On 11.01.2014 18:44, Mark Felder wrote:
I think the safe solution everywhere is "off by default", and further testing of the HTTPS checking code with OpenSSL 1.0+ against servers that don't support the latest TLS, or maybe not even TLS at all -- just SSLv3. You're going to have users with appliances that can't be upgraded but they still should be able to get monitored.
Just to finish this thread: In 4.3.14 I have implemented a global option for xymonnet "--sni=[on|off]" to globally enable/disable SNI for SSL tests. Default is OFF. In addition there are two new tags for hosts.cfg, "sni" and "nosni" so regardless of the global option you can override it per host.
I think that is the best way to avoid unnecessary surprises when upgrading, while still making SNI available for those who need it.
Regards, Henrik