Reports Certificate Serial number
Adds `serialnumber` to `probe_ssl_last_chain_info`

Output looks like this:

Test: `curl -s http://localhost:9115/probe\?target\=https://example.com\&module\=http_2xx`

```
probe_ssl_last_chain_info{fingerprint_sha256="efba26d8c1ce3779ac77630a90f82163a3d6892ed6afee408672cf19eba7a362",issuer="CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",serialnumber="075bcef30689c8addf13e51af4afe187",subject="CN=www.example.org,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",subjectalternative="www.example.org,example.net,example.edu,example.com,example.org,www.example.com,www.example.edu,www.example.net"} 1
```

Relates to #1103

Signed-off-by: rhysxevans <[email protected]>
rhys-evans committed Dec 7, 2024
1 parent 7e25c6f commit 0982412
Showing 4 changed files with 19 additions and 7 deletions.
4 changes: 2 additions & 2 deletions prober/grpc.go
Expand Up @@ -109,7 +109,7 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
Name: "probe_ssl_last_chain_info",
Help: "Contains SSL leaf certificate information",
},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative", "serialnumber"},
)
)

Expand Down Expand Up @@ -206,7 +206,7 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
isSSLGauge.Set(float64(1))
probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(&tlsInfo.State).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&tlsInfo.State)).Set(1)
probeSSLLastInformation.WithLabelValues(getFingerprint(&tlsInfo.State), getSubject(&tlsInfo.State), getIssuer(&tlsInfo.State), getDNSNames(&tlsInfo.State)).Set(1)
probeSSLLastInformation.WithLabelValues(getFingerprint(&tlsInfo.State), getSubject(&tlsInfo.State), getIssuer(&tlsInfo.State), getDNSNames(&tlsInfo.State), getSerialNumber(&tlsInfo.State)).Set(1)
} else {
isSSLGauge.Set(float64(0))
}
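Review bot: The label list `[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative", "serialnumber"}` is now spelled out separately in grpc.go, http.go and tcp.go, and every `WithLabelValues` call (twice in tcp.go) has to keep the same positional order as its list; appending `serialnumber` last everywhere works today, but a single shared slice in prober/tls.go, e.g. `var sslChainInfoLabels = []string{"fingerprint_sha256", "subject", "issuer", "subjectalternative", "serialnumber"}`, referenced from the three `NewGaugeVec` calls, would stop the lists drifting on the next addition. The unchanged `Help: "Contains SSL leaf certificate information"` could also say that `serialnumber` is the lowercase hex of the certificate serial with no separators, so dashboard users know which form to match against. The enclosing `ProbeGRPC` function starts and ends outside this section.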
4 changes: 2 additions & 2 deletions prober/http.go
Expand Up @@ -273,7 +273,7 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
Name: "probe_ssl_last_chain_info",
Help: "Contains SSL leaf certificate information",
},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative", "serialnumber"},
)

probeTLSVersion = prometheus.NewGaugeVec(
Expand Down Expand Up @@ -647,7 +647,7 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
probeTLSVersion.WithLabelValues(getTLSVersion(resp.TLS)).Set(1)
probeTLSCipher.WithLabelValues(getTLSCipher(resp.TLS)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(resp.TLS).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(resp.TLS), getSubject(resp.TLS), getIssuer(resp.TLS), getDNSNames(resp.TLS)).Set(1)
probeSSLLastInformation.WithLabelValues(getFingerprint(resp.TLS), getSubject(resp.TLS), getIssuer(resp.TLS), getDNSNames(resp.TLS), getSerialNumber(resp.TLS)).Set(1)
if httpConfig.FailIfSSL {
logger.Error("Final request was over SSL")
success = false
6 changes: 3 additions & 3 deletions prober/tcp.go
Expand Up @@ -113,7 +113,7 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
Name: "probe_ssl_last_chain_info",
Help: "Contains SSL leaf certificate information",
},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative", "serialnumber"},
)
probeTLSVersion := prometheus.NewGaugeVec(
probeTLSInfoGaugeOpts,
Expand Down Expand Up @@ -147,7 +147,7 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state), getSerialNumber(&state)).Set(1)
}
scanner := bufio.NewScanner(conn)
for i, qr := range module.TCP.QueryResponse {
Expand Down Expand Up @@ -216,7 +216,7 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state), getSerialNumber(&state)).Set(1)
}
}
return true
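--- a/prober/tls.go
+++ b/prober/tls.go
@@ -17,6 +17,7 @@ import (
 "crypto/sha256"
 "crypto/tls"
 "encoding/hex"
+"fmt"
 "strings"
 "time"
 )
@@ -69,6 +70,17 @@ func getLastChainExpiry(state *tls.ConnectionState) time.Time {
 return lastChainExpiry
 }
 
+func getSerialNumber(state *tls.ConnectionState) string {
+cert := state.PeerCertificates[0]
+// Actual serial number = 0B:FF:BC5:11:F1:90:7D:02:AF:71:9A:FC:D6:4F:B2:53
+// serialNumber := cert.SerialNumber.Text(16) // drops leading zeros outputs = BFFBC511F1907D02AF719AFCD64FB253 in lower case, telgraf follows this https://github.com/influxdata/telegraf/blob/a9c91f162ddbe453364f68a89799535c43328a3c/plugins/inputs/x509_cert/x509_cert.go#L218
+// https://github.com/atc0005/check-cert retains the leading zero with some aditional formatting
+
+serialNumber := strings.ToLower(fmt.Sprintf("%X", cert.SerialNumber.Bytes()))
+
+return serialNumber
+}
+
 func getTLSVersion(state *tls.ConnectionState) string {
 switch state.Version {
 case tls.VersionTLS10: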
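Review bot: `getSerialNumber` builds its result with `strings.ToLower(fmt.Sprintf("%X", cert.SerialNumber.Bytes()))`, which is byte-for-byte what `hex.EncodeToString(cert.SerialNumber.Bytes())` returns, and `encoding/hex` is already imported three lines above the newly added `"fmt"` import; `serialNumber := hex.EncodeToString(cert.SerialNumber.Bytes())` drops the new import and the uppercase-then-lowercase round trip. Two edge cases deserve at least a comment: `big.Int.Bytes()` is the absolute value, so a non-conformant but real-world negative serial silently loses its sign, and a zero serial yields an empty label rather than `"0"`. `state.PeerCertificates[0]` panics on an empty chain; presumably the sibling helpers (`getFingerprint`, `getSubject`, not visible here) index the same way and callers only reach this after a completed handshake, but a `if len(state.PeerCertificates) == 0 { return "" }` guard is cheap and would make this helper safe on its own. The explanatory comment's example `0B:FF:BC5:11:...` contains an odd-length group (`BC5`), and the `Text(16)` output quoted next to it does not correspond to that value, so the comment should be corrected if it is meant to document the leading-zero behaviour the formatting choice is based on.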
