<font size=2 face="sans-serif">Hi Xymon community,</font>
<br>
<br><font size=2 face="sans-serif">I'm getting a bunch of SSL Error alerts
on some websites.</font>
<br>
<br><font size=2 face="sans-serif">Here is one example:</font>
<br>
<br><a href="https://kct-uat.agriculture.vic.gov.au/"><font size=2 face="sans-serif">https://kct-uat.agriculture.vic.gov.au/</font></a>
<br>
<br><font size=2 face="sans-serif">If I add this to xymon, I get:</font>
<br>
<br><font size=2 color=blue face="sans-serif">Thu Nov 3 03:50:38 2016:
SSL error</font>
<br><font size=2 color=blue face="sans-serif">red </font><a href="https://kct-uat.agriculture.vic.gov.au/"><font size=2 color=blue face="sans-serif">https://kct-uat.agriculture.vic.gov.au/</font></a><font size=2 color=blue face="sans-serif">
- SSL error</font>
<br>
<br><font size=2 face="sans-serif">I did some digging through the xymon
archives and openssl errors and found this:</font>
<br>
<br><a href="http://lists.xymon.com/archive/2013-January/036688.html"><font size=2 face="sans-serif">http://lists.xymon.com/archive/2013-January/036688.html</font></a>
<br>
<br><font size=2 face="sans-serif">and this:</font>
<br>
<br><a href="http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate"><font size=2 face="sans-serif">http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate</font></a>
<br>
<br><font size=2 face="sans-serif">so when I run this command from my Xymon
server I get the 104 error:</font>
<br>
<br><font size=2 color=blue face="sans-serif"># openssl s_client -connect
kct-uat.agriculture.vic.gov.au:443</font>
<br><font size=2 color=blue face="sans-serif">CONNECTED(00000003)</font>
<br><font size=2 color=blue face="sans-serif">write:errno=104</font>
<br><font size=2 color=blue face="sans-serif">---</font>
<br><font size=2 color=blue face="sans-serif">no peer certificate available</font>
<br><font size=2 color=blue face="sans-serif">---</font>
<br><font size=2 color=blue face="sans-serif">No client certificate CA
names sent</font>
<br><font size=2 color=blue face="sans-serif">---</font>
<br><font size=2 color=blue face="sans-serif">SSL handshake has read 0
bytes and written 247 bytes</font>
<br><font size=2 color=blue face="sans-serif">---</font>
<br><font size=2 color=blue face="sans-serif">New, (NONE), Cipher is (NONE)</font>
<br><font size=2 color=blue face="sans-serif">Secure Renegotiation IS NOT
supported</font>
<br><font size=2 color=blue face="sans-serif">Compression: NONE</font>
<br><font size=2 color=blue face="sans-serif">Expansion: NONE</font>
<br>
<br><font size=2 face="sans-serif">But if I add the SNI, I get a nice connection:</font>
<br>
<br><font size=2 color=blue face="sans-serif"># openssl s_client -connect
kct-uat.agriculture.vic.gov.au:443 -servername kct-uat.agriculture.vic.gov.au</font>
<br><font size=2 color=blue face="sans-serif">CONNECTED(00000003)</font>
<br><font size=2 color=blue face="sans-serif">depth=2 C = US, O = DigiCert
Inc, OU = </font><a href=www.digicert.com><font size=2 color=blue face="sans-serif">www.digicert.com</font></a><font size=2 color=blue face="sans-serif">,
CN = DigiCert High Assurance EV Root CA</font>
<br><font size=2 color=blue face="sans-serif">verify return:1</font>
<br><font size=2 color=blue face="sans-serif">depth=1 C = US, O = DigiCert
Inc, OU = </font><a href=www.digicert.com><font size=2 color=blue face="sans-serif">www.digicert.com</font></a><font size=2 color=blue face="sans-serif">,
CN = DigiCert SHA2 High Assurance Server CA</font>
<br><font size=2 color=blue face="sans-serif">verify return:1</font>
<br><font size=2 color=blue face="sans-serif">depth=0 C = AU, ST = Victoria,
L = Melbourne, O = "Department of Economic Development, Jobs Transport
and Resources", CN = *.agriculture.vic.gov.au</font>
<br><font size=2 color=blue face="sans-serif">verify return:1</font>
<br>
<br><font size=2 color=blue face="sans-serif">New, TLSv1/SSLv3, Cipher
is ECDHE-RSA-AES256-SHA384</font>
<br><font size=2 color=blue face="sans-serif">Server public key is 2048
bit</font>
<br><font size=2 color=blue face="sans-serif">Secure Renegotiation IS supported</font>
<br><font size=2 color=blue face="sans-serif">Compression: NONE</font>
<br><font size=2 color=blue face="sans-serif">Expansion: NONE</font>
<br><font size=2 color=blue face="sans-serif">SSL-Session:</font>
<br><font size=2 color=blue face="sans-serif"> Protocol :
TLSv1.2</font>
<br><font size=2 color=blue face="sans-serif"> Cipher
: ECDHE-RSA-AES256-SHA384</font>
<br><font size=2 color=blue face="sans-serif"> Session-ID:
DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF</font>
<br><font size=2 color=blue face="sans-serif"> Session-ID-ctx:</font>
<br><font size=2 color=blue face="sans-serif"> Master-Key:
0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76</font>
<br><font size=2 color=blue face="sans-serif"> Key-Arg
: None</font>
<br><font size=2 color=blue face="sans-serif"> Krb5 Principal:
None</font>
<br><font size=2 color=blue face="sans-serif"> PSK identity:
None</font>
<br><font size=2 color=blue face="sans-serif"> PSK identity
hint: None</font>
<br><font size=2 color=blue face="sans-serif"> Start Time:
1478145325</font>
<br><font size=2 color=blue face="sans-serif"> Timeout
: 300 (sec)</font>
<br><font size=2 color=blue face="sans-serif"> Verify return
code: 0 (ok)</font>
<br>
<br><font size=2 face="sans-serif">But now I'm not sure what to do next...
Any ideas?</font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br>
<br><font size=2 face="sans-serif">Martin.</font>
<br>
<br><font size=2 face="sans-serif">---</font>
<br>
<DIV>
********************************************************************************<BR>
Department of Economic Development, Jobs, Transport and Resources, Government of<BR>
Victoria, Victoria, Australia.<BR>
<BR>
This email, and any attachments, may contain privileged and confidential<BR>
information. If you are not the intended recipient, you may not distribute or<BR>
reproduce this e-mail or the attachments. If you have received this message in<BR>
error, please notify us by return email.<BR>
********************************************************************************<BR>
</DIV>