Reports Certificate Serial number

[rhysxevans]

Adds serialnumber to probe_ssl_last_chain_info

Output looks like

Test: curl -s http://localhost:9115/probe\?target\=https://example.com\&module\=http_2xx

probe_ssl_last_chain_info{fingerprint_sha256="efba26d8c1ce3779ac77630a90f82163a3d6892ed6afee408672cf19eba7a362",issuer="CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",serialnumber="075bcef30689c8addf13e51af4afe187",subject="CN=www.example.org,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",subjectalternative="www.example.org,example.net,example.edu,example.com,example.org,www.example.com,www.example.edu,www.example.net"} 1

Relates to #1103

[rhysxevans]

Confirmed to work on grpc , with local test grpc server

curl -s http://localhost:9115/probe\?target\=https://127.0.0.1:4001\&module\=grpc
# HELP probe_dns_lookup_time_seconds Returns the time taken for probe dns lookup in seconds
# TYPE probe_dns_lookup_time_seconds gauge
probe_dns_lookup_time_seconds 1.0041e-05
# HELP probe_duration_seconds Returns how long the probe took to complete in seconds
# TYPE probe_duration_seconds gauge
probe_duration_seconds 0.021027084
# HELP probe_grpc_duration_seconds Duration of gRPC request by phase
# TYPE probe_grpc_duration_seconds gauge
probe_grpc_duration_seconds{phase="check"} 0.020359792
probe_grpc_duration_seconds{phase="resolve"} 1.0041e-05
# HELP probe_grpc_healthcheck_response Response HealthCheck response
# TYPE probe_grpc_healthcheck_response gauge
probe_grpc_healthcheck_response{serving_status="NOT_SERVING"} 0
probe_grpc_healthcheck_response{serving_status="SERVICE_UNKNOWN"} 0
probe_grpc_healthcheck_response{serving_status="SERVING"} 1
probe_grpc_healthcheck_response{serving_status="UNKNOWN"} 0
# HELP probe_grpc_ssl Indicates if SSL was used for the connection
# TYPE probe_grpc_ssl gauge
probe_grpc_ssl 1
# HELP probe_grpc_status_code Response gRPC status code
# TYPE probe_grpc_status_code gauge
probe_grpc_status_code 0
# HELP probe_ip_addr_hash Specifies the hash of IP address. It's useful to detect if the IP address changes.
# TYPE probe_ip_addr_hash gauge
probe_ip_addr_hash 3.668918509e+09
# HELP probe_ip_protocol Specifies whether probe ip protocol is IP4 or IP6
# TYPE probe_ip_protocol gauge
probe_ip_protocol 4
# HELP probe_ssl_earliest_cert_expiry Returns last SSL chain expiry in unixtime
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.738933197e+09
# HELP probe_ssl_last_chain_info Contains SSL leaf certificate information
# TYPE probe_ssl_last_chain_info gauge
probe_ssl_last_chain_info{fingerprint_sha256="67617ba6d9b3e61dc400024655c6f9b33e64e2c66fb2d1b5ece5849a99608c0a",issuer="CN=*.test,OU=Test,O=Test Org,L=Toulouse,ST=Occitanie,C=FR,1.2.840.113549.1.9.1=#0c0e7465737440676d61696c2e636f6d",serialnumber="1b49d32e9ac0afa11f1da7e18b62930080e29a55",subject="CN=*.tls,OU=Server,O=Server TLS,L=Paris,ST=Ile de France,C=FR,1.2.840.113549.1.9.1=#0c0d746c7340676d61696c2e636f6d",subjectalternative="*.tls,localhost"} 1
# HELP probe_success Displays whether or not the probe was a success
# TYPE probe_success gauge
probe_success 1
# HELP probe_tls_version_info Returns the TLS version used or NaN when unknown
# TYPE probe_tls_version_info gauge
probe_tls_version_info{version="TLS 1.3"} 1

[rhysxevans]

Hi @electron0zero

Apologies for pinging you directly, but are you able to assist with the process to get this PR reviewed?

Thanks

[citrocity]

plus one

[rhysxevans]

Apologies, extending the list @roidelapluie @mem

Apologies for pinging you directly, but are you able to assist with the process to get this PR reviewed?

Thanks

[electron0zero]

I would love to better understand the use-case here to evaluate the feature.

what would be use-case where the existing fingerprint_sha256 is not enough, and serial number is required?

[citrocity]

I would love to better understand the use-case here to evaluate the feature.

what would be use-case where the existing fingerprint_sha256 is not enough, and serial number is required?

For CDN, it is possible to have multiple certificates with the same pub/priv key pair issued for different purposes. These certificates will share the same fingerprint but will have distinct serial numbers.

Also, if I am not wrong when a CA is compromised, OCSP responses typically identify certificates by their serial numbers.
If you are monitorinng/alerting for serial numbers known to be issued by a compromised CA, this would help.

[rhysxevans]

Hi

My, primary, use case is around normalising the language used in communicating certificate status etc.

So outside of technical circles, I almost never hear business people using the fingerprint is is always, from my experience across various orgs, CommonName and SerialNumber (in its varous forms). So in my view this is not a technical issue, but an non technical issue that can be solved by a technical fix.

This would allow me at present not to build another "translation" layer between technical and non-technical people (think governance, compliance, etc etc).

With this both teams could look at the relevant dashboards and get the informantion they need, and when talking to each other, they will have a common data set and "language"

Te reason for including SN (Serial number) and CN (Common Name) is this convo particularly, is around the fact I have multiple certs issued via different CA's with the same common name.

Note: I think the comment about OCSP, relying on the serial number is mentioend in https://www.rfc-editor.org/rfc/rfc6960.txt

I hope this helps, but let me know, if you need any further info

Thanks

[electron0zero]

I see, now that use-cases are more clear to me.

l will do reviews and we can get this in after review.

[electron0zero]

other then the two comments, rest of the PR looks good to me. I will ✅ after the comment is addressed. thanks for adding the test.

before I merge, I will give time to other maintainers to review.

please feel free to remind me, if I don't come back to it in few weeks.