Add option to omit Subject Alternative Names (SANs) list instead of listing all entries #993
Assignees
Labels
app/lscert
config
documentation
Improvements or additions to documentation
enhancement
New feature or request
output/extended
Long Service Output (aka, "extended" or "detailed")
plugin/check_cert
Milestone
Comments
atc0005
added
documentation
atc0005
changed the title
atc0005
added a commit
that referenced
this issue
Nov 4, 2024
Add new flag which allows omitting the entries for a lengthy SANs list. This provides a way to trim plugin output in an intentional way with minimal impact vs omitting by default. While of somewhat limited use by itself, this new flag is intended to help reduce plugin output to make room for an optional encoded payload. If requested, this payload would be emitted by the plugin and later available for retrieval from the monitoring system by downstream evaluation/reporting tooling). This new behavior/flag is disabled by default. refs GH-993
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As a test I measured the stdout content from the
check_certplugin for a certificate chain with 4 entries and a leaf cert with only one SANs entry:2651 bytes.
I then measured the stdout content for a cert chain of equal length but 73 SANs entries:
4408 bytes.
Still well beneath the current maximum plugin output length, but a little over halfway there.
By emitting a summary or a placeholder to indicate they were omitted a notable amount of output could be "saved" allowing for a potential payload (#960) to be included where it might not otherwise fit.
EDIT: Updated focus of this GH issue to provide a way to omit the list instead of strictly to summarize it.
The compromise is to include the number of entries along with explicit text noting that the list is omitted by request.
The text was updated successfully, but these errors were encountered: