[Xymon] cipher list in sslcert column

Ralph Mitchell ralphmitchell at gmail.com
Thu Apr 26 06:59:04 CEST 2012


I was looking at the list of available ciphers in the sslcert column,
and I'm wondering exactly what that's showing?  Even when the server
is running mod_nss with FIPS-140 turned on, the ciphers list still
includes 40-bit & 56-bit ciphers, which are definitely not supposed to
be available.

So, would I be right in thinking that "Available Ciphers" means
"Ciphers available on the Xymon server", rather than "Ciphers that the
remote system will accept"??

I was hoping that it was showing the list of ciphers the remote server
would accept, because that would tie in with the "sslbits" option
specifying a minimum encryption level.  As it is, if I set sslbits=256
for my FIPS-140 server, xymon alerts because it thinks the minimum
available bits is 40.

I'm going to try sslscan (http://sourceforge.net/projects/sslscan/)
tomorrow and see what it says.  From what I've read this evening, it
may be necessary to hit the remote server with a request for every
available encryption, and see what it will accept.  That's how sslscan
does it.

So, does anybody know for sure if the cipher list is local to the
xymon server, or is it somehow gathered from the remote server??

Ralph Mitchell
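
The post distinguishes two lists: ciphers the local TLS library can offer, and ciphers the remote server will actually negotiate, found by offering one cipher per connection as the post says sslscan does. The following is an added Python example of that comparison, not part of the original post and not code from Xymon or sslscan; all function names are hypothetical, and the probe is limited to TLS 1.2 and below because Python's `set_ciphers()` does not control TLS 1.3 suites.

```python
import socket
import ssl

def local_ciphers():
    """(name, bits) for every TLS<=1.2 cipher the LOCAL library can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]

def handshake(host, port, cipher, timeout=5.0):
    """True only if the REMOTE server completes a handshake with this one cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # measuring cipher acceptance, not trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # A TCP failure propagates: an unreachable host is not a "rejected cipher".
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        ctx.set_ciphers(cipher)  # may fail if local policy forbids the cipher
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0] == cipher
    except OSError:  # ssl.SSLError is a subclass: handshake alert, timeout, ...
        return False
    finally:
        raw.close()

def remote_accepted(host, port, candidates=None, probe=handshake):
    """Offer each candidate alone; keep the ones the server negotiates."""
    if candidates is None:
        candidates = local_ciphers()
    return [(name, bits) for name, bits in candidates if probe(host, port, name)]

def min_bits(ciphers):
    """Smallest key strength in a (name, bits) list, or None if it is empty."""
    return min((bits for _, bits in ciphers), default=None)

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print("local minimum bits: ", min_bits(local_ciphers()))
    print("remote minimum bits:", min_bits(remote_accepted(host, port)))
```

A probe can only test ciphers the local library still implements, so a modern OpenSSL build without 40-bit and 56-bit suites cannot confirm or rule them out on the remote side.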


