[Xymon] XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11 ?

Andrey Chervonets A.Chervonets at cominder.eu
Fri Oct 25 10:52:42 CEST 2013


It looks like xymonnet does not use ssl


 ldd `which wget` | egrep "ssl|crypto" ; echo $?
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f5a5b183000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f5a5ade9000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f5a59ad7000)
0

ldd product/xymon/server/bin/xymonnet | egrep "ssl|crypto" ; echo $?
1

ldd product/xymon/server/bin/xymonnet
        linux-vdso.so.1 =>  (0x00007fff67ffe000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f7a15b07000)
        libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f7a158db000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f7a15547000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f7a1532a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f7a15d18000)


ldd `which openssl` | egrep "ssl|crypto"
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f8fa7ce4000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f8fa7389000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f8fa6fee000)


As I wrote some time ago, I am sure I replied Yes to use SSL 
during xymon installation.
And I reinstalled again on another machine to double-check, but with the 
same result.

So, it looks like the problem is with the installation process. 
Here is "ssl" grepped from the make log. Maybe this will help:

[xymon@miminob xymon-4.3.11]$ grep -i ssl xymon_make.log
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" OSDEF="-DLINUX" RPATHOPT="-Wl,--rpath," PCREINCDIR="" 
ZLIBINCDIR="" SSLFLAGS="" SSLINCDIR="" SSLLIBS="" NETLIBS="" 
LIBRTDEF="-lrt" XYMONTOPDIR="/u01/app/xymon/product/xymon4.3.11" 
XYMONLOGDIR="/u01/app/xymon/logs/xymon4.3.11" 
XYMONHOSTNAME="miminob.cominder.eu" 
XYMONHOSTIP="==XYMON_HOST_IP_REPLACED==" XYMONHOSTOS="linux" make -C lib 
all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLFLAGS="" SSLINCDIR="" SSLLIBS="" 
NETLIBS=""  ZLIBLIBS="" LIBRTDEF="-lrt" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" make -C common all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLFLAGS="" SSLINCDIR="" SSLLIBS="" 
NETLIBS="" LIBRTDEF="-lrt" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" 
XYMONVAR="/u01/app/xymon/product/xymon4.3.11/data" HISTGRAPHDEF="" 
RUNTIMEDEFS="" PCREINCDIR="" PCRELIBS="-lpcre" ZLIBINCDIR="" ZLIBLIBS="" 
make -C xymongen all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLFLAGS="" SSLINCDIR="" SSLLIBS="" 
DOLDAP="" LDAPFLAGS="" LDAPINCDIR="" LDAPLIBS="" DOSNMP="no" NETLIBS="" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" ARESVER="1.7.3" 
FPINGVER="3.0" RUNTIMEDEFS="" PCREINCDIR="" PCRELIBS="-lpcre" 
SQLITELIBS="" ZLIBINCDIR="" ZLIBLIBS="" LIBRTDEF="-lrt" make -C xymonnet 
all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLLIBS="" NETLIBS="" LIBRTDEF="-lrt" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" make -C xymonproxy 
all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLLIBS="" NETLIBS="" LIBRTDEF="-lrt" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" make -C build all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," DORRD="yes" RRDDEF="-DRRDTOOL12" 
RRDINCDIR="" PCREINCDIR="" SSLFLAGS="" SSLLIBS="" NETLIBS="" 
RRDLIBS="-lrrd " PCRELIBS="-lpcre" SQLITELIBS="" ZLIBINCDIR="" ZLIBLIBS="" 
LIBRTDEF="-lrt" XYMONTOPDIR="/u01/app/xymon/product/xymon4.3.11" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" 
XYMONVAR="/u01/app/xymon/product/xymon4.3.11/data" 
XYMONLOGDIR="/u01/app/xymon/logs/xymon4.3.11" 
XYMONHOSTNAME="miminob.cominder.eu" 
XYMONHOSTIP="==XYMON_HOST_IP_REPLACED==" XYMONHOSTOS="linux" 
XYMONUSER="xymon" CGIDIR="/u01/app/xymon/product/xymon4.3.11/cgi-bin" 
SECURECGIDIR="/u01/app/xymon/product/xymon4.3.11/cgi-secure" 
XYMONHOSTURL="/xymon" XYMONCGIURL="/xymon-cgi" 
SECUREXYMONCGIURL="/xymon-seccgi" MAILPROGRAM=""mail"" RUNTIMEDEFS="" 
INSTALLWWWDIR="/u01/app/xymon/product/xymon4.3.11/server/www" 
INSTALLETCDIR="/u01/app/xymon/product/xymon4.3.11/server/etc" 
FPING="xymonping" make -C xymond all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," DORRD="yes" RRDDEF="-DRRDTOOL12" 
RRDINCDIR="" PCREINCDIR="" ZLIBINCDIR="" ZLIBLIBS="" SSLLIBS="" NETLIBS="" 
RRDLIBS="-lrrd " PCRELIBS="-lpcre" LIBRTDEF="-lrt" 
XYMONTOPDIR="/u01/app/xymon/product/xymon4.3.11" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" 
XYMONVAR="/u01/app/xymon/product/xymon4.3.11/data" 
XYMONLOGDIR="/u01/app/xymon/logs/xymon4.3.11" 
XYMONHOSTNAME="miminob.cominder.eu" 
XYMONHOSTIP="==XYMON_HOST_IP_REPLACED==" XYMONHOSTOS="linux" 
XYMONUSER="xymon" CGIDIR="/u01/app/xymon/product/xymon4.3.11/cgi-bin" 
SECURECGIDIR="/u01/app/xymon/product/xymon4.3.11/cgi-secure" 
XYMONHOSTURL="/xymon" XYMONCGIURL="/xymon-cgi" 
SECUREXYMONCGIURL="/xymon-seccgi" MAILPROGRAM=""mail"" RUNTIMEDEFS="" 
INSTALLWWWDIR="/u01/app/xymon/product/xymon4.3.11/server/www" 
INSTALLETCDIR="/u01/app/xymon/product/xymon4.3.11/server/etc" make -C web 
all
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" OSDEF="-DLINUX" RPATHOPT="-Wl,--rpath," PCREINCDIR="" 
ZLIBINCDIR="" SSLFLAGS="" SSLINCDIR="" SSLLIBS="" NETLIBS="" 
LIBRTDEF="-lrt" XYMONTOPDIR="/u01/app/xymon/product/xymon4.3.11" 
XYMONLOGDIR="/u01/app/xymon/logs/xymon4.3.11" 
XYMONHOSTNAME="miminob.cominder.eu" 
XYMONHOSTIP="==XYMON_HOST_IP_REPLACED==" XYMONHOSTOS="linux" 
LOCALCLIENT="" make -C lib client
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
LDFLAGS="" RPATHOPT="-Wl,--rpath," SSLFLAGS="" SSLINCDIR="" SSLLIBS="" 
NETLIBS=""  ZLIBLIBS="" LIBRTDEF="-lrt" 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/server" make -C common 
client
CC="gcc" CFLAGS="-g -O2 -Wall -Wno-unused -Wno-pointer-sign -D_REENTRANT 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLINUX -I`pwd`/include " 
XYMONHOME="/u01/app/xymon/product/xymon4.3.11/client" 
XYMONHOSTIP="==XYMON_HOST_IP_REPLACED==" LOCALCLIENT="" SSLLIBS="" 
NETLIBS="" LIBRTDEF="-lrt" make -C client all

Note: in this e-mail I have replaced the real server IP with 
==XYMON_HOST_IP_REPLACED==.



Best regards,

Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/
mobile: +371 26517848



From:   Jeremy Laidman <jlaidman at rebel-it.com.au>
To:     Andrey Chervonets <A.Chervonets at cominder.eu>, 
Cc:     Henrik Størner <henrik at hswn.dk>, "xymon at xymon.com" 
<xymon at xymon.com>
Date:   25.10.2013 02:45
Subject:        Re: [Xymon] XyMon 4.3.12 - what about HTTPS problems 
reported for 4.3.11 ?



On 23 October 2013 21:16, Andrey Chervonets <A.Chervonets at cominder.eu> 
wrote:
The problem is for some sites with valid certificates too. 
I checked access to the page with wget or lynx, and it is working. 
So I do not see a reason why Xymon should get "Server Timeout" for the same 
target. 

Here is the debug of wget. Please advise how to diagnose/debug Xymon to 
find the solution. 
I am a bit confused why nobody is reporting the same problem: 
* nobody is using the new openssl libraries? 
* nobody does https tests for some, maybe a bit non-standard, SSL 
certificates or web-sites? 

You might just be unlucky.  If half of all websites have implementations 
that trigger the problem, and if half of all Xymon installations have the 
buggy openssl library, then only 25% of people will get the problem. 
 Given that not all Xymon users test https websites, and of those, not all 
of them are subscribed to The List, the odds drop off very quickly.  Oh, 
and my first guesses of half websites and half of openssl installs used 
for Xymon is almost certainly very high. The proportions might be closer 
to 10%.  So the odds are against you finding someone else on The List with 
the same symptoms.

Try the following:

ldd `which wget` | egrep "ssl|crypto"
ldd ~xymon/server/bin/xymonnet | egrep "ssl|crypto"
ldd `which openssl` | egrep "ssl|crypto"

If the libraries used by the two tools are different, then you should not 
be surprised to get different behaviour.

Try configuring a known good website on the Internet in your https 
monitoring.  I'm guessing that https://www.xymon.org/ would be OK.

Try to connect to the websites using openssl:

openssl s_client -connect epak.pmlp.gov.lv:443

If that times out, it might show a message to indicate why.

J
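
The two checks used in this message, `ldd` on the binary and the SSL variables in the make log, written as a small script. This is an added example, not part of the original post or of Xymon; the function names and all sample data are constructed, and the make log is assumed to hold one command per line (unwrapped).

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from a real host.

# Read `ldd` output on stdin. Succeed only if OpenSSL's libssl or libcrypto
# is linked. Stricter than egrep "ssl|crypto", which also matches the
# Kerberos library libk5crypto.
links_openssl() {
    grep -Eq '(^|[[:space:]/])lib(ssl|crypto)\.so'
}

# Read a make log on stdin (one command per line). Print "<dir> <target>"
# for every sub-make that was invoked with an empty SSLLIBS.
steps_without_ssl() {
    awk '/SSLLIBS=""/ && match($0, /make -C [^ ]+ [^ ]+/) {
        print substr($0, RSTART + 8, RLENGTH - 8)
    }'
}

sample_ldd_no_tls() { cat <<'EOF'
        librt.so.1 => /lib64/librt.so.1 (0x0000000000000000)
        libc.so.6 => /lib64/libc.so.6 (0x0000000000000000)
EOF
}

sample_ldd_kerberos_only() { cat <<'EOF'
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000000000000000)
        libc.so.6 => /lib64/libc.so.6 (0x0000000000000000)
EOF
}

sample_ldd_tls() { cat <<'EOF'
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000000000000000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000000000000000)
EOF
}

sample_make_log() { cat <<'EOF'
CC="gcc" SSLFLAGS="" SSLINCDIR="" SSLLIBS="" NETLIBS="" make -C lib all
CC="gcc" SSLLIBS="-lssl -lcrypto" NETLIBS="" make -C xymonproxy all
CC="gcc" SSLFLAGS="" SSLINCDIR="" SSLLIBS="" NETLIBS="" make -C xymonnet all
EOF
}

# Demo on the constructed samples.
sample_make_log | steps_without_ssl
sample_ldd_no_tls | links_openssl || echo "binary is not linked against OpenSSL"
```

On a real host, pipe the `ldd` output of the xymonnet binary into `links_openssl` and feed the unwrapped make log to `steps_without_ssl`.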
