The problem is for some sites with valid certificates too. I had checked access to the page with wget or lynx, and it is working. So I do not see a reason why Xymon should get "Server Timeout" for the same target.
Here is the debug output of wget. Please advise how to diagnose/debug Xymon to find the solution. I am a bit confused why nobody is reporting the same problem:
- nobody is using the new openssl libraries?
- nobody does https tests for some, maybe a bit non-standard, SSL certificates or web-sites?
Anyway, my opinion: if this is working for all other tools like lynx, wget, browsers, this could also work in Xymon.
Test case: both URLs get Server Timeout in Xymon, but work with wget:
URL1: https://epak.pmlp.gov.lv/ (here is a redirect - I had found Xymon may have trouble with redirects over https)
URL2: https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx (no redirects here, certificate valid, but XyMon can not access it)
========= URL1: ===========
[xymon at myhost~]$ wget --debug https://epak.pmlp.gov.lv/
DEBUG output created by Wget 1.12 on linux-gnu.
--2013-10-23 13:02:52-- https://epak.pmlp.gov.lv/
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x0000000001606440 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000000001607570
certificate:
subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 301 Moved Permanently
Content-Length: 179
Content-Type: text/html
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 10:02:45 GMT
Connection: keep-alive
---response end---
301 Moved Permanently
Registered socket 3 for persistent reuse.
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
[following]
Skipping 179 bytes of body: [<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="
https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx">here</a></body>]
done.
--2013-10-23 13:02:52--
https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Reusing existing connection to epak.pmlp.gov.lv:443.
Reusing fd 3.
---request begin---
GET /NYX.Nyx001.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:02:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xpwkktquphtyv02va2ms1ejv; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 7365
---response end---
200 OK
Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry none] ASP.NET_SessionId xpwkktquphtyv02va2ms1ejv
Length: 7365 (7.2K) [text/html]
Saving to: `Default.aspx.2'
100%[====================================================================================================================>] 7,365 --.-K/s in 0s
2013-10-23 13:02:52 (832 MB/s) - `Default.aspx.2' saved [7365/7365]
========= URL2 =========================
[xymon at myhost~]$ wget --debug https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx DEBUG output created by Wget 1.12 on linux-gnu.
--2013-10-23 13:03:58--
https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x00000000013ae4d0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000013af620
certificate:
subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration
Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv
---request begin---
GET /NYX.Nyx002.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:03:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pecngh45oqe2sk45vhthua55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 8619
---response end---
200 OK
Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry none] ASP.NET_SessionId pecngh45oqe2sk45vhthua55
Registered socket 3 for persistent reuse.
Length: 8619 (8.4K) [text/html]
Saving to: `Default.aspx.3'
100%[====================================================================================================================>] 8,619 --.-K/s in 0s
2013-10-23 13:03:58 (1007 MB/s) - `Default.aspx.3' saved [8619/8619]
This is output from: User-Agent: Wget/1.12 (linux-gnu). Output from a host with older ssl and wget is the same (except User-Agent: Wget/1.11.4 Red Hat modified).
From: Andrey Chervonets/Cominder/LV
To: henrik at hswn.dk,
Cc: xymon at xymon.com
Date: 31.07.2013 18:15
Subject: Re: XyMon 4.3.12 - what about HTTPS problems repoirted for 4.3.11 ?
Yes, there may be some specific or expired certificate, but the workaround is not working anyway.
Tested: using http3 does not help for CentOS and OpenSUSE 12.3.
Tested with URL: https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx and some others.
Best regards,
Andrey Chervonets
SIA CoMinder http://www.cominder.eu/
From: henrik at hswn.dk
To: Andrey Chervonets <a.chervonets at cominder.eu>,
Cc: <xymon at xymon.com>
Date: 25.07.2013 13:07
Subject: Re: XyMon 4.3.12 - what about HTTPS problems repoirted for 4.3.11 ?
Hi,
All indications are that this is an OpenSSL library problem (present in OpenSSL 1.x, but not in the older 0.9.x versions).
Debian has this bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702635
SuSE has this: http://lists.opensuse.org/opensuse-bugs/2013-05/msg01048.html
It appears that the problem only shows up when testing sites with specific SSL implementations; e.g. I've seen it when connecting to some IIS versions.
Apparently, a work-around is to force the use of SSLv3 instead of TLSv1; you can do that by changing the URL in hosts.cfg so it has "https3" instead of just "https".
Regards, Henrik
On 25.07.2013 07:54, Andrey Chervonets wrote:
Good day!
I still have not received any reply to my previous messages about https test problems in 4.3.11 or due to openssl-1.0.nnnn. Does 4.3.12 have fixes for that?
Or what should be the steps to find the root cause and fix it? Just tell me in which direction I should go, I am not going to take much of your time.
P.S. Really, I am surprised nobody else reported similar problems. I feel I have done something wrong. :(
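
An added example, not part of the thread and not Xymon's own code: a probe that attempts one handshake per pinned protocol version and reports whether each completes, fails, or stalls until the timeout, which is how the protocol-dependent "Server Timeout" discussed above can be told apart from a plain network problem. The function names and the `monitored.example` host are assumptions; SSLv3 is absent from current OpenSSL builds, so only TLS versions are covered.

```python
import socket
import ssl
import time

# Versions the local OpenSSL may offer. SSLv3 (the "https3" workaround named
# in the thread) is compiled out of current builds, so it is not probed here.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to `version`; return (outcome, seconds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnosing the handshake only,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate trust is not evaluated
    start = time.monotonic()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                outcome = "ok " + tls.version()
    except socket.timeout:           # peer went silent: the "Server Timeout" case
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "refused"
    except (ssl.SSLError, ValueError) as exc:  # alert, or version unavailable locally
        outcome = "ssl_error " + type(exc).__name__
    except OSError as exc:
        outcome = "os_error " + type(exc).__name__
    return outcome, time.monotonic() - start


def survey(host, port=443, timeout=5.0):
    """Probe every version; differing outcomes point at version intolerance."""
    return {v.name: probe(host, port, v, timeout)[0] for v in VERSIONS}


if __name__ == "__main__":
    # Placeholder target (assumption): substitute the monitored host.
    for name, outcome in survey("monitored.example").items():
        print(f"{name:8} {outcome}")
```

A server that returns `ok` for one version and `timeout` for another is stalling on the ClientHello rather than being unreachable, so the check's timeout should be read as a handshake fault.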