SNI: Alert if returned certificate does not contain requested SNI hostname

[chas0rde]

We started implementing x509 module to get a better overview on our certificates
We found that the certificate still shows as valid even if the certificate is misconfigured and the returned certificate does not match the SNI

It seems only expiry is validated but not if the certificate is valid for the SNI
This would be very helpful to not only monitor for expiry but also misconfigurations
Currently we plan to implement workarounds via Director Automations to do transforms and have a check applied that does an OpenSSL check for the validity but that would be an additional unnecessary connect to the monitored host that could already be evaluated by the x509 module

Best regards