<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:EN-GB;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri Light",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif;mso-fareast-language:EN-US'>Thank you. The Sni has worked.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif;mso-fareast-language:EN-US'>Martin<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri Light",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Matthew Goebel <mgoebel@emich.edu> <br><b>Sent:</b> 25 March 2020 13:16<br><b>To:</b> martin@savcom.co.uk<br><b>Cc:</b> xymon@xymon.com<br><b>Subject:</b> Re: [Xymon] Monitoring websites using TLS1.3<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Try adding sni to your hosts.cfg line for that server.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Matt<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Wed, Mar 25, 2020 at 8:45 AM <<a href="mailto:martin@savcom.co.uk">martin@savcom.co.uk</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri Light",sans-serif'>I’m trying to monitor a website that is operated on part of Cloudflare’s setup and I am failing to get a positive result. The website uses TLS1.3 and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri Light",sans-serif'>I’m monitoring the server using the hosts.cfg entry:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'>0.0.0.0 Website # noconn nosslcert https3://<a href="http://www.website.com/" target="_blank">www.website.com/</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri Light",sans-serif'>I’ve tried other httpsX variants and no joy. The result I get from the website test is the rather sparse “- SSL error”</span><o:p></o:p></p><pre><span style='font-size:11.0pt'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>Digging into Xymonnet gives a more cryptic </span><o:p></o:p></pre><pre><span style='font-size:11.0pt'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt'>Unspecified SSL error in SSL_connect to https (47873/tcp) on host xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure</span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>I’m assuming the issue is around the version of OpenSSL, as the OpenSSL v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.</span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>I have three questions:</span><o:p></o:p></pre><pre style='margin-left:36.0pt'><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>-</span><span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>Is there a way of setting Xymon up to manage this monitoring?</span><o:p></o:p></pre><pre style='margin-left:36.0pt'><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>-</span><span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>When is it planned to include OpenSSL v1.1.1 in a Xymon build?</span><o:p></o:p></pre><pre style='margin-left:36.0pt'><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>-</span><span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>In the meantime, is it worth writing a simple script to test the HTTPS response I need and feed this to Xymon separately?</span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>Many thanks</span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'>Martin Davies</span><o:p></o:p></pre><pre><span style='font-size:11.0pt;font-family:"Calibri Light",sans-serif'> </span><o:p></o:p></pre></div></div><p class=MsoNormal>_______________________________________________<br>Xymon mailing list<br><a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br><a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Matthew Goebel : <a href="mailto:goebel@emunix.emich.edu" target="_blank">goebel@emunix.emich.edu</a> : Unix Jockey @ EMU : Hail Eris<br>Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...<br> "Always with the negative waves, Moriarty" - Oddball<br> "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer<o:p></o:p></p></div></div></div></body></html>