So, the question is, does the sslbits option look at the actual connection xymon just made to the remote server, or is it looking at the lowest number of bits in the cipher list? If the latter, that's pretty much worthless as a test...
xymonnet/contest.c, starting at line 653, loops through available ciphers and saves lowest number of bits in item->mincipherbits.
Right above that loop there are several calls to X509 functions to get the CN and the start/end times. If there's one that would get the number of bits for the actual connection, that could replace the loop and the sslbits test would be all good. I think. Maybe. Dunno enough about x509 programming, that's fer sure! :-)
Or maybe I'm overlooking something - wouldn't be the first time... :-)
Ralph Mitchell
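As an added illustration of the two numbers discussed above (this is not code from xymonnet or from anyone in this thread), the following Python script contrasts the weakest cipher in the *local* OpenSSL cipher list, which is what the loop in contest.c stores in mincipherbits, with the strength of the cipher actually negotiated on a connection. Python's ssl module wraps the same OpenSSL calls: SSLContext.get_ciphers() wraps SSL_get_ciphers(), and SSLSocket.cipher() wraps SSL_get_current_cipher() plus SSL_CIPHER_get_bits(), which is the call that answers the question of how to get the bits for the actual connection. The cipher lists and the negotiated-cipher tuple are constructed samples, and probe_negotiated_bits() is a hypothetical helper whose host and port are placeholders.

```python
"""Local cipher list vs. negotiated cipher: the two values an sslbits test could use.

Python's ssl module wraps the OpenSSL calls behind both approaches:
  SSLContext.get_ciphers()  -> SSL_get_ciphers()        (the local client's offer list)
  SSLSocket.cipher()        -> SSL_get_current_cipher() + SSL_CIPHER_get_bits()
                               (the cipher the remote server actually accepted)
"""
import socket
import ssl

# Constructed sample shaped like SSLContext.get_ciphers() output on a monitoring host
# whose OpenSSL still lists export-grade ciphers. Only the keys used here are shown.
CONSTRUCTED_LOCAL_LIST = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
]

# Constructed sample of SSLSocket.cipher() after a handshake with a server that
# only accepts strong ciphers and negotiated AES-256.
CONSTRUCTED_NEGOTIATED = ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)


def local_min_cipher_bits(cipher_list):
    """Weakest cipher the local OpenSSL would offer.

    This mirrors the contest.c loop that fills mincipherbits: it describes the
    monitoring host, not the remote server, so it is identical for every target.
    """
    return min(c["strength_bits"] for c in cipher_list)


def negotiated_cipher_bits(cipher_tuple):
    """Strength of the cipher the remote server actually accepted.

    cipher_tuple is SSLSocket.cipher(): (name, protocol, bits), or None before
    the handshake has completed.
    """
    if cipher_tuple is None:
        raise ValueError("no cipher negotiated yet (handshake not completed)")
    _name, _protocol, bits = cipher_tuple
    return bits


def sslbits_verdicts(sslbits, cipher_list, cipher_tuple):
    """Return (local_list_verdict, negotiated_verdict) for an sslbits threshold.

    The first is what the local-list approach reports, the second is the check
    based on the real connection. They disagree whenever the local list contains
    anything weaker than the threshold, regardless of what the server accepts.
    """
    local_ok = local_min_cipher_bits(cipher_list) >= sslbits
    negotiated_ok = negotiated_cipher_bits(cipher_tuple) >= sslbits
    return local_ok, negotiated_ok


def probe_negotiated_bits(host, port=443, timeout=5.0):
    """Connect to a server you administer and report what was actually negotiated.

    Hypothetical helper (not part of xymonnet); returns (cipher_name, protocol, bits).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    # Real data from this host's OpenSSL: the value a local-list test would use for every target.
    print("local OpenSSL min bits:",
          local_min_cipher_bits(ssl.create_default_context().get_ciphers()))
    # Constructed data: the two verdicts diverge at sslbits=256.
    print("verdicts at sslbits=256 (local list, negotiated):",
          sslbits_verdicts(256, CONSTRUCTED_LOCAL_LIST, CONSTRUCTED_NEGOTIATED))
```

Run the script on the monitoring host and the first line shows the same "minimum bits" for every target, which is why an sslbits=256 threshold fires against a server that only accepts strong ciphers; only the negotiated value from the connection itself reflects what the remote server will accept.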
On Sun, Apr 29, 2012 at 11:44 PM, Jeremy Laidman <jlaidman at rebel-it.com.au> wrote:
Ralph
I believe you are correct that this shows the Xymon server's list of ciphers. I have different servers that I monitor, and they accept connections using different sets of ciphers (tested with "openssl s_client -cipher NAME-OF-CIPHER hostname") yet the lists of ciphers on each of the Xymon sslcert status pages are identical.
Also, the output of "openssl ciphers -v" on the Xymon server is suspiciously identical, in content and order, to those listed on the sslcert status page.
Cheers,
Jeremy
On Thu, Apr 26, 2012 at 2:59 PM, Ralph Mitchell <ralphmitchell at gmail.com> wrote:
I was looking at the list of available ciphers in the sslcert column, and I'm wondering exactly what that's showing? Even when the server is running mod_nss with FIPS-140 turned on, the ciphers list still includes 40-bit & 56-bit ciphers, which are definitely not supposed to be available.
So, would I be right in thinking that "Available Ciphers" means "Ciphers available on the Xymon server", rather than "Ciphers that the remote system will accept"??
I was hoping that it was showing the list of ciphers the remote server would accept, because that would tie in with the "sslbits" option specifying a minimum encryption level. As it is, if I set sslbits=256 for my FIPS-140 server, xymon alerts because it thinks the minimum available bits is 40.
I'm going to try sslscan (http://sourceforge.net/projects/sslscan/) tomorrow and see what it says. From what I've read this evening, it may be necessary to hit the remote server with a request for every available encryption, and see what it will accept. That's how sslscan does it.
So, does anybody know for sure if the cipher list is local to the xymon server, or is it somehow gathered from the remote server??
Ralph Mitchell
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon