[Xymon] [E] Re: Support for TLS v1.1 and 1.2?

Henrik Størner henrik at hswn.dk
Mon Jun 27 16:54:48 CEST 2016


Hi,

this problem ties in with another issue reported recently with Xymon not 
compiling with the upcoming OpenSSL 1.1 release.

Could you try the attached patch? This extends the current 
https2/https3/httpst so you can now use: httpsa for TLS 1.0, httpsb for 
TLS 1.1 and httpsc for TLS 1.2.

Anyone else using the specific SSL/TLS protocols, please feel free to 
try this patch. It changes the way protocol selection is done (using 
some different API calls), so any breakage would be nice to have 
reported as soon as possible.

Also, the sslcert tests will no longer report the possible encryption 
protocols - only the one that is actually used.


Regards,

Henrik



On 07-06-2016 at 16:26, Gore, David W (David) wrote:
>
> Hi Henrik,
>
> It is. Specifically I use this:
>
> openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation
>
> Secure Renegotiation IS NOT supported
>
> openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation
>
> Secure Renegotiation IS NOT supported
>
> openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation
>
> Secure Renegotiation IS supported
>
> This is what xymon logs in xymonnet.log which you can also see 
> alerting for the xymonnet column on the web page:
>
> 2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to 
> https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
> 2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to 
> https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
> 2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to 
> https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
> This is Mark’s post:
>
> http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
>
> My guess is, Xymon doesn’t properly support the minor versions of TLS?
>
> *From:*Henrik Størner [mailto:henrik at hswn.dk]
> *Sent:* Tuesday, June 7, 2016 9:51 AM
> *To:* Gore, David W (David); xymon at xymon.com
> *Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
>
> Hi David,
>
> Xymon uses the openssl library on the Xymon server to do SSL/TLS. So 
> the most basic of tests would be to run "openssl s_client -connect 
> xymon1.domain.com:443" to see if your OpenSSL library supports the 
> necessary protocols.
>
> Note that you may have multiple versions of OpenSSL installed, so to 
> be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet 
> --version" will tell you which OpenSSL version it was compiled with, 
> and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at 
> least) what the actual library is that is used by xymonnet.
>
>
> Regards,
> Henrik
>
> On 07-06-2016 at 00:20, Gore, David W (David) wrote:
>
>     Mark Felder,
>
>     Mentioned last year around April 17th, 2015 where Xymon support
>     for TLS v1.1 and v1.2 may be lacking.  Perhaps the issue is more
>     my naiveté, but does anyone know how I can get the sslcert and http
>     tests to work correctly with Apache and Xymon?
>
>     red https://xymon1.domain.com/ - SSL error
>
>     The sslcert test goes purple.
>
>     Os: Red Hat Enterprise Linux Server release 7.2 (Maipo)
>
>     Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
>
>     Xymon:  4.3.26
>
>     David W Gore
>
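As an added example (not part of this thread and not the Xymon patch), the script below does in Python what David's three openssl s_client runs do: it pins a client context to a single protocol version with minimum_version/maximum_version instead of a version-specific method, which is the same shift the OpenSSL 1.1 API forces. The httpsa/httpsb/httpsc names follow Henrik's message; using Python's ssl module (which wraps the same OpenSSL calls) is my assumption.

```python
import socket
import ssl

# Xymon test name -> the single TLS version it should negotiate, as
# described in Henrik's message (httpsa = 1.0, httpsb = 1.1, httpsc = 1.2).
XYMON_TLS_TESTS = {
    "httpsa": ssl.TLSVersion.TLSv1,
    "httpsb": ssl.TLSVersion.TLSv1_1,
    "httpsc": ssl.TLSVersion.TLSv1_2,
}


def context_for_test(testname):
    """Build an SSLContext pinned to exactly one protocol version.

    A generic client context is clamped to one version rather than
    created with a version-specific method; certificate checking stays
    on so a monitoring check fails on a bad chain, not only on a bad version.
    """
    version = XYMON_TLS_TESTS[testname]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, testname="httpsc", timeout=5.0):
    """One handshake with the pinned version; returns (ok, detail).

    A server that refuses that version answers with the 'protocol version'
    alert quoted from xymonnet.log above, which surfaces here as SSLError.
    """
    ctx = context_for_test(testname)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def probe_all(host, port=443):
    """Mirror the three s_client runs: one result per Xymon test name."""
    return {name: probe(host, port, name) for name in XYMON_TLS_TESTS}


if __name__ == "__main__":
    import sys
    for name, (ok, detail) in probe_all(sys.argv[1]).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({detail})")
```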

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xymon-openssl-1.1.diff
Type: text/x-patch
Size: 7601 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20160627/2d2b6bf8/attachment.bin>