On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:
On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post a while back where someone suggested using "httpst://url", but that is not working either. I am running build .17, not sure if upgrading to .18 or .19 will work; I'll read the notes.
Is there another way to fix?
From hosts.cfg man page:
- "t", e.g. httpst://www.sample.com/ : use only TLSv1
Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2.
Please see the attached patch. I can successfully build on FreeBSD 8.4 and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2, so I'm certain I have not broken that functionality.
Considering how simple this patch is, I expect it to work reliably. Using this patch you should be able to specify httpst1_1:// and httpst1_2:// to get TLS 1.1 and 1.2.
The default for https:// connections is as follows:
    default:
        item->sslctx = SSL_CTX_new(SSLv23_client_method());
        break;
And the OpenSSL docs[1] describe this method:
SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.
So I would expect Xymon to try to use TLSv1.2 if it's available... is it possible your Xymon server's OpenSSL version is too old? This might require more investigation...
Anyway, I haven't proven it beyond building yet -- I need to reconfigure my webserver to print ciphers in the logs so I can ensure it's really working. Please feel free to give it a try.
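As an added illustration (not code from this thread or from Xymon), the Python below models the scheme-to-version mapping the proposed patch introduces and adds the check Mark says he still needs: connecting with that window and reporting which protocol the server actually agreed to. The scheme names httpst1_1 and httpst1_2 are taken from the proposal above; the choice never to offer SSLv3 for plain https:// is an assumption beyond the quoted default branch.

```python
import socket
import ssl

# Scheme prefixes from the thread, mapped to the TLS version window the
# probe accepts. "https" keeps the negotiate-highest behaviour of
# SSLv23_client_method(); the "httpst*" schemes pin one version, as the
# hosts.cfg "t" suffix does for TLSv1. httpst1_1/httpst1_2 are the names
# proposed in the thread. Assumption beyond the thread: SSLv3 is never
# offered for "https", so the fallback the OpenSSL docs mention is closed.
SCHEME_BOUNDS = {
    "https":     (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.MAXIMUM_SUPPORTED),
    "httpst":    (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1),
    "httpst1_1": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    "httpst1_2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def split_url(url):
    """Return (scheme, host, port, path). urllib is avoided on purpose: it
    rejects the '_' in httpst1_1/httpst1_2 as a scheme character."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in SCHEME_BOUNDS:
        raise ValueError("unsupported scheme in %r" % url)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return scheme, host, int(port) if port else 443, "/" + path


def context_for(scheme):
    """Client context whose protocol window matches the scheme."""
    lo, hi = SCHEME_BOUNDS[scheme]
    ctx = ssl.create_default_context()   # system CA store, hostname checks on
    ctx.minimum_version = lo             # floor first, so max >= min holds
    ctx.maximum_version = hi
    return ctx


def negotiated_version(url, timeout=10.0):
    """Connect as the probe would and report the protocol actually agreed,
    the check the thread wants to confirm from the web server logs. Returns
    e.g. 'TLSv1.2', or the handshake error if the server refuses the window."""
    scheme, host, port, _ = split_url(url)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context_for(scheme).wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        return "handshake failed: %s" % exc.reason
```

Running negotiated_version("httpst1_2://www.sample.com/") against your own server gives the same answer the server-side cipher log would, without reconfiguring the web server.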