Monitoring websites using TLS1.3
I'm trying to monitor a website that is operated on part of Cloudflare's setup and I am failing to get a positive result. The website uses TLS1.3 and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.
I'm monitoring the server using the hosts.cfg entry:
0.0.0.0 Website # noconn nosslcert https3://www.website.com/
I've tried other httpsX variants and no joy. The result I get from the website test is the rather sparse "- SSL error"
Digging into Xymonnet gives a more cryptic
Unspecified SSL error in SSL_connect to https (47873/tcp) on host xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
I'm assuming the issue is around the version of OpenSSL, as the OpenSSL v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.
I have three questions:
Is there a way of setting Xymon up to manage this monitoring?
When is it planned to include OpenSSL v1.1.1 in a Xymon build?
In the meantime, is it worth writing a simple script to test the HTTPS response I need and feed this to Xymon separately?
Many thanks
Martin Davies
Try adding sni to your hosts.cfg line for that server.
Matt
On Wed, Mar 25, 2020 at 8:45 AM <martin at savcom.co.uk> wrote:
I'm trying to monitor a website that is operated on part of Cloudflare's setup and I am failing to get a positive result. The website uses TLS1.3 and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.
I'm monitoring the server using the hosts.cfg entry:
0.0.0.0 Website # noconn nosslcert https3://www.website.com/
I've tried other httpsX variants and no joy. The result I get from the website test is the rather sparse "- SSL error"
Digging into Xymonnet gives a more cryptic
Unspecified SSL error in SSL_connect to https (47873/tcp) on host xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
I'm assuming the issue is around the version of OpenSSL, as the OpenSSL v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.
I have three questions:
Is there a way of setting Xymon up to manage this monitoring?
When is it planned to include OpenSSL v1.1.1 in a Xymon build?
In the meantime, is it worth writing a simple script to test the HTTPS response I need and feed this to Xymon separately?
Many thanks
Martin Davies
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
-- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating medher... "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
Thank you. The Sni has worked.
Martin
From: Matthew Goebel <mgoebel at emich.edu>
Sent: 25 March 2020 13:16
To: martin at savcom.co.uk
Cc: xymon at xymon.com
Subject: Re: [Xymon] Monitoring websites using TLS1.3
Try adding sni to your hosts.cfg line for that server.
Matt
Participants (2): martin@savcom.co.uk, mgoebel@emich.edu