random errors with imaps/pop3s servers offering TLS 1.3
Hi,
I have found an issue when trying to monitor imaps and pop3s servers offering TLS 1.3.
My xymon server configuration:
freebsd-version -u
12.0-RELEASE-p5
openssl version
OpenSSL 1.1.1a-freebsd 20 Nov 2018
Standard FreeBSD xymon-server pkg:
pkg info xymon-server-4.3.28
xymon-server-4.3.28
Name : xymon-server
Version : 4.3.28
Installed on : Fri Feb 22 14:19:11 2019 CET
Origin : net-mgmt/xymon-server
Architecture : FreeBSD:12:amd64
Prefix : /usr/local
Categories : net-mgmt www
Licenses : GPLv2
Maintainer : feld at FreeBSD.org
WWW : http://xymon.sourceforge.net/
Comment : System for monitoring servers and networks
Options :
    DEBUG : off
    LDAP : off
    NETSNMP : off
Shared Libs required:
    libcares.so.2
    libpng16.so.16
    libpcre.so.1
    librrd.so.8
Annotations :
    FreeBSD_version: 1200086
    cpe : cpe:2.3:a:xymon:xymon:4.3.28:::::freebsd12:x64
    repo_type : binary
    repository : FreeBSD
Flat size : 26.5MiB
...
ldd /usr/local/www/xymon/server/bin/xymonnet
/usr/local/www/xymon/server/bin/xymonnet:
    libcares.so.2 => /usr/local/lib/libcares.so.2 (0x80027c000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800297000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x80032c000)
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800619000)
    libc.so.7 => /lib/libc.so.7 (0x8006bd000)
    libthr.so.3 => /lib/libthr.so.3 (0x800ab0000)
When trying to monitor a pop3s or imaps server offering TLS 1.3, I got random errors:
WARNING: Flapping status Service imaps on xxx is not OK : Unexpected service response
If I monitor the same services on another server not offering TLS 1.3, all is fine.
Both servers were running dovecot.
I wrote an extension in Perl using IO::Socket::SSL (and the same local openssl) to monitor the server offering TLS 1.3 and all is fine with it.
For some strange reason, I can monitor https web servers (running nginx or apache) offering TLS 1.3 without this issue but not imaps/pop3s.
It looks like the https test is different from other ssl/tls tests and does not have the TLS 1.3 issue.
Regards,
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registar ID 74
On Tuesday, 30 July 2019 15:40:42 CEST Laurent Frigault wrote:
Hi,
I have found an issue when trying to monitor imaps and pop3s servers offering TLS 1.3. [...] For some strange reason, I can monitor https web servers (running nginx or apache) offering TLS 1.3 without this issue but not imaps/pop3s.
It looks like the https test is different from other ssl/tls tests and does not have the TLS 1.3 issue.
Hello List,
this issue is also discussed in
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1804680.html
and
https://salsa.debian.org/debian/xymon/-/merge_requests/1
at least contains an attempt to patch this.
I can also confirm this TLS 1.3 issue for Ubuntu (currently 18.4 LTS bionic). It affects all banner checks in combination with TLS 1.3.
Kind regards, Lars
-- Lars Kollstedt
Phone: +49 6151 16-71027 E-Mail: lk at man-da.de
man-da.de GmbH Dolivostraße 11 64293 Darmstadt
Registered office: Darmstadt Register court: Amtsgericht Darmstadt Commercial register number: HRB 9484 Managing director: Andreas Ebert