[Xymon] cipher list in sslcert column

Phil Crooker Phil.Crooker at orix.com.au
Tue May 1 03:32:51 CEST 2012


Just out of interest, I noticed this a while back, that the apache
servers are showing the entire cipher list in the sslcert test. However
we also use IBM's HTTP Server (an apache server with modifications)
which uses a different SSL module, mod_ibm_ssl.so. When xymon tests
these servers it returns the ciphers actually in use. So I thought the
apache mod_ssl was involved in the output as well.

cheers, Phil


>>> On 30/04/2012 at 2:43 PM, in message
<CAAEjoCUAFBSN3euO6vNvgr1JBQYpe6Euwhft7ZyuGeYTQsUJmA at mail.gmail.com>,
Ralph Mitchell <ralphmitchell at gmail.com> wrote:
> So, the question is, does the sslbits option look at the actual
> connection xymon just made to the remote server, or is it looking at
> the lowest number of bits in the cipher list?  If the latter, that's
> pretty much worthless as a test...
> 
> xymonnet/contest.c, starting at line 653, loops through available
> ciphers and saves lowest number of bits in item->mincipherbits.
> 
> Right above that loop there are several calls to X509 functions to
> get the CN and the start/end times.  If there's one that would get the
> number of bits for the actual connection, that could replace the
> loop and the sslbits test would be all good.  I think.  Maybe.  Dunno
> enough about x509 programming, that's fer sure!  :-)
> 
> Or maybe I'm overlooking something - wouldn't be the first time... :-)
> 
> Ralph Mitchell
> 
> 
> On Sun, Apr 29, 2012 at 11:44 PM, Jeremy Laidman
> <jlaidman at rebel-it.com.au> wrote:
>> Ralph
>>
>> I believe you are correct that this shows the Xymon server's list
>> of ciphers.  I have different servers that I monitor, and they accept
>> connections using different sets of ciphers (tested with "openssl
>> s_client -cipher NAME-OF-CIPHER hostname") yet the lists of ciphers on each
>> of the Xymon sslcert status pages are identical.
>>
>> Also, the output of "openssl ciphers -v" on the Xymon server is
>> suspiciously identical, in content and order, to those listed on the sslcert
>> status page.
>>
>> Cheers
>> Jeremy
>>
>> On Thu, Apr 26, 2012 at 2:59 PM, Ralph Mitchell
>> <ralphmitchell at gmail.com> wrote:
>>>
>>> I was looking at the list of available ciphers in the sslcert
>>> column, and I'm wondering exactly what that's showing?  Even when the
>>> server is running mod_nss with FIPS-140 turned on, the ciphers list still
>>> includes 40-bit & 56-bit ciphers, which are definitely not supposed
>>> to be available.
>>>
>>> So, would I be right in thinking that "Available Ciphers" means
>>> "Ciphers available on the Xymon server", rather than "Ciphers that
>>> the remote system will accept"??
>>>
>>> I was hoping that it was showing the list of ciphers the remote
>>> server would accept, because that would tie-in with the "sslbits" option
>>> specifying a minimum encryption level.  As it is, if I set
>>> sslbits=256 for my FIPS-140 server, xymon alerts because it thinks the minimum
>>> available bits is 40.
>>>
>>> I'm going to try sslscan (http://sourceforge.net/projects/sslscan/)
>>> tomorrow and see what it says.  From what I've read this evening,
>>> it may be necessary to hit the remote server with a request for every
>>> available encryption, and see what it will accept.  That's how
>>> sslscan does it.
>>>
>>> So, does anybody know for sure if the cipher list is local to the
>>> xymon server, or is it somehow gathered from the remote server??
>>>
>>> Ralph Mitchell
>>> _______________________________________________
>>> Xymon mailing list
>>> Xymon at xymon.com 
>>> http://lists.xymon.com/mailman/listinfo/xymon 
>>
>>