The SSLCertMonitor only does plain TLS on the socket. This is useful for protocols that always assume TLS (HTTPS, secure SIP, etc.), but it does not allow testing certificate expiration for services that use some form of STARTTLS. Examples noted in the docs include IMAP, POP3, SMTP, FTP, XMPP, LDAP, and NNTP.
The requestor's need is for XMPP. Doing TLS on XMPP requires that the client start a session normally; if the server responds with an indication that TLS is supported or required, the client then sends the starttls verb and should get a proceed message in response. At that point normal TLS negotiation takes place, followed by a repeat of the session-starting exchange to avoid MITM attacks.
To facilitate the required message passing for TLS on XMPP (and likely most other STARTTLS-like protocols), I propose to add four new optional parameters to SSLCertMonitor:
- starttls-preamble, a string sent to the server prior to the starttls verb. In the case of XMPP it would be the initial session request.
- starttls-preamble-response, an optional regular expression that must match the server's response in order for the STARTTLS verb to be attempted.
- starttls-start, the actual STARTTLS verb.
- starttls-start-response, another regular expression used to validate that the server accepted the STARTTLS request.
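To make the proposal concrete, here is an added Python sketch of the four-parameter exchange driving a certificate-expiry check. It is example code written for this discussion, not OpenNMS code and not a patch to SSLCertMonitor. The XMPP stream header, the feature regex and the `<proceed>` regex are assumed sample values, and the scripted server replies are constructed so the negotiation can be exercised offline; only `probe()` touches the network.

```python
"""STARTTLS-aware certificate expiry probe (added example; not OpenNMS code).

The four parameters mirror the proposal: preamble, preamble-response, start and
start-response.  The XMPP values below are assumed sample values, not text from
the OpenNMS documentation.
"""
import re
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed XMPP parameter set.  "{host}" in the preamble is filled in at probe time.
XMPP = {
    "preamble": ("<?xml version='1.0'?><stream:stream to='{host}' xmlns='jabber:client' "
                 "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"),
    "preamble_response": r"<starttls\s+xmlns=['\"]urn:ietf:params:xml:ns:xmpp-tls['\"]",
    "start": "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
    "start_response": r"<proceed\b",
}


class StartTlsError(Exception):
    """The plaintext exchange did not go as the parameters require."""


def _expect(sock, pattern, stage, max_bytes=65536):
    """Accumulate server data until `pattern` matches; fail on EOF or overflow.

    A reply is accepted only when the regex matches.  A non-matching reply
    (e.g. an XMPP <failure/> followed by stream close) ends in StartTlsError,
    so the monitor never starts a TLS handshake on an unexpected answer."""
    buf = b""
    while True:
        text = buf.decode("utf-8", "replace")
        if re.search(pattern, text):
            return text
        chunk = sock.recv(4096)
        if not chunk:
            raise StartTlsError(f"{stage}: peer closed; reply so far: {text[:200]!r}")
        buf += chunk
        if len(buf) > max_bytes:
            raise StartTlsError(f"{stage}: no match within {max_bytes} bytes")


def negotiate_starttls(sock, host, params):
    """Drive the plaintext exchange on a connected socket; return replies seen."""
    replies = []
    if params.get("preamble"):
        sock.sendall(params["preamble"].format(host=host).encode())
        if params.get("preamble_response"):          # optional, as proposed
            replies.append(_expect(sock, params["preamble_response"], "preamble"))
    sock.sendall(params["start"].encode())
    replies.append(_expect(sock, params["start_response"], "starttls"))
    return replies


def days_remaining(not_after, now=None):
    """Days until notAfter, in the string form ssl.getpeercert() returns."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def probe(host, port, params, min_days=30, timeout=10):
    """Connect, run STARTTLS, then validate and check the certificate's expiry."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        negotiate_starttls(raw, host, params)
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            days = days_remaining(tls.getpeercert()["notAfter"])
    return days, days >= min_days


class ScriptedPeer:
    """Constructed stand-in for a server socket: replays canned chunks."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def sendall(self, data):
        self.sent.append(data)
    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""


# Constructed transcripts.  Chunk boundaries are deliberately awkward to show
# that replies are accumulated across recv() calls.
XMPP_OK = [
    b"<?xml version='1.0'?><stream:stream id='c0nstructed' from='example.test' ",
    b"version='1.0'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>",
    b"<required/></starttls></stream:features>",
    b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
]
XMPP_REFUSED = [
    b"<stream:stream id='c0nstructed' version='1.0'><stream:features>"
    b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:features>",
    b"<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
    b"</stream:stream>",
]


def demo(transcript=XMPP_OK):
    """Run the negotiation against a scripted peer (no network)."""
    return negotiate_starttls(ScriptedPeer(transcript), "example.test", XMPP)


def negotiation_succeeds(transcript):
    try:
        demo(transcript)
        return True
    except StartTlsError:
        return False


if __name__ == "__main__":
    if len(sys.argv) == 3:
        days, ok = probe(sys.argv[1], int(sys.argv[2]), XMPP)
        print(f"{days} days left; {'OK' if ok else 'EXPIRING'}")
    else:
        print(demo())
```

Two details matter for a monitor built this way. First, each response regex is treated as a gate: the TLS handshake is only attempted once the start-response pattern has matched, so a server that answers the STARTTLS verb with a failure (or nothing) produces a negotiation error rather than a misleading TLS error. Second, `wrap_socket` is called on the same socket with no plaintext left unread, which holds for XMPP because the server sends nothing after `<proceed/>` until the handshake completes; the stream restart the protocol requires after TLS is not needed merely to read the certificate.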