[Xymon] SSL Error after upgrading to Fedora 18

Jason Chambers Jason.Chambers at geosoft.com
Fri Jan 25 18:16:53 CET 2013


Not a problem with that.

* Connected to webapp2013.geosoft.com (192.168.0.9) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./geosoft.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=webapp2013.geosoft.com,OU=IT,O=Geosoft Inc.,L=Toronto,ST=Ontario,C=CA
*       start date: Nov 12 17:31:09 2012 GMT
*       expire date: Nov 12 17:31:09 2014 GMT
*       common name: webapp2013.geosoft.com
*       issuer: CN=Geosoft Inc.,DC=geosoft,DC=com

Jason Chambers
Network Administrator | Geosoft
geosoft.com<http://www.geosoft.com/> | blog<http://blogs.geosoft.com/> | twitter<http://twitter.com/geosoft> | linkedIn<http://www.linkedin.com/company/geosoft-inc.> | facebook<http://www.facebook.com/GeosoftInc> | T +1 416.369.0111 #344 | M +1 416.508.1410

Trending topic on Earth Explorer: VOXI Earth Modelling<http://www.earthexplorer.com/2012/Introduction_of_VOXI_Earth_Modelling_technology.asp>

From: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
Sent: January-25-13 11:11 AM
To: Jason Chambers
Cc: Henrik Størner; xymon at xymon.com
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

Try handing curl the CA cert for your internal CA:

     curl -v --cacert path_to_your_CA_cert.pem https://server.domain.com

Ralph Mitchell

On Fri, Jan 25, 2013 at 10:27 AM, Jason Chambers <Jason.Chambers at geosoft.com<mailto:Jason.Chambers at geosoft.com>> wrote:
I think there might be a bug in OpenSSL in this build of Fedora 18 (which I have updated.) I ran the command you gave me and I'm getting this:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 172 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Which is suggesting that there isn't an SSL certificate there. Yet when I curl the location:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


Would this be everyone elses conclusion as well?


Jason Chambers
Network Administrator | Geosoft
geosoft.com<http://geosoft.com> | blog | twitter | linkedIn | facebook | T +1 416.369.0111 #344<tel:%2B1%20416.369.0111%20%23344> | M +1 416.508.1410<tel:%2B1%20416.508.1410>

Trending topic on Earth Explorer: VOXI Earth Modelling
-----Original Message-----
From: xymon-bounces at xymon.com<mailto:xymon-bounces at xymon.com> [mailto:xymon-bounces at xymon.com<mailto:xymon-bounces at xymon.com>] On Behalf Of Henrik Størner
Sent: January-25-13 1:38 AM
To: xymon at xymon.com<mailto:xymon at xymon.com>
Subject: Re: [Xymon] SSL Error after upgrading to Fedora 18

On 24-01-2013 21:43, Jason Chambers wrote:
> I just upgraded to Fedora 18, and now servers that have SSL signed by
> our internal CA is failing. The http test simply shows "SSL error"
> meanwhile our public (GoDaddy) certs aren't causing issues. Is there a
> log file I can peer into to find out why I'm getting these error
> messages all of a sudden?

No logfile, but try running "openssl s_client -connect IPADDRESS:PORT".
This performs a connect and SSL handshake, which is basically the same as what Xymon does.

I suppose the standard openssl.cnf is used by OpenSSL when Xymon uses the SSL libraries. Perhaps some defaults changed in relation to how openssl performs automatic certificate validation ? Would surprise me, though.


Regards,
Henrik

_______________________________________________
Xymon mailing list
Xymon at xymon.com<mailto:Xymon at xymon.com>
http://lists.xymon.com/mailman/listinfo/xymon
_______________________________________________
Xymon mailing list
Xymon at xymon.com<mailto:Xymon at xymon.com>
http://lists.xymon.com/mailman/listinfo/xymon

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20130125/40e2d82c/attachment.html>


More information about the Xymon mailing list