<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><div class="gmail_default">You did not specify what OS and client this pertains to. On the assumption it is Windows using the powershell client, the second issue was fixed after about version 2.28 by a client-local keyword of PORTS:listenonly which limits the ports information to only the listening ports; all of the 'established' info is discarded. This cuts the size of the data file down a lot.</div><div class="gmail_default"><br></div><div class="gmail_default">We are also dealing with the first issue of invalid SSL connections on the HTTP tests for some servers. My observation of the underlying ciphers on the affected servers is that they were recently security-tightened to only include "forward-secrecy" ciphers, and I think that the Xymon server can't handshake using only those. Successful handshakes are using ECDHE-RSA-AES256-GCM-SHA384, while failing have ECDHE_RSA_WITH_AES_256_CBC_SHA384 (only the CBC variant).</div><div class="gmail_default"><br></div><div class="gmail_default">Tim Williams</div><div class="gmail_default">VCU Computing Center</div><div class="gmail_default"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 31, 2019 at 11:22 AM Adam Thorn <<a href="mailto:alt36@cam.ac.uk">alt36@cam.ac.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 31/07/2019 13:00, David Hickenbottom wrote:<br>
> Hi,<br>
> <br>
> First of all Thank You! This is a fantastic product. I have two <br>
> problems. The first is with regards to SSL monitoring. I have a group <br>
> of 20 or so webservers. Half monitor the SSL certificate correctly, the <br>
> others act like they do not see one.<br>
> <br>
> It looks good from every way I can look at it, but Xymon is not happy! <br>
> Is there a way for me to see what is going on?<br>
Bit of a guess here: do you need to use SNI <br>
(<a href="https://en.wikipedia.org/wiki/Server_Name_Indication" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Server_Name_Indication</a>) for the hosts <br>
where the test fails? Assuming this is the built in sslcert test <br>
performed by xymonnet, you can run it yourself with e.g.<br>
<br>
/usr/lib/xymon/server/bin/xymonnet <a href="http://pr26.imbills.com" rel="noreferrer" target="_blank">pr26.imbills.com</a> --noping --no-update<br>
<br>
where --no-update will print the test output to stdout rather than <br>
reporting to your xymon server. (NB that'll run all the xymonnet tests, <br>
not just sslcert) If you need SNI, you can add --sni=on to that command <br>
as a test, and/or add "sni" to the relevant line in hosts.cfg.<br>
<br>
You can also add --debug to the above xymonnet command, which might or <br>
might not give you information about the failure.<br>
<br>
Adam<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br>
<a href="http://lists.xymon.com/mailman/listinfo/xymon" rel="noreferrer" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
</blockquote></div>