Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[cid:image001.png at 01D1C020.10EBCB70] https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
?I use httpsth://whatever.com
The 't' forces TLS1 and 'h' forces > 128bit ciphers. This is monitoring apache, websphere and squid (reverse proxy). Did you have a look at the host.cfg man page?
cheers, Phil
From: Gore, David W (David) <david.gore at verizon.com> Sent: Tuesday, 7 June 2016 7:50 AM To: xymon at xymon.com Subject: [Xymon] Support for TLS v1.1 and 1.2?
Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[red] https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):
Mark Felder,
Mentioned last year around April 17^th , 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
redhttps://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
Xymon: 4.3.26
David W Gore
Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Tuesday, June 7, 2016 9:51 AM To: Gore, David W (David); xymon at xymon.com Subject: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David): Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[imap://henrik%40hswn%2Edk at mail.hswn.dk:143/fetch%3EUID%3E.Lister.Xymon%3E13013?part=1.2&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png]https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
Hi,
Xymon asks OpenSSL to connect using any available SSL/TLS protocol and this should auto-negotiate to whatever protocol both sides support, which is what SSL/TLS clients (browsers etc) would normally do.
This is different from what you do with the command-line tests below; you explicitly request one of the TLS 1.x methods, so auto-negotiate is turned off. Could you running this command without the "-tls*" option?
Have you tried to configure Xymon to specifically use TLS 1? Put "httpst://www.example.com/" in hosts.cfg (the the 't' added to https). This will specifically request a TLSv1 connection. You are right that Xymon does not have similar ways to request TLSv1.1 and TLSv1.2 connections.
Regards, Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David):
Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation
Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
*From:*Henrik Størner [mailto:henrik at hswn.dk] *Sent:* Tuesday, June 7, 2016 9:51 AM https://xymon1.domain.com <https://xymon1.domain.com/>*To:* Gore, David W (David); xymon at xymon.com *Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):
Mark Felder, Mentioned last year around April 17^th , 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon. redhttps://xymon1.domain.com/ - SSL error The sslcert test goes purple. Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26 David W Gore
Hi Henrik,
httpst://www.example.com/, yes this is how our entries are set. I should have shared it before but the only change made to our environment was to update the Apache .conf file with this entry:
SSLProtocol -ALL +TLSv1.2
If I want xymon to not error I could change it back to:
SSLProtocol -ALL +TLSv1
But then I would be using TLSv1.0 and our servers will fail security scans
The xymon entry is httpst as we have been using TLS for some time.
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Wednesday, June 8, 2016 3:14 AM To: Gore, David W (David); xymon at xymon.com Subject: Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi,
Xymon asks OpenSSL to connect using any available SSL/TLS protocol and this should auto-negotiate to whatever protocol both sides support, which is what SSL/TLS clients (browsers etc) would normally do.
This is different from what you do with the command-line tests below; you explicitly request one of the TLS 1.x methods, so auto-negotiate is turned off. Could you running this command without the "-tls*" option?
Have you tried to configure Xymon to specifically use TLS 1? Put "httpst://www.example.com/" in hosts.cfg (the the 't' added to https). This will specifically request a TLSv1 connection. You are right that Xymon does not have similar ways to request TLSv1.1 and TLSv1.2 connections.
Regards, Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David): Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Tuesday, June 7, 2016 9:51 AM https://xymon1.domain.com<https://xymon1.domain.com/>To: Gore, David W (David); xymon at xymon.com<mailto:xymon at xymon.com> Subject: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David): Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[imap://henrik%40hswn%2Edk at mail.hswn.dk:143/fetch%3EUID%3E.Lister.Xymon%3E13013?part=1.2&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png]https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
Hi David,
could you try this patch and let me know if it works with this change? This simply changes "httpst://..." to use ONLY TLS 1.2, so if you have other httpst-defs that are not 1.2 then they will probably fail.
Regards, Henrik
Den 08-06-2016 kl. 12:47 skrev Gore, David W (David):
Hi Henrik,
httpst://www.example.com/, yes this is how our entries are set. I should have shared it before but the only change made to our environment was to update the Apache .conf file with this entry:
SSLProtocol -ALL +TLSv1.2
If I want xymon to not error I could change it back to:
SSLProtocol -ALL +TLSv1
But then I would be using TLSv1.0 and our servers will fail security scans
The xymon entry is httpst as we have been using TLS for some time.
*From:*Henrik Størner [mailto:henrik at hswn.dk] *Sent:* Wednesday, June 8, 2016 3:14 AM *To:* Gore, David W (David); xymon at xymon.com *Subject:* Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi,
Xymon asks OpenSSL to connect using any available SSL/TLS protocol and this should auto-negotiate to whatever protocol both sides support, which is what SSL/TLS clients (browsers etc) would normally do.
This is different from what you do with the command-line tests below; you explicitly request one of the TLS 1.x methods, so auto-negotiate is turned off. Could you running this command without the "-tls*" option?
Have you tried to configure Xymon to specifically use TLS 1? Put "httpst://www.example.com/" in hosts.cfg (the the 't' added to https). This will specifically request a TLSv1 connection. You are right that Xymon does not have similar ways to request TLSv1.1 and TLSv1.2 connections.
