<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Martin,<br>
<br>
There is an option for xymonnet to enable SNI - here's my
tasks.cfg snippet - see man xymonnet<br>
<br>
[xymonnet]<br>
ENVFILE /home/xymon/server/etc/xymonserver-net.cfg<br>
NEEDS xymond<br>
CMD xymonnet --report --ping --checkresponse
--bb-proxy-syntax --sni=on --timeout=20 --sslkeysize=2048<br>
LOGFILE $XYMONSERVERLOGS/xymonnet.log<br>
INTERVAL 5m<br>
<br>
</div>
<blockquote
cite="mid:OFE0582CE4.385CB57E-ONCA258060.0014E4A4-CA258060.0015BBFA@cenitex.vic.gov.au"
type="cite">
<font face="sans-serif" size="2">Hi Xymon community,</font>
<br>
<br>
<font face="sans-serif" size="2">I'm getting a bunch of SSL Error
alerts
on some websites.</font>
<br>
<br>
<font face="sans-serif" size="2">Here is one example:</font>
<br>
<br>
<a moz-do-not-send="true"
href="https://kct-uat.agriculture.vic.gov.au/"><font
face="sans-serif" size="2">https://kct-uat.agriculture.vic.gov.au/</font></a>
<br>
<br>
<font face="sans-serif" size="2">If I add this to xymon, I get:</font>
<br>
<br>
<font face="sans-serif" color="blue" size="2">Thu Nov 3 03:50:38
2016:
SSL error</font>
<br>
<font face="sans-serif" color="blue" size="2">red </font><a
moz-do-not-send="true"
href="https://kct-uat.agriculture.vic.gov.au/"><font
face="sans-serif" color="blue" size="2">https://kct-uat.agriculture.vic.gov.au/</font></a><font
face="sans-serif" color="blue" size="2">
- SSL error</font>
<br>
<br>
<font face="sans-serif" size="2">I did some digging through the
xymon
archives and openssl errors and found this:</font>
<br>
<br>
<a moz-do-not-send="true"
href="http://lists.xymon.com/archive/2013-January/036688.html"><font
face="sans-serif" size="2">http://lists.xymon.com/archive/2013-January/036688.html</font></a>
<br>
<br>
<font face="sans-serif" size="2">and this:</font>
<br>
<br>
<a moz-do-not-send="true"
href="http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate"><font
face="sans-serif" size="2">http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate</font></a>
<br>
<br>
<font face="sans-serif" size="2">so when I run this command from
my Xymon
server I get the 104 error:</font>
<br>
<br>
<font face="sans-serif" color="blue" size="2"># openssl s_client
-connect
kct-uat.agriculture.vic.gov.au:443</font>
<br>
<font face="sans-serif" color="blue" size="2">CONNECTED(00000003)</font>
<br>
<font face="sans-serif" color="blue" size="2">write:errno=104</font>
<br>
<font face="sans-serif" color="blue" size="2">---</font>
<br>
<font face="sans-serif" color="blue" size="2">no peer certificate
available</font>
<br>
<font face="sans-serif" color="blue" size="2">---</font>
<br>
<font face="sans-serif" color="blue" size="2">No client
certificate CA
names sent</font>
<br>
<font face="sans-serif" color="blue" size="2">---</font>
<br>
<font face="sans-serif" color="blue" size="2">SSL handshake has
read 0
bytes and written 247 bytes</font>
<br>
<font face="sans-serif" color="blue" size="2">---</font>
<br>
<font face="sans-serif" color="blue" size="2">New, (NONE), Cipher
is (NONE)</font>
<br>
<font face="sans-serif" color="blue" size="2">Secure Renegotiation
IS NOT
supported</font>
<br>
<font face="sans-serif" color="blue" size="2">Compression: NONE</font>
<br>
<font face="sans-serif" color="blue" size="2">Expansion: NONE</font>
<br>
<br>
<font face="sans-serif" size="2">But if I add the SNI, I get a
nice connection:</font>
<br>
<br>
<font face="sans-serif" color="blue" size="2"># openssl s_client
-connect
kct-uat.agriculture.vic.gov.au:443 -servername
kct-uat.agriculture.vic.gov.au</font>
<br>
<font face="sans-serif" color="blue" size="2">CONNECTED(00000003)</font>
<br>
<font face="sans-serif" color="blue" size="2">depth=2 C = US, O =
DigiCert Inc, OU = www.digicert.com,
CN = DigiCert High Assurance EV Root CA</font>
<br>
<font face="sans-serif" color="blue" size="2">verify return:1</font>
<br>
<font face="sans-serif" color="blue" size="2">depth=1 C = US, O =
DigiCert Inc, OU = www.digicert.com,
CN = DigiCert SHA2 High Assurance Server CA</font>
<br>
<font face="sans-serif" color="blue" size="2">verify return:1</font>
<br>
<font face="sans-serif" color="blue" size="2">depth=0 C = AU, ST =
Victoria,
L = Melbourne, O = "Department of Economic Development, Jobs
Transport
and Resources", CN = *.agriculture.vic.gov.au</font>
<br>
<font face="sans-serif" color="blue" size="2">verify return:1</font>
<br>
<br>
<font face="sans-serif" color="blue" size="2">New, TLSv1/SSLv3,
Cipher
is ECDHE-RSA-AES256-SHA384</font>
<br>
<font face="sans-serif" color="blue" size="2">Server public key is
2048
bit</font>
<br>
<font face="sans-serif" color="blue" size="2">Secure Renegotiation
IS supported</font>
<br>
<font face="sans-serif" color="blue" size="2">Compression: NONE</font>
<br>
<font face="sans-serif" color="blue" size="2">Expansion: NONE</font>
<br>
<font face="sans-serif" color="blue" size="2">SSL-Session:</font>
<br>
<font face="sans-serif" color="blue" size="2"> Protocol :
TLSv1.2</font>
<br>
<font face="sans-serif" color="blue" size="2"> Cipher
: ECDHE-RSA-AES256-SHA384</font>
<br>
<font face="sans-serif" color="blue" size="2"> Session-ID:
DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF</font>
<br>
<font face="sans-serif" color="blue" size="2"> Session-ID-ctx:</font>
<br>
<font face="sans-serif" color="blue" size="2"> Master-Key:
0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76</font>
<br>
<font face="sans-serif" color="blue" size="2"> Key-Arg
: None</font>
<br>
<font face="sans-serif" color="blue" size="2"> Krb5 Principal:
None</font>
<br>
<font face="sans-serif" color="blue" size="2"> PSK identity:
None</font>
<br>
<font face="sans-serif" color="blue" size="2"> PSK identity
hint: None</font>
<br>
<font face="sans-serif" color="blue" size="2"> Start Time:
1478145325</font>
<br>
<font face="sans-serif" color="blue" size="2"> Timeout
: 300 (sec)</font>
<br>
<font face="sans-serif" color="blue" size="2"> Verify return
code: 0 (ok)</font>
<br>
<br>
<font face="sans-serif" size="2">But now I'm not sure what to do
next...
Any ideas?</font>
<br>
<br>
<font face="sans-serif" size="2">Thanks,</font>
<br>
<br>
<font face="sans-serif" size="2">Martin.</font>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission <a class="moz-txt-link-freetext" href="http://ausport.gov.au">http://ausport.gov.au</a>
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
<a class="moz-txt-link-abbreviated" href="mailto:david.baldwin@ausport.gov.au">david.baldwin@ausport.gov.au</a> 1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
</pre>
<br>
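<p>Added example, not part of the original messages and not Xymon code: a shell helper that compares <code>openssl s_client</code> output captured without and with <code>-servername</code>, as in the quoted message, and reports whether the endpoint needs SNI. It goes slightly beyond the case in the thread by also flagging a server that answers without SNI but presents a different certificate. The function names and sample transcripts are constructed for illustration; <code>-noservername</code> is used only where the local OpenSSL supports it (1.1.1 and later send SNI by default).</p>
<pre>
```shell
#!/bin/sh
# Added example: decide whether a TLS endpoint depends on SNI by comparing
# `openssl s_client` transcripts taken without and with -servername.

# Leaf certificate subject: the text after "depth=0" in a transcript on stdin.
leaf_subject() { sed -n 's/^depth=0 *//p' | head -n 1; }

# Classify one transcript on stdin: no-cert | ok | verify-failed | unknown
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"no peer certificate available"*) echo "no-cert" ;;
        *"Verify return code: 0 (ok)"*)    echo "ok" ;;
        *"Verify return code: "*)          echo "verify-failed" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Verdict from two transcripts: $1 = without SNI, $2 = with SNI.
sni_verdict() {
    plain=$(printf '%s\n' "$1" | classify_handshake)
    named=$(printf '%s\n' "$2" | classify_handshake)
    s1=$(printf '%s\n' "$1" | leaf_subject)
    s2=$(printf '%s\n' "$2" | leaf_subject)
    if [ "$named" = "no-cert" ]; then
        echo "fails-even-with-sni"      # not an SNI problem; look elsewhere
    elif [ "$plain" = "no-cert" ]; then
        echo "sni-required"             # the case in this thread
    elif [ "$s1" != "$s2" ]; then
        echo "sni-selects-certificate"  # default vhost cert served without SNI
    else
        echo "sni-not-needed"
    fi
}

# Live probe (needs network access): sni_probe HOST [PORT]
sni_probe() {
    host=$1; port=${2:-443}; nosni=""
    # OpenSSL 1.1.1+ sends SNI by default, so suppress it when the flag exists.
    if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then nosni="-noservername"; fi
    plain=$(echo | openssl s_client -connect "$host:$port" $nosni 2>&1 || true)
    named=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 || true)
    sni_verdict "$plain" "$named"
}

# Constructed sample transcripts, abbreviated from the output quoted above.
SAMPLE_NO_SNI=$(printf 'write:errno=104\n---\nno peer certificate available\n')
SAMPLE_WITH_SNI=$(printf 'depth=0 CN = *.agriculture.vic.gov.au\nVerify return code: 0 (ok)\n')
sni_verdict "$SAMPLE_NO_SNI" "$SAMPLE_WITH_SNI"   # prints: sni-required
```
</pre>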
</body>
</html>