monitoring websites behind cloudflare?
Hello,
We are running xymon 4.3.29 on sles 12 and trying to monitor a website that is behind cloudflare but I cannot find a combo of https flags in hosts.cfg that will connect to cloudflare. Has anyone else had this issue and come up with a solution? I have literally tried every reasonable combo...
"Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Thanks, Matt
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
Matt,
Just for giggles I did a manual test using openssl:
openssl s_client -connect 104.18.5.68:443
With the following results:
CONNECTED(00000003)
140619981215560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 247 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
This means that the IP address isn't serving SSL
One I know is serving SSL:
openssl s_client -connect 50.196.187.248:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = baywinds.org
verify return:1
Certificate chain
 0 s:/CN=baywinds.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
-----BEGIN CERTIFICATE-----
<cert info>
-----END CERTIFICATE-----
subject=/CN=baywinds.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 3233 bytes and written 373 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 338A6AA8E41A643BD51B57CB6BF55A9619110159A3390AD761C3E4AB1853437E
    Session-ID-ctx:
    Master-Key: 13BD58F4497A226F3B3713569D39CD38F2445C98E6D91D866BD8AB99CABBAF1D93599AB5CF5150FC2DE4CFDC6E99FADC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
blah blah blah
.......
Bottom line, that IP address isn't serving HTTPS
On 3/3/20 10:05 AM, Matthew Goebel wrote:
Hello,
We are running xymon 4.3.29 on sles 12 and trying to monitor a website that is behind cloudflare but I cannot find a combo of https flags in hosts.cfg that will connect to cloudflare. Has anyone else had this issue and come up with a solution? I have literally tried every reasonable combo...
"Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Thanks, Matt
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Nice. I have figured out in the last hour or so that adding sni to the two entries in my hosts.cfg file seems to fix this issue, and I had never noticed the sni option before. Did not have to change the ip?
Thanks, Matt
On Tue, Mar 3, 2020 at 4:46 PM Bruce Ferrell <bferrell at baywinds.org> wrote:
participants (2): bferrell@baywinds.org, mgoebel@emich.edu