On Thu, Jan 9, 2014, at 8:37, Mark Felder wrote:
I confirmed that building Xymon 4.3.13 against OpenSSL 1.0.1e 11 Feb 2013 fixes my previous issues. Those two servers are no longer showing any issues.
However, I have a different issue now that seems to be on a group of similarly configured servers with self signed certificates:
Error output:
Unspecified SSL error in SSL_connect to 58148/tcp on host 66.170.1.42: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.43: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.44: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.46: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
From someone commenting on an Ubuntu bug report containing this error message:
"The issue is actually with certain SSLv3 servers that don't understand
the TLSv1.1 handshake and are closing the connection. This unfortunately
can't be fixed on the client without disabling TLSv1.1, or forcing an
SSLv3 connection."
I may be able to fix the CipherSuites on all but one of the remaining affected servers to work around this issue. However, this is not ideal; these are basically "appliances" where I am unsure of the consequences of changing away from the vendor defaults. (I definitely use modern ciphers on my normal webservers)
I'm not comfortable with pushing this update into the FreeBSD ports tree at this time; there's too much potential for headaches. The SNI support is a great feature, but it seems there are some very rough edges that have not been discovered until now.
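As an added example (not code from the thread or from Xymon), the following decoder turns Xymon's run-together "Error output" into one record per host and unpacks the OpenSSL 1.0.x packed error code: the high byte is the library (20 = libssl), the middle 12 bits the function (0x077 = 119 = SSL23_GET_SERVER_HELLO), and a libssl reason of 1000 or more means the server sent a TLS alert whose description is reason minus 1000, so error:14077438 decodes to alert 80, internal_error, exactly as the message text says. The sample output is constructed with RFC 5737 addresses rather than the servers in the thread, and a third entry with a handshake_failure (40) alert is included so the two failure classes can be told apart during triage.

```python
import re
from collections import Counter

# Constructed sample in the format of Xymon's "Error output" above (RFC 5737 addresses).
SAMPLE_OUTPUT = (
    "Unspecified SSL error in SSL_connect to 58148/tcp on host 192.0.2.10: "
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error "
    "Unspecified SSL error in SSL_connect to 64288/tcp on host 192.0.2.11: "
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error "
    "Unspecified SSL error in SSL_connect to 443/tcp on host 192.0.2.12: "
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
)

# TLS AlertDescription values (RFC 5246, section 7.2) a client is likely to be sent.
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
               47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
               71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension"}

ERR_LIB_SSL = 20             # OpenSSL 1.0.x library number of libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reason >= 1000 means "peer sent alert (reason - 1000)"

ENTRY_RE = re.compile(r"SSL_connect to (?P<port>\d+)/tcp on host (?P<host>\S+): "
                      r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<text>.+)$")

def decode_openssl_code(code):
    """Unpack an OpenSSL 1.0.x packed error code into (lib, func, reason, alert or None)."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return lib, func, reason, alert

def parse_errors(output):
    """Split the run-together Xymon text into one record per failing host:port."""
    records = []
    for chunk in output.split("Unspecified SSL error in "):
        m = ENTRY_RE.search(chunk.strip())
        if not m:
            continue
        _, _, reason, alert = decode_openssl_code(int(m.group("code"), 16))
        records.append({"host": m.group("host"), "port": int(m.group("port")),
                        "func": m.group("func"), "reason": reason, "alert": alert,
                        "alert_name": ALERT_NAMES.get(alert) if alert is not None else None})
    return records

def summarize(records):
    """Count failing hosts per server alert, so a batch of errors can be triaged at a glance."""
    return dict(Counter(r["alert_name"] or "no-alert" for r in records))
```

An internal_error alert sent straight back to the ClientHello (the SSL23_GET_SERVER_HELLO stage) is the signature of a server that cannot cope with the newer ClientHello, which is the case the Ubuntu bug comment above describes; a handshake_failure alert at the same stage usually points at cipher suite or certificate negotiation instead.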