[Xymon] cipher list in sslcert column

Ralph Mitchell ralphmitchell at gmail.com
Mon Apr 30 07:13:59 CEST 2012


So, the question is, does the sslbits option look at the actual
connection xymon just made to the remote server, or is it looking at
the lowest number of bits in the cipher list?  If the latter, that's
pretty much worthless as a test...

xymonnet/contest.c, starting at line 653, loops through available
ciphers and saves lowest number of bits in item->mincipherbits.

Right above that loop there are several calls to X509 functions to get
the CN and the start/end times.  If there's one that would get the
number of bits for the actual connection, that could replace the loop
and the sslbits test would be all good.  I think.  Maybe.  Dunno
enough about x509 programming, that's fer sure!  :-)

Or maybe I'm overlooking something - wouldn't be the first time...  :-)

Ralph Mitchell


On Sun, Apr 29, 2012 at 11:44 PM, Jeremy Laidman
<jlaidman at rebel-it.com.au> wrote:
> Ralph
>
> I believe you are correct that this shows the Xymon server's list of
> ciphers.  I have different servers that I monitor, and they accept
> connections using different sets of ciphers (tested with "openssl s_client
> -cipher NAME-OF-CIPHER hostname") yet the lists of ciphers on each of the
> Xymon sslcert status pages are identical.
>
> Also, the output of "openssl ciphers -v" on the Xymon server is suspiciously
> identical, in content and order, to those listed on the sslcert status page.
>
> Cheers
> Jeremy
>
> On Thu, Apr 26, 2012 at 2:59 PM, Ralph Mitchell <ralphmitchell at gmail.com>
> wrote:
>>
>> I was looking at the list of available ciphers in the sslcert column,
>> and I'm wondering exactly what that's showing?  Even when the server
>> is running mod_nss with FIPS-140 turned on, the ciphers list still
>> includes 40-bit & 56-bit ciphers, which are definitely not supposed to
>> be available.
>>
>> So, would I be right in thinking that "Available Ciphers" means
>> "Ciphers available on the Xymon server", rather than "Ciphers that the
>> remote system will accept"??
>>
>> I was hoping that it was showing the list of ciphers the remote server
>> would accept, because that would tie in with the "sslbits" option
>> specifying a minimum encryption level.  As it is, if I set sslbits=256
>> for my FIPS-140 server, xymon alerts because it thinks the minimum
>> available bits is 40.
>>
>> I'm going to try sslscan (http://sourceforge.net/projects/sslscan/)
>> tomorrow and see what it says.  From what I've read this evening, it
>> may be necessary to hit the remote server with a request for every
>> available encryption, and see what it will accept.  That's how sslscan
>> does it.
>>
>> So, does anybody know for sure if the cipher list is local to the
>> xymon server, or is it somehow gathered from the remote server??
>>
>> Ralph Mitchell
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
>
>
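As an added example (not Xymon's code, and not from either poster), here is a small POSIX shell check built from the two openssl commands already mentioned in this thread: it takes the cipher actually negotiated from "openssl s_client" output, decodes its key size from "openssl ciphers -v", and sets that beside the local-list minimum that a loop over the monitoring host's own cipher list reports. The s_client and ciphers -v samples are constructed, and check_sslbits is a hypothetical wrapper for a live run.

```shell
#!/bin/sh
# Added example, not Xymon's code: get the key size of the cipher a server
# actually negotiated, and compare it with the local-list minimum that a loop
# over the monitoring host's own cipher list (as in contest.c) would report.

# negotiated_cipher: stdin = "openssl s_client" output; prints the name on the
# "Cipher    : NAME" line of the SSL-Session block (empty if the handshake failed).
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# cipher_bits: $1 = cipher name, stdin = "openssl ciphers -v" output; prints the
# symmetric key size from the Enc=ALG(bits) column, nothing if the name is unknown.
cipher_bits() {
    awk -v name="$1" '$1 == name { sub(/.*Enc=[^(]*\(/, ""); sub(/\).*/, ""); print; exit }'
}

# local_min_bits: stdin = "openssl ciphers -v" output; prints the smallest
# Enc=(bits) value in the list, i.e. the local minimum, nothing about the remote end.
local_min_bits() {
    awk '/Enc=/ { b = $0; sub(/.*Enc=[^(]*\(/, "", b); sub(/\).*/, "", b)
                  if (min == "" || b + 0 < min) min = b + 0 } END { print min }'
}

# sslbits_ok: $1 = bits (may be empty), $2 = required minimum; succeeds only if
# $1 is a number and at least $2, so a failed handshake never passes.
sslbits_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# check_sslbits: hypothetical live version for a real server (needs network and the openssl CLI).
check_sslbits() {  # $1 = host, $2 = port, $3 = minimum bits
    name=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | negotiated_cipher)
    bits=$(openssl ciphers -v 'ALL:COMPLEMENTOFALL' | cipher_bits "$name")
    sslbits_ok "$bits" "$3"
}

# Constructed sample of "openssl s_client" output (trimmed to the relevant lines).
SAMPLE_S_CLIENT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample of "openssl ciphers -v" on the monitoring host, 40-bit export
# cipher included.
SAMPLE_CIPHERS_V='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA  SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export'
```

With these samples local_min_bits reports 40 while the negotiated cipher is 256 bits, which is the mismatch behind the false sslbits alert described above.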
