<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New","serif";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi Henrik,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>As best I can tell it all works quite nicely. Thank you so much for your efforts!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>~David<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Henrik Størner [mailto:henrik@hswn.dk] <br><b>Sent:</b> Monday, June 27, 2016 10:55 AM<br><b>To:</b> Gore, David W (David); xymon@xymon.com<br><b>Subject:</b> Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Hi,<o:p></o:p></p><p>this problem ties in with another issue reported recently with Xymon not compiling with the upcoming OpenSSL 1.1 release.<o:p></o:p></p><p>Could you try the attached patch? This extends the current https2/https3/httpst so you can now use: httpsa for TLS 1.0, httpsb for TLS 1.1 and httpsc for TLS 1.2.<o:p></o:p></p><p>Anyone else using the specific SSL/TLS protocols, please feel free to try this patch. It changes the way protocol selection is done (using some different API calls), so any breakage would be nice to have reported as soon as possible.<o:p></o:p></p><p>Also, the sslcert tests will no longer report the possible encryption protocols - only the one that is actually used.<o:p></o:p></p><p><o:p> </o:p></p><p>Regards,<o:p></o:p></p><p>Henrik<o:p></o:p></p><p><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Den 07-06-2016 kl. 16:26 skrev Gore, David W (David):<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='color:#1F497D'>Hi Henrik,</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>It is. Specifically I use this:</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Secure Renegotiation IS NOT supported</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Secure Renegotiation IS NOT supported</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Secure Renegotiation IS supported</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>This is what xymon logs in xymonnet.log which you can also see alerting for the xymonnet column on the web page:</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>This is Mark’s post:</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><a href="http://lists.xymon.com/pipermail/xymon/2015-April/041568.html">http://lists.xymon.com/pipermail/xymon/2015-April/041568.html</a></span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>My guess is, Xymon doesn’t properly support the minor versions of TLS?</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Henrik Størner [<a href="mailto:henrik@hswn.dk">mailto:henrik@hswn.dk</a>] <br><b>Sent:</b> Tuesday, June 7, 2016 9:51 AM<br><b>To:</b> Gore, David W (David); <a href="mailto:xymon@xymon.com">xymon@xymon.com</a><br><b>Subject:</b> [E] Re: [Xymon] Support for TLS v1.1 and 1.2?</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Hi David,<br><br>Xymon uses the openssl library on the Xymon server to do SSL/TLS. So the most basic of tests would be to run "openssl s_client -connect xymon1.domain.com:443" to see if your OpenSSL library supports the necessary protocols.<br><br>Note that you may have multiple versions of OpenSSL installed, so to be 100% sure check the version of OpenSSL that Xymon uses: "xymonnet --version" will tell you which OpenSSL version it was compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you (on Linux, at least) what the actual library is that is used by xymonnet.<br><br><br>Regards,<br>Henrik<br><br><br><o:p></o:p></p><div><p class=MsoNormal>Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Mark Felder,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Mentioned last year around April 17<sup>th</sup>, 2015 where Xymon support for TLS v1.1 and v1.2 may be lacking. Perhaps the issue is more my naiveté but does anyone know how I can get the sslcert and http tests to work correctly with Apache and Xymon.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><img border=0 width=16 height=16 id="_x0000_i1025" src="imap://henrik%40hswn%2Edk@mail.hswn.dk:143/fetch%3EUID%3E.Drafts%3E2387?part=&filename=ForwardedMessage.eml&realtype=message/rfc822&header=quotebody&filename=image001.png" alt=red><span style='font-size:10.0pt;font-family:"Courier New","serif"'><a href="https://xymon1.domain.com/">https://xymon1.domain.com/</a> - SSL error</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New","serif"'> </span><o:p></o:p></p><p class=MsoNormal>The sslcert test goes purple.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Os: Red Hat Enterprise Linux Server release 7.2 (Maipo)<o:p></o:p></p><p class=MsoNormal>Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013<o:p></o:p></p><p class=MsoNormal>Xymon: 4.3.26<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>David W Gore</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'> </span><o:p></o:p></p></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></body></html>