SSL Error [SEC=UNCLASSIFIED]
Hi Xymon community,
I'm getting a bunch of SSL Error alerts on some websites.
Here is one example:
https://kct-uat.agriculture.vic.gov.au/
If I add this to xymon, I get:
Thu Nov 3 03:50:38 2016: SSL error red https://kct-uat.agriculture.vic.gov.au/ - SSL error
I did some digging through the xymon archives and openssl errors and found this:
http://lists.xymon.com/archive/2013-January/036688.html
and this:
http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-se...
So when I run this command from my Xymon server I get the 104 error:
openssl s_client -connect kct-uat.agriculture.vic.gov.au:443
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 247 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
But if I add the SNI, I get a nice connection:
openssl s_client -connect kct-uat.agriculture.vic.gov.au:443 -servername kct-uat.agriculture.vic.gov.au
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = AU, ST = Victoria, L = Melbourne, O = "Department of Economic Development, Jobs Transport and Resources", CN = *.agriculture.vic.gov.au
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF
    Session-ID-ctx:
    Master-Key: 0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1478145325
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
But now I'm not sure what to do next... Any ideas?
Thanks,
Martin.
Department of Economic Development, Jobs, Transport and Resources, Government of Victoria, Victoria, Australia.
This email, and any attachments, may contain privileged and confidential information. If you are not the intended recipient, you may not distribute or reproduce this e-mail or the attachments. If you have received this message in error, please notify us by return email.
Martin,
There is an option for xymonnet to enable SNI - here's my tasks.cfg snippet - see man xymonnet:
[xymonnet]
    ENVFILE /home/xymon/server/etc/xymonserver-net.cfg
    NEEDS xymond
    CMD xymonnet --report --ping --checkresponse --bb-proxy-syntax --sni=on --timeout=20 --sslkeysize=2048
    LOGFILE $XYMONSERVERLOGS/xymonnet.log
    INTERVAL 5m
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830
PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au
1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au
This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
On 11/2/2016 8:22 PM, David Baldwin wrote:
SNI can also be enabled per-host. See the man page for hosts.cfg:
sni
nosni
    Enables or disables use of SNI (Server Name Indication) for SSL tests. Some SSL implementations cannot handle SSL handshakes with SNI data, so Xymon by default does not use SNI. This default can be changed with the "--sni" option for xymonnet(1) but can also be managed per host with these tags. SNI support was added in Xymon 4.3.13, where the default was to use SNI. This was changed in 4.3.14 so SNI support is disabled by default, and the "sni" and "nosni" tags were introduced together with the "--sni" option for xymonnet.
-- Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
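The diagnostic the thread walks through by hand (s_client without and then with -servername), as an added Python example written for this thread; it is not code from any of the posters or from Xymon itself. The host given on the command line is a placeholder, and the strings it returns are the hosts.cfg tags described above.

```python
"""Diagnose whether an HTTPS host needs SNI, the decision behind Xymon's sni/nosni tags."""
import socket
import ssl


def tls_probe(host: str, port: int = 443, sni: bool = True, timeout: float = 10.0) -> dict:
    """Attempt one TLS handshake with or without SNI and report the outcome instead of raising."""
    ctx = ssl.create_default_context()
    if not sni:
        # With no server name sent there is nothing to match the certificate's name against,
        # so only hostname matching is switched off; the chain is still verified.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                cert = tls.getpeercert()
                cn = dict(rdn[0] for rdn in cert.get("subject", ())).get("commonName")
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0], "cn": cn}
    except ssl.SSLError as exc:
        return {"ok": False, "error": f"ssl: {exc.reason or exc}"}
    except OSError as exc:  # covers ConnectionResetError (errno 104), timeouts, refused
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def sclient_looks_like_sni_reset(output: str) -> bool:
    """Recognise the s_client signature from the thread: the server resets the connection
    while the ClientHello is being written (errno 104) and never returns a certificate."""
    return "errno=104" in output and "no peer certificate available" in output


def diagnose(without_sni: dict, with_sni: dict) -> str:
    """Map a pair of probe outcomes onto the hosts.cfg tag to use for this host."""
    if not without_sni["ok"] and with_sni["ok"]:
        return "sni"          # server requires SNI: add the 'sni' tag or run xymonnet --sni=on
    if without_sni["ok"] and not with_sni["ok"]:
        return "nosni"        # server mishandles SNI: keep Xymon's default 'nosni'
    if without_sni["ok"] and with_sni["ok"]:
        return "either"       # both work; the check passes regardless of the tag
    return "unreachable"      # fails both ways, so SNI is not the problem


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    results = {flag: tls_probe(target, sni=flag) for flag in (False, True)}
    print(results, "->", diagnose(results[False], results[True]))
```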