Regards, Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David):
Hi Henrik, It is. Specifically I use this: openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation Secure Renegotiation IS supported This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page: 2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version This is Mark’s post: http://lists.xymon.com/pipermail/xymon/2015-April/041568.html My guess is, Xymon doesn’t properly support the minor versions of TLS? *From:*Henrik Størner [mailto:henrik at hswn.dk] *Sent:* Tuesday, June 7, 2016 9:51 AM https://xymon1.domain.com <https://xymon1.domain.com/>*To:*Gore, David W (David); xymon at xymon.com <mailto:xymon at xymon.com> *Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2? Hi David, Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols. Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet. Regards, Henrik Den 07-06-2016 kl. 00:20 skrev Gore, David W (David): Mark Felder, Mentioned last year around April 17^th , 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon. redhttps://xymon1.domain.com/ - SSL error The sslcert test goes purple. Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26 David W Gore
Hi Henrik,
Yes, it does fix the TLS 1.2 servers and breaks the TLS 1.0 servers ;).
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Wednesday, June 8, 2016 12:44 PM To: Gore, David W (David); xymon at xymon.com Subject: Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
could you try this patch and let me know if it works with this change? This simply changes "httpst://..." to use ONLY TLS 1.2, so if you have other httpst-defs that are not 1.2 then they will probably fail.
Regards, Henrik
Den 08-06-2016 kl. 12:47 skrev Gore, David W (David): Hi Henrik,
httpst://www.example.com/, yes this is how our entries are set. I should have shared it before but the only change made to our environment was to update the Apache .conf file with this entry:
SSLProtocol -ALL +TLSv1.2
If I want xymon to not error I could change it back to:
SSLProtocol -ALL +TLSv1
But then I would be using TLSv1.0 and our servers will fail security scans
The xymon entry is httpst as we have been using TLS for some time.
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Wednesday, June 8, 2016 3:14 AM To: Gore, David W (David); xymon at xymon.com<mailto:xymon at xymon.com> Subject: Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi,
Xymon asks OpenSSL to connect using any available SSL/TLS protocol and this should auto-negotiate to whatever protocol both sides support, which is what SSL/TLS clients (browsers etc) would normally do.
This is different from what you do with the command-line tests below; you explicitly request one of the TLS 1.x methods, so auto-negotiate is turned off. Could you running this command without the "-tls*" option?
Have you tried to configure Xymon to specifically use TLS 1? Put "httpst://www.example.com/" in hosts.cfg (the the 't' added to https). This will specifically request a TLSv1 connection. You are right that Xymon does not have similar ways to request TLSv1.1 and TLSv1.2 connections.
Regards, Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David): Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Tuesday, June 7, 2016 9:51 AM https://xymon1.domain.comTo: Gore, David W (David); xymon at xymon.com<mailto:xymon at xymon.com> Subject: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David): Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[imap://henrik%40hswn%2Edk at mail.hswn.dk:143/fetch%3EUID%3E.Lister.Xymon%3E13013?part=1.2&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png]https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
Hi,
this problem ties in with another issue reported recently with Xymon not compiling with the upcoming OpenSSL 1.1 release.
Could you try the attached patch? This extends the current https2/https3/httpst so you can now use: httpsa for TLS 1.0, httpsb for TLS 1.1 and httpsc for TLS 1.2.
Anyone else using the specific SSL/TLS protocols, please feel free to try this patch. It changes the way protocol selection is done (using some different API calls), so any breakage would be nice to have reported as soon as possible.
Also, the sslcert tests will no longer report the possible encryption protocols - only the one that is actually used.
Regards,
Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David):
Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation
Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
*From:*Henrik Størner [mailto:henrik at hswn.dk] *Sent:* Tuesday, June 7, 2016 9:51 AM *To:* Gore, David W (David); xymon at xymon.com *Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):
Mark Felder, Mentioned last year around April 17^th , 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon. redhttps://xymon1.domain.com/ - SSL error The sslcert test goes purple. Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26 David W Gore
Hi Henrik,
As best I can tell it all works quite nicely. Thank you so much for your efforts!
~David
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Monday, June 27, 2016 10:55 AM To: Gore, David W (David); xymon at xymon.com Subject: Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi,
this problem ties in with another issue reported recently with Xymon not compiling with the upcoming OpenSSL 1.1 release.
Could you try the attached patch? This extends the current https2/https3/httpst so you can now use: httpsa for TLS 1.0, httpsb for TLS 1.1 and httpsc for TLS 1.2.
Anyone else using the specific SSL/TLS protocols, please feel free to try this patch. It changes the way protocol selection is done (using some different API calls), so any breakage would be nice to have reported as soon as possible.
Also, the sslcert tests will no longer report the possible encryption protocols - only the one that is actually used.
Regards,
Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David): Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
From: Henrik Størner [mailto:henrik at hswn.dk] Sent: Tuesday, June 7, 2016 9:51 AM To: Gore, David W (David); xymon at xymon.com<mailto:xymon at xymon.com> Subject: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.
Regards, Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David): Mark Felder,
Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.
[imap://henrik%40hswn%2Edk at mail.hswn.dk:143/fetch%3EUID%3E.Drafts%3E2387?part=&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png]https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo) Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013 Xymon: 4.3.26
David W Gore
participants (3)
-
david.gore@verizon.com
-
henrik@hswn.dk
-
Phil.Crooker@orix.com.au