[Xymon] SSL Errors

Tim McCloskey tm at freedom.com
Tue Dec 9 01:12:28 CET 2014 

Vernon, 

That is a bug in an early version of openssl, http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2240.
Guessing that you can't patch it, so like Scott mentioned you could try to force a version, one that you have.  The following is from the docs in 4.2.0, I did not check if these are still available in 4.3.17.

"
Forcing an HTTP or SSL version
    Some SSL sites will only allow you to connect, if you use specific "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience shows that this fails on some systems.

    bbtest-net can be told to use specific dialects, by adding one or more "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:

    * "2", e.g. https2://www.sample.com/ : use only SSLv2
    * "3", e.g. https3://www.sample.com/ : use only SSLv3
    * "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
    * "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
    * "10", e.g. http10://www.sample.com/ : use HTTP 1.0
    * "11", e.g. http11://www.sample.com/ : use HTTP 1.1

    These can be combined where it makes sense, e.g to force SSLv2 and HTTP 1.0 you would use "https210". 
"

You could try http10://urltocert and not auto-negotiate the handshake.


Regards, 

Tim







________________________________________
From: Xymon [xymon-bounces at xymon.com] on behalf of Vernon Everett [everett.vernon at gmail.com]
Sent: Monday, December 8, 2014 3:42 PM
To: Scott Pfister
Cc: Xymon mailinglist
Subject: Re: [Xymon] SSL Errors

Hi Scott

All I get is a new error message. :-(

https3
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4<http://1.2.3.4>: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

httpt
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4<http://1.2.3.4>: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

And the https status remains red.

Regards
Vernon



On 8 December 2014 at 20:50, Scott Pfister <icepickjazz at gmail.com<mailto:icepickjazz at gmail.com>> wrote:
Good morning,

What version of SSL is on the client with the cert? ? Was SSLv3 disabled due to poodle exploit? Can you try forcing it to connect using only TLS or SSLv3? In host.cfg set https3://... or  httpst://...

thanks



On Mon, Dec 8, 2014 at 4:33 AM, Vernon Everett <everett.vernon at gmail.com<mailto:everett.vernon at gmail.com>> wrote:
Hi all

Trying to get an https test working to monitor certificate expiry.
Test shows up red, with very descriptive "SSL Error".

The xymonnet error appears a little more useful, but I can't find a resolution to the problem.
Unspecified SSL error in SSL_connect to 47873/tcp on host  1.2.3.4: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

Additional info.
xymonnet version 4.3.17
SSL library : OpenSSL 1.0.1j 15 Oct 2014
LDAP library: OpenLDAP 20423

Any advice appreciated.

Regards
Vernon

--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton

_______________________________________________
Xymon mailing list
Xymon at xymon.com<mailto:Xymon at xymon.com>
http://lists.xymon.com/mailman/listinfo/xymon





--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton

More information about the Xymon mailing list