[Xymon] Why does the cipher list in sslcert test show disabled ciphers?

Wed Aug 5 05:17:35 CEST 2015

The attached diff adds an "else" to the --nocipherlist option.  If you use
that option to turn off the cipher list, you get the cipher that was
actually used instead.

It also adds "signature algorithm" to the list of interesting things
printed about the certificate.  I needed that for a CGI script that
screen-scrapes the sslcert column to make up a report for SSL cert
compliance.

Ralph Mitchell



On Tue, Aug 4, 2015 at 6:32 PM, Ribeiro, Glauber <
glauber.ribeiro at experian.com> wrote:

> Yes. This tests every cipher: https://www.ssllabs.com/ssltest/
>
> It tests a bunch of other things too, and it takes forever, because it’s
> cautious not to overload the server with too many requests.
>
> I think a test of every cipher is too much to do every 5 minutes. But
> displaying the cipher actually used, is more useful than displaying the
> full list.
>
>
>
> g
>
>
>
>
>
> *From:* Ralph Mitchell [mailto:ralphmitchell at gmail.com]
> *Sent:* Tuesday, August 04, 2015 17:20
> *To:* Japheth Cleaver
> *Cc:* Ribeiro, Glauber; xymon at xymon.com
> *Subject:* Re: [Xymon] Why does the cipher list in sslcert test show
> disabled ciphers?
>
>
>
> The problem there is that you have to try each cipher in your local list.
> That's setting up and tearing down possibly 40 or more cipher connections
> per ssl test per server per test cycle.  That's the bit where I bailed out
> and went with just displaying the cipher actually used.
>
> Ralph Mitchell
>
> On Aug 4, 2015 6:14 PM, "J.C. Cleaver" <cleaver at terabithia.org> wrote:
>
>
> Hmm. This would seem like something we should probably look into changing.
>
> A list of ciphers the remote host is permiting would be much more valuable
> from a monitoring perspective (when enabled).
>
> -jc
>
>
>
>
> On Tue, August 4, 2015 1:42 pm, Ralph Mitchell wrote:
> > It's not giving you a list of the ciphers the remote host permits.  All
> it
> > does is cycle through the list of ciphers available on the Xymon server.
> I
> > think there's a flag (for xymonnet, maybe?) that turns off that list.  A
> > long time back I patched my copy of xymonnet to only return the cipher
> > actually used to talk to the remore server.
> >
> > There's a program called sslscan that actually tests the entire list of
> > ciphers against the remote host and tells you what works and what fails.
> > That could be incorporated into an external test, maybe.
> >
> > Ralph Mitchell
> > On Aug 4, 2015 12:41 PM, "Ribeiro, Glauber" <
> glauber.ribeiro at experian.com>
> > wrote:
> >
> >> Why does the list of ciphers in the "sslcert" xymon test show ciphers
> >> that
> >> are disabled on the server? For example, we have disabled RC4 ciphers on
> >> our servers, and confirmed using the "Qualys SSL Labs" server test, that
> >> they are turned off. However, xymon still shows them.
> >>
> >> g
> >> _______________________________________________
> >> Xymon mailing list
> >> Xymon at xymon.com
> >> http://lists.xymon.com/mailman/listinfo/xymon[lists.xymon.com]
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=BQMFaQ&c=BNNF-YNv0CLLslhP2Bcx5Q&r=SjsIRf81D06XmEsmKkV_wxtLjrsUQpuz8iegmn0NIEg&m=tf0R2E0QvkcqKbk36jgk0IupIwE_yo0sAeHe3uDTADA&s=IDfRmqRnBp3EmqyfrR8HdyEFK3ltbj-_5BNz0ixJwxI&e=>
> >>
> > _______________________________________________
> > Xymon mailing list
> > Xymon at xymon.com
> > http://lists.xymon.com/mailman/listinfo/xymon[lists.xymon.com]
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=BQMFaQ&c=BNNF-YNv0CLLslhP2Bcx5Q&r=SjsIRf81D06XmEsmKkV_wxtLjrsUQpuz8iegmn0NIEg&m=tf0R2E0QvkcqKbk36jgk0IupIwE_yo0sAeHe3uDTADA&s=IDfRmqRnBp3EmqyfrR8HdyEFK3ltbj-_5BNz0ixJwxI&e=>
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20150804/0de45264/attachment.html>
-------------- next part --------------

--- xymon-4.3.21/xymonnet/contest.c.orig	2015-08-04 20:53:44.044402191 -0400
+++ xymon-4.3.21/xymonnet/contest.c	2015-08-04 21:10:43.736541354 -0400
@@ -445,7 +445,7 @@
 	struct servent *sp;
 	char portinfo[100];
 	X509 *peercert;
-	char *certcn, *certstart, *certend, *certissuer;
+	char *certcn, *certstart, *certend, *certissuer, *certsigalg;
 	int err, keysz = 0;
 	strbuffer_t *sslinfo;
 	char msglin[2048];
@@ -644,6 +644,7 @@
 
 	certcn = X509_NAME_oneline(X509_get_subject_name(peercert), NULL, 0);
 	certissuer = X509_NAME_oneline(X509_get_issuer_name(peercert), NULL, 0);
+	certsigalg = OBJ_nid2ln(OBJ_obj2nid(peercert->sig_alg->algorithm));
 	certstart = strdup(xymon_ASN1_UTCTIME(X509_get_notBefore(peercert)));
 	certend = strdup(xymon_ASN1_UTCTIME(X509_get_notAfter(peercert)));
 	{
@@ -672,8 +673,8 @@
 	}
 
 	snprintf(msglin, sizeof(msglin),
-		"Server certificate:\n\tsubject:%s\n\tstart date: %s\n\texpire date:%s\n\tkey size:%d\n\tissuer:%s\n", 
-		certcn, certstart, certend, keysz, certissuer);
+		"Server certificate:\n\tsubject:%s\n\tstart date: %s\n\texpire date:%s\n\tkey size:%d\n\tissuer:%s\n\tsignature algorithm: %s\n", 
+		certcn, certstart, certend, keysz, certissuer, certsigalg);
 	addtobuffer(sslinfo, msglin);
 	item->certsubject = strdup(certcn);
 	item->certissuer = strdup(certissuer);
@@ -698,6 +699,13 @@
 
 			if ((item->mincipherbits == 0) || (b1 < item->mincipherbits)) item->mincipherbits = b1;
 		}
+	} else {
+		int b1, b2;
+		b1 = SSL_get_cipher_bits(item->ssldata, &b2);
+		certsigalg = OBJ_nid2ln(X509_get_signature_type(peercert));
+		snprintf(msglin, sizeof(msglin), "\nCipher: %s (%d bits)\n", SSL_get_cipher_name(item->ssldata), b1);
+		addtobuffer(sslinfo, msglin);
+		item->mincipherbits = b1; 
 	}
 
 	item->certinfo = grabstrbuffer(sslinfo);
