[Xymon] Advice for installing Xymon server supporting TLS 1.2

David Baldwin david.baldwin at ausport.gov.au
Thu Mar 24 07:12:06 CET 2016


Ian,

I feel your pain. SSL/TLS issues have become a major thorn in the side
in the past few years, as has updating recalcitrant services that use
out-of-date protocols and/or poor cipher choices. It's a seriously
fast-moving target :(

My thoughts are that the best option is to write a custom test using
testssl.sh - https://testssl.sh

This tool comes with its own statically linked version of openssl with
all known ciphers supported.
Its tests are very comprehensive and can be used for almost any server
using SSL/TLS including many starttls protocols.
It already does some colour coding - and the print functions that do the
colouring are neatly grouped - wouldn't be a big stretch to add some
logic to maintain an overall status and collect major warnings to
highlight at the top of the message, then wrap the output as a status
message to deliver to your xymon server.

It's just waiting for a bash scripter to give it a bit of hacking. It's a
test you'd only need to run every hour at most, because it takes a while
to run and the target doesn't change quickly - it's more to pick up on
dodgy changes possibly made in error.

I understand that it's still important to get the in-built https tests
working for checking site reachability, and that's as much an issue with
the openssl version installed, which in turn depends on the underlying
distro and version. I have a 4.3.19 server on CentOS 6 that works just
fine for TLS1.2 and SNI, but my older CentOS 5 server would be too much
of an issue to get working. Easier to off-load the xymonnet processing
to a satellite server that is capable of running the tests and leave it
there. There were also some recent SSL patches relating to negotiating
around versions of openssl with SSLv2 removed, etc.

David.
> Hi All,
>
> I have an older Xymon server (4.3.9) that I am replacing / upgrading
> to the current version (4.3.26).  What I absolutely require from my
> new build is HTTPS check compatibility with websites that only accept
> modern security protocols like TLS, i.e. not SSL2 or SSL3, that are no
> longer safe to use.
>
> My existing Xymon server can't connect to some of our more secure
> websites that only use TLS 1.1+ or require SNI support.  I have been
> practising my new Xymon build in a virtual environment on CentOS 7.2
> but have not been able to get it into a state that can connect to all
> our more secure websites, usually getting 'SSL Error' on the HTTP
> check.  (error also replicated with wget)
>
> I know this is related to the version of OpenSSL installed on the
> system.  I think I want the newest version available!
>
> I have tried using both the Terabithia Xymon package and compiling
> myself.  I have also tried to install or upgrade a newer version of
> OpenSSL either before or after installing xymon.  (Often when I update,
> the version of OpenSSL will revert to an older version when I do a
> 'yum update'.)
>
> I have searched the mailing list and found others with related issues,
> but rather than ask for specific troubleshooting steps, I wonder if
> anyone could provide general advice in terms of the order of
> installing components when setting up a fresh Xymon server for it to
> hopefully use the most recent version of OpenSSL available and be able
> to be updated with yum in future?
>
> Kind Regards,
>
> Ian


-- 
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission          http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au          1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
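The wrapper David sketches above, written out as an added example (this is not code from David, Ian, the testssl.sh project or Xymon): a POSIX shell ext script that runs testssl.sh with CSV output, maps each finding's severity to a Xymon colour, keeps the worst colour as the overall status, collects the HIGH/CRITICAL findings to highlight at the top, and delivers the result as a status message. The testssl.sh path, the column name `sslcheck`, the `--quiet --color 0 --csvfile` flags and the CSV column order (id, fqdn/ip, port, severity, finding) are assumptions to check against `testssl.sh --help` for your version; the sample CSV at the bottom is constructed, not real scan output.

```shell
#!/bin/sh
# Added example: wrap testssl.sh as a Xymon "sslcheck" column.
# Assumptions (not from the original post): testssl.sh 2.8+ with --csvfile,
# whose CSV columns are taken to be id,fqdn/ip,port,severity,finding[,...];
# the install path and column name below are placeholders.
TESTSSL="${TESTSSL:-/usr/local/bin/testssl.sh}"
COLUMN="${COLUMN:-sslcheck}"

unquote() { printf '%s' "$1" | tr -d '"'; }

# testssl.sh severity label -> Xymon colour
severity_colour() {
  case "$(unquote "$1")" in
    CRITICAL|HIGH)   echo red ;;
    MEDIUM|LOW|WARN) echo yellow ;;
    *)               echo green ;;   # OK, INFO, DEBUG and the CSV header line
  esac
}

colour_rank() { case "$1" in red) echo 3 ;; yellow) echo 2 ;; *) echo 1 ;; esac; }

# Print the worse of two colours, so the overall status is the worst finding seen.
worse_colour() {
  if [ "$(colour_rank "$1")" -ge "$(colour_rank "$2")" ]; then echo "$1"; else echo "$2"; fi
}

# Read testssl.sh CSV findings on stdin, print the overall Xymon colour.
overall_colour() {
  worst=green
  while IFS=, read -r _id _host _port sev _finding; do
    worst=$(worse_colour "$worst" "$(severity_colour "$sev")")
  done
  echo "$worst"
}

# Read the same CSV on stdin, print only HIGH/CRITICAL findings as "id: finding".
major_warnings() {
  while IFS=, read -r id _host _port sev finding; do
    case "$(unquote "$sev")" in
      CRITICAL|HIGH) printf '%s: %s\n' "$(unquote "$id")" "$(unquote "$finding")" ;;
    esac
  done
}

# Xymon status messages name the host with dots replaced by commas (the
# $MACHINE convention); strip any :port suffix from the target first.
xymon_hostname() { printf '%s' "${1%%:*}" | tr . ,; }

# Deliver a status message: via the Xymon client when run under xymonlaunch
# ($XYMON and $XYMSRV set), otherwise just print it for inspection.
xymon_send() {
  if [ -n "${XYMON:-}" ] && [ -n "${XYMSRV:-}" ]; then "$XYMON" "$XYMSRV" "$1"; else printf '%s\n' "$1"; fi
}

run_check() {
  target=$1
  tmpdir=$(mktemp -d) || return 1
  csv=$tmpdir/findings.csv    # fresh dir, so the output file does not already exist
  "$TESTSSL" --quiet --color 0 --csvfile "$csv" "$target" >"$tmpdir/full.txt" 2>&1 || true
  if [ -s "$csv" ]; then
    colour=$(overall_colour <"$csv")
    warnings=$(major_warnings <"$csv")
  else
    # No findings at all means the scan itself failed; do not report green.
    colour=red; warnings="testssl.sh produced no findings for $target (scan failed?)"
  fi
  xymon_send "status $(xymon_hostname "$target").$COLUMN $colour $(date)
testssl.sh check of $target: $colour
${warnings:+
Major findings:
$warnings
}
$(cat "$tmpdir/full.txt")"
  rm -rf "$tmpdir"
}

# Constructed sample CSV (not real scan output) in the assumed column layout.
SAMPLE_CSV='"id","fqdn/ip","port","severity","finding"
"service","www.example.com/192.0.2.10","443","INFO","HTTP"
"SSLv2","www.example.com/192.0.2.10","443","OK","not offered"
"SSLv3","www.example.com/192.0.2.10","443","HIGH","offered"
"TLS1_2","www.example.com/192.0.2.10","443","OK","offered"
"RC4","www.example.com/192.0.2.10","443","MEDIUM","offered"
"heartbleed","www.example.com/192.0.2.10","443","OK","not vulnerable, no heartbeat extension"'

if [ $# -gt 0 ]; then run_check "$1"; fi
```

Run as `testssl-xymon.sh www.example.com:443` to see the status message on stdout; under xymonlaunch (a `[sslcheck]` stanza in clientlaunch.cfg with `CMD`, `ENVFILE` and `INTERVAL 1h`) the same script sends it to the server instead. Because it only needs the xymon client binary, it can live on whichever satellite host has a testssl.sh-capable openssl, which fits the off-loading David describes. The full testssl.sh text output goes below the summary so the colour change and the reason for it are visible together.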



