<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>this problem ties in with another issue reported recently with
Xymon not compiling with the upcoming OpenSSL 1.1 release.</p>
<p>Could you try the attached patch? This extends the current
https2/https3/httpst so you can now use: httpsa for TLS 1.0,
httpsb for TLS 1.1 and httpsc for TLS 1.2.</p>
<p>Anyone else using the specific SSL/TLS protocols, please feel
free to try this patch. It changes the way protocol selection is
done (using some different API calls), so any breakage would be
nice to have reported as soon as possible.</p>
<p>Also, the sslcert tests will no longer report the possible
encryption protocols - only the one that is actually used.</p>
<p><br>
</p>
<p>Regards,</p>
<p>Henrik<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">Den 07-06-2016 kl. 16:26 skrev Gore,
David W (David):<br>
</div>
<blockquote
cite="mid:9E95D92A6FE6D644AD42428C72C4B7C001C344F03E@FHDP1LUMXC7V42.us.one.verizon.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Henrik,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">It is.
Specifically I use this:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">openssl
s_client -connect xymon:443 -tls1 2>/dev/null | grep
Renegotiation<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Secure
Renegotiation IS NOT supported<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">openssl
s_client -connect xymon:443 -tls1_1 2>/dev/null | grep
Renegotiation<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Secure
Renegotiation IS NOT supported<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">openssl
s_client -connect xymon:443 -tls1_2 2>/dev/null | grep
Renegotiation<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Secure
Renegotiation IS supported<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This is what
xymon logs in xymonnet.log which you can also see alerting
for the xymonnet column on the web page:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-06-07
14:09:53.879678 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_1.goes.here:
error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert
protocol version<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-06-07
14:14:41.970374 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_2.goes.here:
error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert
protocol version<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-06-07
14:14:41.970753 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_2.goes.here:
error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert
protocol version<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This is Mark’s
post:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a
moz-do-not-send="true"
href="http://lists.xymon.com/pipermail/xymon/2015-April/041568.html"><a class="moz-txt-link-freetext" href="http://lists.xymon.com/pipermail/xymon/2015-April/041568.html">http://lists.xymon.com/pipermail/xymon/2015-April/041568.html</a></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">My guess is,
Xymon doesn’t properly support the minor versions of TLS?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Henrik Størner [<a class="moz-txt-link-freetext" href="mailto:henrik@hswn.dk">mailto:henrik@hswn.dk</a>] <br>
<b>Sent:</b> Tuesday, June 7, 2016 9:51 AM<br>
<b>To:</b> Gore, David W (David); <a class="moz-txt-link-abbreviated" href="mailto:xymon@xymon.com">xymon@xymon.com</a><br>
<b>Subject:</b> [E] Re: [Xymon] Support for TLS v1.1 and
1.2?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi David,<br>
<br>
Xymon uses the openssl library on the Xymon server to do
SSL/TLS. So the most basic of tests would be to run "openssl
s_client -connect xymon1.domain.com:443" to see if your
OpenSSL library supports the necessary protocols.<br>
<br>
Note that you may have multiple versions of OpenSSL installed,
so to be 100% sure check the version of OpenSSL that Xymon
uses: "xymonnet --version" will tell you which OpenSSL version
it was compiled with, and "ldd ~xymon/server/bin/xymonnet"
will show you (on Linux, at least) what the actual library is
that is used by xymonnet.<br>
<br>
<br>
Regards,<br>
Henrik<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">Den 07-06-2016 kl. 00:20 skrev Gore,
David W (David):<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Mark Felder,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Mentioned last year around April 17<sup>th</sup>,
2015 where Xymon support for TLS v1.1 and v1.2 may be
lacking. Perhaps the issue is more my naiveté but does
anyone know how I can get the sslcert and http tests to work
correctly with Apache and Xymon.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><img moz-do-not-send="true"
id="_x0000_i1025"
src="imap://henrik%40hswn%2Edk@mail.hswn.dk:143/fetch%3EUID%3E.Drafts%3E2387?part=&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png"
alt="red" width="16" border="0" height="16"><span
style="font-size:10.0pt;font-family:"Courier
New""><a moz-do-not-send="true"
href="https://xymon1.domain.com/">https://xymon1.domain.com/</a>
- SSL error</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier
New""> </span><o:p></o:p></p>
<p class="MsoNormal">The sslcert test goes purple.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Os: Red Hat Enterprise Linux Server
release 7.2 (Maipo)<o:p></o:p></p>
<p class="MsoNormal">Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013<o:p></o:p></p>
<p class="MsoNormal">Xymon: 4.3.26<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">David W Gore</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>