Vernon,
That is a bug in an early version of openssl, http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2240. Guessing that you can't patch it, so like Scott mentioned you could try to force a version, one that you have. The following is from the docs in 4.2.0, I did not check if these are still available in 4.3.17.
"Forcing an HTTP or SSL version

Some SSL sites will only allow you to connect, if you use specific "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience shows that this fails on some systems.

bbtest-net can be told to use specific dialects, by adding one or more "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:

* "2", e.g. https2://www.sample.com/ : use only SSLv2
* "3", e.g. https3://www.sample.com/ : use only SSLv3
* "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
* "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
* "10", e.g. http10://www.sample.com/ : use HTTP 1.0
* "11", e.g. http11://www.sample.com/ : use HTTP 1.1

These can be combined where it makes sense, e.g. to force SSLv2 and HTTP 1.0 you would use "https210"."
You could try http10://urltocert and not auto-negotiate the handshake.
Regards,
Tim
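To see how the dialect suffixes quoted above combine, here is an added example (written for this thread, not code from Xymon or bbtest-net) that splits a host.cfg test URL such as "https210://..." into its base scheme and dialect tokens, and warns about combinations that cannot work or that force a protocol a server is likely to have disabled. The "t" (TLS only) token is an assumption taken from the "httpst://" suggestion later in the thread; it is not in the quoted 4.2.0 list.

```python
import re
from typing import List, Tuple

# Dialect tokens as quoted from the bbtest-net 4.2.0 docs. "t" is assumed from
# the "httpst://" suggestion in the thread and is not part of the quoted list.
DIALECTS = {
    "2": "SSLv2 only",
    "3": "SSLv3 only",
    "t": "TLS only (assumed, not in the quoted docs)",
    "m": "128-bit ciphers only",
    "h": ">128-bit ciphers only",
    "10": "HTTP/1.0",
    "11": "HTTP/1.1",
}
# Tokens within one group cannot sensibly be combined in a single scheme.
EXCLUSIVE = [{"2", "3", "t"}, {"m", "h"}, {"10", "11"}]
LEGACY = {"2": "SSLv2", "3": "SSLv3"}  # protocols servers commonly reject today


def tokenize(suffix: str) -> List[str]:
    """Split the text after http/https into dialect tokens, e.g. '210' -> ['2', '10']."""
    tokens, i = [], 0
    while i < len(suffix):
        two, one = suffix[i:i + 2], suffix[i]
        if two in DIALECTS:            # "10"/"11" must be tried before a single "1"
            tokens.append(two); i += 2
        elif one in DIALECTS:
            tokens.append(one); i += 1
        else:
            raise ValueError(f"unknown dialect {one!r} in scheme suffix {suffix!r}")
    return tokens


def parse_test_url(url: str) -> Tuple[str, List[str], List[str]]:
    """Return (base scheme, dialect tokens, warnings) for a host.cfg test URL."""
    m = re.match(r"^(https?)([^:/]*)://(.*)$", url)
    if not m:
        raise ValueError(f"not an http/https test URL: {url!r}")
    scheme, suffix = m.group(1), m.group(2)
    tokens, warnings = tokenize(suffix), []
    for group in EXCLUSIVE:
        chosen = [t for t in tokens if t in group]
        if len(chosen) > 1:
            warnings.append("conflicting dialects: " + ", ".join(chosen))
    for t in tokens:
        if t in LEGACY:
            warnings.append(f"{LEGACY[t]} is forced; modern servers often reject it")
    if scheme == "http" and any(t in ("2", "3", "t", "m", "h") for t in tokens):
        warnings.append("SSL/cipher dialect on a plain http scheme")
    return scheme, tokens, warnings
```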
From: Xymon [xymon-bounces at xymon.com] on behalf of Vernon Everett [everett.vernon at gmail.com]
Sent: Monday, December 8, 2014 3:42 PM
To: Scott Pfister
Cc: Xymon mailinglist
Subject: Re: [Xymon] SSL Errors
Hi Scott
All I get is a new error message. :-(
https3: Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
httpt: Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
And the https status remains red.
Regards,
Vernon
On 8 December 2014 at 20:50, Scott Pfister <icepickjazz at gmail.com> wrote:

Good morning,
What version of SSL is on the client with the cert? Was SSLv3 disabled due to the POODLE exploit? Can you try forcing it to connect using only TLS or SSLv3? In host.cfg set https3://... or httpst://...
thanks
On Mon, Dec 8, 2014 at 4:33 AM, Vernon Everett <everett.vernon at gmail.com> wrote:

Hi all
Trying to get an https test working to monitor certificate expiry. Test shows up red, with very descriptive "SSL Error".
The xymonnet error appears a little more useful, but I can't find a resolution to the problem.

Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

Additional info:
xymonnet version 4.3.17
SSL library: OpenSSL 1.0.1j 15 Oct 2014
LDAP library: OpenLDAP 20423
Any advice appreciated.
Regards,
Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon