 0 | | 0 |
| IgnoreRevocationCheck | bool | Ignore Revocation Check | Controls X509ChainPolicy.RevocationMode (see the class definition below). | false | 256 | 0 | | |
| ApplicationPolicy | string | Application Policy OIDs | List of OIDs for the X509 chain application policy. | false | 256 | 0 | False | |
| CertificatePolicy | string | Certificate Policy OIDs | List of OIDs for the X509 chain certificate policy. | false | 256 | 0 | False | |
| DisabledHash | string | Disabled Hash List | List of signature algorithm OID friendly names that should not be used. Allowed values include, but are not limited to, sha1RSA, md5RSA, sha256NoSign, sha256RSA, etc. See https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnap/a48b02b2-2a10-4eb0-bed4-1807a6d2f5ad for details. Separate multiple values with ',', ';', or '\|'. | false | 256 | 0 | False | sha1RSA |
| AllowedSSLProtocols | string | Allowed SSL Protocols | The remote server must support at least one of these protocols to be considered secure. Allowed values are Ssl2, Ssl3, Tls, Tls11, Tls12, or Tls13, or any combination of these separated by ',', ';', or '\|'. | false | 256 | 0 | False | Tls11\|Tls12\|Tls13 |
| DisabledSSLProtocols | string | Disabled SSL Protocols | The remote server must not support any of these protocols to be considered secure. Allowed values are Ssl2, Ssl3, Tls, Tls11, Tls12, or Tls13, or any combination of these separated by ',', ';', or '\|'. | false | 256 | 0 | False | Ssl2\|Ssl3 |
| AllowUnknownCertificateAuthority | bool | Allow Unknown Certificate Authority | | false | 256 | 0 | | |
| IgnoreCertificateAuthorityRevocationUnknown | bool | Ignore Certificate Authority Revocation Unknown | | false | 256 | 0 | | |
| IgnoreCtlNotTimeValid | bool | Ignore CTL Not Time Valid | | false | 256 | 0 | | |
| IgnoreCtlSignerRevocationUnknown | bool | Ignore CTL Signer Revocation Unknown | | false | 256 | 0 | | |
| IgnoreEndRevocationUnknown | bool | Ignore End Revocation Unknown | | false | 256 | 0 | | |
| IgnoreInvalidBasicConstraints | bool | Ignore Invalid Basic Constraints | | false | 256 | 0 | | |
| IgnoreInvalidName | bool | Ignore Invalid Name | | false | 256 | 0 | | |
| IgnoreInvalidPolicy | bool | Ignore Invalid Policy | | false | 256 | 0 | | |
| IgnoreNotTimeNested | bool | Ignore Not Time Nested | | false | 256 | 0 | | |
| IgnoreNotTimeValid | bool | Ignore Not Time Valid | | false | 256 | 0 | | |
| IgnoreRootRevocationUnknown | bool | Ignore Root Revocation Unknown | | false | 256 | 0 | | |
| IgnoreWrongUsage | bool | Ignore Wrong Usage | | false | 256 | 0 | | |
<ClassType ID="Maximus.Connectivity.Monitoring.Test.SSL" Accessibility="Public" Base="Maximus.Connectivity.Monitoring.Test" Abstract="false" Hosted="true" Singleton="false" Comment="Enables SSL test for its parent FQDN object. Defines additional testing parameters.">
<Property ID="Schema" Type="string" Comment="Secure schema such as https, ldaps, smtps, etc. If empty or non-standard, then port number should be defined."/>
<Property ID="Port" Type="int" DefaultValue="0" Comment="Defines port for secure connection, overrides default schema's value."/>
<!-- Testing options -->
<Property ID="IgnoreRevocationCheck" Type="bool" Comment="X509ChainPolicy.RevocationMode"/>
<Property ID="ApplicationPolicy" Type="string" Comment="List of OIDs for X509ChainPolicy.ApplicationPolicy"/>
<Property ID="CertificatePolicy" Type="string" Comment="List of OIDs for X509ChainPolicy.CertificatePolicy"/>
<Property ID="DisabledHash" Type="string" DefaultValue="sha1RSA"/>
<Property ID="AllowedSSLProtocols" Type="string" DefaultValue="Tls11|Tls12|Tls13"/>
<Property ID="DisabledSSLProtocols" Type="string" DefaultValue="Ssl2|Ssl3"/>
<Property ID="AllowUnknownCertificateAuthority" Type="bool"/>
<Property ID="IgnoreCertificateAuthorityRevocationUnknown" Type="bool"/>
<Property ID="IgnoreCtlNotTimeValid" Type="bool"/>
<Property ID="IgnoreCtlSignerRevocationUnknown" Type="bool"/>
<Property ID="IgnoreEndRevocationUnknown" Type="bool"/>
<Property ID="IgnoreInvalidBasicConstraints" Type="bool"/>
<Property ID="IgnoreInvalidName" Type="bool"/>
<Property ID="IgnoreInvalidPolicy" Type="bool"/>
<Property ID="IgnoreNotTimeNested" Type="bool"/>
<Property ID="IgnoreNotTimeValid" Type="bool"/>
<Property ID="IgnoreRootRevocationUnknown" Type="bool"/>
<Property ID="IgnoreWrongUsage" Type="bool"/>
</ClassType>