<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Ian,<br>
<br>
I feel your pain. SSL/TLS issues have become a major thorn in the
side in the past few years, as well as updating recalcitrant services
that use out-of-date protocols and/or poor cipher choices. It's a
seriously fast-moving target :(<br>
<br>
My thoughts are that the best option is to write a custom test
using testssl.sh - <a class="moz-txt-link-freetext" href="https://testssl.sh">https://testssl.sh</a><br>
<br>
This tool comes with its own statically linked version of openssl
with all known ciphers supported.<br>
Its tests are very comprehensive and can be used for almost any
server using SSL/TLS including many starttls protocols.<br>
It already does some colour coding - and the print functions that
do the colouring are neatly grouped - wouldn't be a big stretch to
add some logic to maintain an overall status and collect major
warnings to highlight at the top of the message, then wrap the
output as a status message to deliver to your xymon server.<br>
<br>
It's just waiting for a bash scripter to give it a bit of hacking.
A test you'd only need to run every hour at most, because it takes
a while to run and the target doesn't change quickly - more to
pick up on dodgy changes possibly made in error.<br>
<br>
I understand that it's still important to get the in-built https
tests working for checking site reachability, and that's as much
an issue with the openssl version installed, which in turn depends
on the underlying distro and version. I have a 4.3.19 server on
CentOS 6 that works just fine for TLS1.2 and SNI, but my older
CentOS 5 server would be too much of an issue to get working.
Easier to off-load the xymonnet processing to a satellite server
that is capable of running the tests and leave it there. There
were also some recent SSL patches relating to negotiating around
versions of openssl with SSLv2 removed, etc.<br>
<br>
David.<br>
</div>
<blockquote
cite="mid:CAOna1OCnANmHq7vtx1uPKo92R1GRM-x2OxFg3p2h3bXqo8W3fQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I have an older Xymon server (4.3.9) that I am replacing /
upgrading to the current version (4.3.26). What I absolutely
require from my new build is HTTPS check compatibility with
websites that only accept modern security protocols like TLS,
i.e. not SSL2 or SSL3, that are no longer safe to use.</div>
<div><br>
</div>
<div>My existing Xymon server can't connect to some of our more
secure websites that only use TLS 1.1+ or require SNI
support. I have been practising my new Xymon build in a
virtual environment on CentOS 7.2 but have not been able to
get it into a state that can connect to all our more secure
websites, usually getting 'SSL Error' on the HTTP check.
(error also replicated with wget)</div>
<div><br>
</div>
<div>I know this is related to the version of OpenSSL installed
on the system. I think I want the newest version available!</div>
<div><br>
</div>
<div>I have tried using both the <span style="color:rgb(0,0,0)">Terabithia</span> Xymon
package and compiling myself. I have also tried to install or
upgrade a newer version of OpenSSL either before or after
installing xymon. (Often when I update, the version of OpenSSL
will revert to an older version when I do a 'yum update').<br>
</div>
<div><br>
</div>
<div>I have searched the mailing list and found others with
related issues, but rather than ask for specific
troubleshooting steps, I wonder if anyone could provide
general advice in terms of the order of installing components
when setting up a fresh Xymon server for it to hopefully use
the most recent version of OpenSSL available and be able to be
updated with yum in future?</div>
<div><br>
</div>
<div>Kind Regards,<br>
</div>
<div><br>
</div>
<div>Ian</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Xymon mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Xymon@xymon.com">Xymon@xymon.com</a>
<a class="moz-txt-link-freetext" href="http://lists.xymon.com/mailman/listinfo/xymon">http://lists.xymon.com/mailman/listinfo/xymon</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission <a class="moz-txt-link-freetext" href="http://ausport.gov.au">http://ausport.gov.au</a>
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
<a class="moz-txt-link-abbreviated" href="mailto:david.baldwin@ausport.gov.au">david.baldwin@ausport.gov.au</a> 1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
</pre>
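<div>The custom-test idea sketched in the reply above (keep an overall status, collect the major warnings at the top, wrap the rest as a Xymon status message), worked through as an added example that is not part of this thread and is not code from the testssl.sh or Xymon projects. It assumes testssl.sh is run with <tt>--color 0</tt> so that its textual markers such as "(OK)", "(NOT ok)" and "(deprecated)" appear instead of ANSI colours; the host name, the test name "ssl" and the sample scan output are constructed for illustration.</div>

```shell
#!/bin/bash
# Added example (not from the mailing-list thread, testssl.sh or Xymon):
# reduce testssl.sh plain-text output to a Xymon status colour, pull the
# non-green findings to the top, and emit a "status" message.
# Assumption: testssl.sh was run with "--color 0" so lines carry the
# textual markers "(OK)", "(NOT ok)" and "(deprecated)".

# Colour for one line of testssl.sh output: red for anything marked
# "NOT ok" or "VULNERABLE", yellow for deprecated/weak items, else green.
# (bash "case" is case-sensitive, so "not vulnerable (OK)" stays green.)
line_colour() {
    case "$1" in
        *"NOT ok"*|*"VULNERABLE"*)        echo red ;;
        *"(deprecated)"*|*"weak"*)        echo yellow ;;
        *)                                echo green ;;
    esac
}

# Numeric severity so colours can be compared.
rank() {
    case "$1" in red) echo 3 ;; yellow) echo 2 ;; *) echo 1 ;; esac
}

# Print the worse of two colours.
worse() {
    if [ "$(rank "$1")" -ge "$(rank "$2")" ]; then echo "$1"; else echo "$2"; fi
}

# Read testssl.sh output on stdin; print the worst colour seen overall.
overall_colour() {
    local overall=green line
    while IFS= read -r line; do
        overall=$(worse "$overall" "$(line_colour "$line")")
    done
    echo "$overall"
}

# Read testssl.sh output on stdin; print only the lines that are not green,
# so the major warnings can be highlighted at the top of the message.
warnings() {
    local line
    while IFS= read -r line; do
        if [ "$(line_colour "$line")" != green ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Compose the Xymon status message for host $1 from the testssl.sh output
# passed as $2. The test name "ssl" is a made-up choice for this example.
build_status() {
    local host=$1 output=$2 colour
    colour=$(printf '%s\n' "$output" | overall_colour)
    printf 'status %s.ssl %s %s\n\n' "$host" "$colour" "$(date)"
    printf 'Major findings:\n'
    printf '%s\n' "$output" | warnings
    printf '\nFull testssl.sh output:\n%s\n' "$output"
}

# Constructed sample of testssl.sh output (not a real scan result).
SAMPLE=' SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 Heartbleed                   not vulnerable (OK)
 Secure Renegotiation         VULNERABLE (NOT ok)'

# In a real hourly test the sample would come from
#   OUTPUT=$(testssl.sh --color 0 "$TARGET")
# and the message would be handed to the server with the Xymon client
# binary, e.g. "$XYMON" "$XYMSRV" "$(build_status "$TARGET" "$OUTPUT")".
# Here we only print it; expected first line: "status www.example.com.ssl red ..."
build_status www.example.com "$SAMPLE"
```

<div>The two deprecated-protocol lines would make the status yellow on their own; the "(NOT ok)" finding pushes it to red, and all three lines are listed under "Major findings" before the full output, so the summary a Xymon operator sees first matches the colour.</div>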
</body>
</html>