[E] Re: [Xymon] Support for TLS v1.1 and 1.2?

Gore, David W (David) david.gore at verizon.com
Tue Jun 7 16:26:10 CEST 2016 

Hi Henrik,

It is.  Specifically I use this:

openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported

openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation
Secure Renegotiation IS NOT supported

openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation
Secure Renegotiation IS supported

This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:

2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

This is Mark’s post:

http://lists.xymon.com/pipermail/xymon/2015-April/041568.html

My guess is, Xymon doesn’t properly support the minor versions of TLS?


From: Henrik Størner [mailto:henrik at hswn.dk]
Sent: Tuesday, June 7, 2016 9:51 AM
To: Gore, David W (David); xymon at xymon.com
Subject: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?

Hi David,

Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.

Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.


Regards,
Henrik

Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):
Mark Felder,

Mentioned last year around April 17th, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking.  Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.

[imap://henrik%40hswn%2Edk@mail.hswn.dk:143/fetch%3EUID%3E.Lister.Xymon%3E13013?part=1.2&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png]https://xymon1.domain.com/ - SSL error

The sslcert test goes purple.

Os: Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
Xymon:  4.3.26


David W Gore


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20160607/ae4e27a8/attachment.html>

More information about the Xymon mailing list