SSL Certs on servers with multiple virtualhosts
I know this is an old thread but I am still interested in this functionality. Does the latest Xymon support this?
cheers,
Troy
----- Original Message -----
From: "John D. Alexander" <JAlexander at feeneywireless.com>
To: xymon at xymon.com
Sent: Friday, August 9, 2013 3:03:55 PM GMT -07:00 US/Canada Mountain
Subject: Re: [Xymon] SSL Certs on servers with multiple virtualhosts
Henrik,
Have you been able to make any progress on the multiple ssl VirtualHost issue?
If need be, I can apply the patch on a system that is reachable from outside and give you access (https) if I can get your IP address.
Thanks much
John Alexander
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: Wednesday, August 07, 2013 2:23 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSL Certs on servers with multiple virtualhosts
On 07-08-2013 19:56, John D. Alexander wrote:
The website is private. I've already rolled back the code but I can reapply the patch and take screen shots if need be.
Judging from the fact that Xymon was saying that the certificates expired about 42 years ago, a couple of the programmers here indicate that it's not picking up data from the certificate properly and interpreting that as the epoch and counting forward from there for expiration date.
Xymon uses the OpenSSL library routines to handle the SSL details, so I would be rather surprised if some kind of bogus certificate data got through all the way to the Xymon code - the openssl library is supposed to discard such invalid data and report an error.
More likely it is some kind of integer overflow. 15500 days before now is suspiciously close to Jan 1st 1970 (start of Unix epoch).
But it surprises me a bit, since I set up a test site here with two vhosts and different certificates, and the new code worked fine here - got the right certificate for each of the two hosts.
What version of OpenSSL are you running on the server where Xymon is compiled? You can check by running "xymonnet --version".
I'll probably send you (directly, not via the list) a test-version of Xymon that logs some more debugging data for this - sometime later this week.
Regards, Henrik
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
On Thu, March 26, 2015 11:53 am, Troy Adams wrote:
I know this is an old thread but I am still interested in this functionality. Does the latest Xymon support this?
Troy,
SNI was added in 4.3.13, but disabled (by default) in 4.3.14 and beyond (since some servers didn't handle it too well).
It can be re-enabled by using the 'sni' tag in hosts.cfg or by passing --sni as an option to xymonnet.
See https://www.xymon.com/help/manpages/man5/hosts.cfg.5.html#lbAM and https://www.xymon.com/help/manpages/man1/xymonnet.1.html#lbAI
HTH,
-jc
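
An added example, not part of the original thread and not Xymon code: a stand-alone Python check that reads the certificate a server presents with and without an SNI name, and separates a real expiry from the "expired about 42 years ago" result discussed above (an expiry time of 0). The function names and the 2-day tolerance are assumptions made for this illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def days_until(not_after, now):
    """Whole days from `now` to a notAfter string as returned by getpeercert()."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).days


def classify(days_left, now, warn_days=30):
    """Tell a real expiry apart from an expiry time that came back as 0."""
    # An expiry of time_t 0 shows up as "expired <days since 1970> days ago".
    if abs(days_left + (now - EPOCH).days) <= 2:
        return "bogus-epoch"
    if days_left < 0:
        return "expired"
    return "expiring" if days_left <= warn_days else "ok"


def fetch_not_after(address, port=443, vhost=None, timeout=10):
    """Return notAfter of the certificate served at address:port.

    vhost is sent as the SNI name; vhost=None sends no SNI, so the server
    answers with its default certificate.
    """
    ctx = ssl.create_default_context()
    # Inspection only: we want to read whichever certificate is served, even
    # if its name does not match. The chain must still validate, because
    # getpeercert() returns no fields for an unverified certificate.
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=vhost) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: script.py <address> <vhost> [<vhost> ...]
    address, now = sys.argv[1], datetime.now(timezone.utc)
    for vhost in [None] + sys.argv[2:]:
        left = days_until(fetch_not_after(address, vhost=vhost), now)
        print(f"{vhost or '(no SNI)'}: {left} days, {classify(left, now)}")
```

If the "(no SNI)" line and a vhost line report different expiry dates, the server selects certificates by SNI, and a monitor that does not send SNI is checking the default certificate only.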