Missing support for HTTP/2?
Hi,
On Wed, Nov 01, 2023 at 02:21:04PM +0100, Ingeborg Hellemo via Xymon wrote:
> I have a webserver which works ok when you visit it in a browser or when you use curl, but Xymon http test shows "SSL error". Tests with "openssl s_client" from the command line work as expected.
> Could the culprit be that xymonnet does not support HTTP/2?
I don't think so. It's probably more an issue of incompatible ciphers or so. Or is that an HTTP/2-only server? So far I'm also not aware of any HTTP/2 only (production) web server. Maybe this will come in the future.
But yeah, as far as I know, xymonnet does not support HTTP/2 - nor HTTP/3. Then again, it might be possible to implement a minimal client via protocols.cfg hex syntax like with e.g. ajp13 or rdp. But if the handshake needs anything outside the standard TLS handshake (and I'm not that versed in HTTP/2), it will not work.
And indeed, built-in xymonnet support for HTTP/2 and HTTP/3 would be nice, especially if you could monitor the availability of protocol versions separately (like for HTTPS and HTTP). But I suspect this would need a 3rd party library like curl or nghttp2 to be used.
Kind regards, Axel
--
PGP: 2FF9CD59612616B5         /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe at deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe at noone.org  X   https://axel.beckert.ch/
                              / \  I love long mails: https://email.is-not-s.ms/
It could be the SSL cert. Or it could be the intermediate certificates.
Try running openssl verify -CAfile <location_of_intermediate_cert> /etc/apache2/<server.crt> (or whatever you named it)
Hi Rod,
On Wed, Nov 01, 2023 at 11:47:37AM -0400, Rod wrote:
> On Wed, Nov 01, 2023 at 02:21:04PM +0100, Ingeborg Hellemo via Xymon wrote:
> > I have a webserver which works ok when you visit it in a browser or when you use curl, but Xymon http test shows "SSL error". Tests with "openssl s_client" from the command line work as expected.
> > Could the culprit be that xymonnet does not support HTTP/2?
> It could be the SSL cert. Or it could be the intermediate certificates.
No. Xymon's SSL checks only check functionality over SSL and expiry dates. They do not verify the certificate chain.
Kind regards, Axel
On Wed, November 1, 2023 07:53, Axel Beckert wrote:
> Hi,
> On Wed, Nov 01, 2023 at 02:21:04PM +0100, Ingeborg Hellemo via Xymon wrote:
> > I have a webserver which works ok when you visit it in a browser or when you use curl, but Xymon http test shows "SSL error". Tests with "openssl s_client" from the command line work as expected.
> > Could the culprit be that xymonnet does not support HTTP/2?
> I don't think so. It's probably more an issue of incompatible ciphers or so. Or is that an HTTP/2-only server? So far I'm also not aware of any HTTP/2 only (production) web server. Maybe this will come in the future.
> But yeah, as far as I know, xymonnet does not support HTTP/2 - nor HTTP/3. Then again, it might be possible to implement a minimal client via protocols.cfg hex syntax like with e.g. ajp13 or rdp. But if the handshake needs anything outside the standard TLS handshake (and I'm not that versed in HTTP/2), it will not work.
> And indeed, built-in xymonnet support for HTTP/2 and HTTP/3 would be nice, especially if you could monitor the availability of protocol versions separately (like for HTTPS and HTTP). But I suspect this would need a 3rd party library like curl or nghttp2 to be used.
A basic http/2 check really would be useful, but agreed I wouldn't want to add in another library unless, like with openldap, it's just too complex to do otherwise. I haven't looked into the binary header packing involved too much. This was another backburnered item on the list, but if there's demand for /2 testing specifically then it should be bumped up.
-jc
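Added example, not part of the thread and not Xymon code: what a library-free HTTP/2 availability check has to do per RFC 9113. The client offers ALPN "h2" inside the TLS handshake, sends the fixed connection preface plus a SETTINGS frame, and expects a SETTINGS frame back. The function names and the return shape of probe() are assumptions made for illustration.

```python
# Added example (not Xymon code): HTTP/2 availability probe per RFC 9113.
import socket
import ssl
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # fixed client connection preface
SETTINGS, ACK = 0x4, 0x1                          # frame type and flag values

def frame(ftype, flags, stream_id, payload=b""):
    """Pack a frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return struct.pack(">I", len(payload))[1:] + struct.pack(
        ">BBI", ftype, flags, stream_id & 0x7FFFFFFF) + payload

def parse_header(data):
    """Unpack the 9-byte frame header into (length, type, flags, stream_id)."""
    if len(data) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(data[:3], "big")
    ftype, flags, sid = struct.unpack(">BBI", data[3:9])
    return length, ftype, flags, sid & 0x7FFFFFFF

def is_h2_greeting(data):
    """True if the server's first frame is a non-ACK SETTINGS on stream 0."""
    try:
        length, ftype, flags, sid = parse_header(data)
    except ValueError:
        return False
    # Each SETTINGS entry is 6 bytes (16-bit id, 32-bit value).
    return ftype == SETTINGS and sid == 0 and not flags & ACK and length % 6 == 0

def probe(host, port=443, timeout=5.0):
    """Offer only ALPN 'h2'; return (alpn, tls_version, cipher, h2_ok).

    A server without h2 either aborts the handshake (ssl.SSLError) or
    completes it with no ALPN selected; both mean HTTP/2 is unavailable.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = (tls.selected_alpn_protocol(), tls.version(), tls.cipher()[0])
            if info[0] != "h2":
                return info + (False,)
            tls.sendall(PREFACE + frame(SETTINGS, 0, 0))
            buf = b""
            while len(buf) < 9:                  # read exactly one frame header
                chunk = tls.recv(9 - len(buf))
                if not chunk:
                    break
                buf += chunk
            return info + (is_h2_greeting(buf),)
```

The TLS version and cipher returned by probe() also help with the "incompatible ciphers" theory, since they show what a current OpenSSL actually negotiates with the server. Unlike Xymon's check as described in the thread, create_default_context() verifies the certificate chain.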