[Xymon] XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11 ?

Andrey Chervonets A.Chervonets at cominder.eu
Wed Oct 23 12:16:07 CEST 2013


The problem occurs for some sites with valid certificates too.
I checked access to the page with wget or lynx - and it is working.
So I do not see a reason why Xymon should get "Server Timeout" for the same 
target.

Here is the debug output of wget. Please advise how to diagnose/debug Xymon to 
find the solution.
I am a bit confused why nobody is reporting the same problem:
* nobody is using new openssl libraries?
* nobody does https tests for some, maybe a bit non-standard, SSL certificates 
or web-sites?

Anyway, my opinion - if this is working for all other tools like lynx, 
wget, browsers, this could also work in Xymon.

Test case: both URLs get Server Timeout in Xymon, but work with wget:

URL1: https://epak.pmlp.gov.lv/   (there is a redirect here - I found that Xymon 
may have trouble with redirects over https)
URL2: https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx  (no 
redirects here, certificate valid, but XyMon can not access it)

========= URL1: ===========
[xymon at myhost~]$  wget --debug https://epak.pmlp.gov.lv/
DEBUG output created by Wget 1.12 on linux-gnu.

--2013-10-23 13:02:52--  https://epak.pmlp.gov.lv/
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x0000000001606440 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000000001607570
certificate:
  subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration 
Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
  issuer:  /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv

---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 301 Moved Permanently
Content-Length: 179
Content-Type: text/html
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 10:02:45 GMT
Connection: keep-alive

---response end---
301 Moved Permanently
Registered socket 3 for persistent reuse.
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx 
[following]
Skipping 179 bytes of body: [<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="
https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx">here</a></body>] 
done.
--2013-10-23 13:02:52--  
https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Reusing existing connection to epak.pmlp.gov.lv:443.
Reusing fd 3.

---request begin---
GET /NYX.Nyx001.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:02:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xpwkktquphtyv02va2ms1ejv; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 7365

---response end---
200 OK

Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry 
none] ASP.NET_SessionId xpwkktquphtyv02va2ms1ejv
Length: 7365 (7.2K) [text/html]
Saving to: `Default.aspx.2'

100%[====================================================================================================================>] 
7,365       --.-K/s   in 0s
2013-10-23 13:02:52 (832 MB/s) - `Default.aspx.2' saved [7365/7365]

========= URL2 =========================

[xymon at myhost~]$  wget --debug 
https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
DEBUG output created by Wget 1.12 on linux-gnu.

--2013-10-23 13:03:58--  
https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x00000000013ae4d0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000013af620
certificate:
  subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration 
Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
  issuer:  /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv

---request begin---
GET /NYX.Nyx002.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:03:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pecngh45oqe2sk45vhthua55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 8619

---response end---
200 OK

Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry 
none] ASP.NET_SessionId pecngh45oqe2sk45vhthua55
Registered socket 3 for persistent reuse.
Length: 8619 (8.4K) [text/html]
Saving to: `Default.aspx.3'

100%[====================================================================================================================>] 
8,619       --.-K/s   in 0s

2013-10-23 13:03:58 (1007 MB/s) - `Default.aspx.3' saved [8619/8619]
-------------------
This is output from: User-Agent: Wget/1.12 (linux-gnu)
Output from a host with older ssl and wget is the same (except User-Agent: 
Wget/1.11.4 Red Hat modified)





From:   Andrey Chervonets/Cominder/LV
To:     henrik at hswn.dk, 
Cc:     xymon at xymon.com
Date:   31.07.2013 18:15
Subject:        Re: XyMon 4.3.12 - what about HTTPS problems reported for 
4.3.11  ?


Yes, there may be some specific or expired certificate, 
but the workaround is not working anyway.

Tested: using http3 does not help for CentOS and OpenSUSE 12.3.

Tested with URL:  https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
and some others.


Best regards,

Andrey Chervonets
----------------------
SIA CoMinder
http://www.cominder.eu/






From:   henrik at hswn.dk
To:     Andrey Chervonets <a.chervonets at cominder.eu>, 
Cc:     <xymon at xymon.com>
Date:   25.07.2013 13:07
Subject:        Re: XyMon 4.3.12 - what about HTTPS problems reported for 
4.3.11  ?



Hi,

all indications are that this is an OpenSSL library problem (present in 
OpenSSL 1.x, but not in the older 0.9.x versions).

Debian has this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702635

SuSE has this:
http://lists.opensuse.org/opensuse-bugs/2013-05/msg01048.html

It appears that the problem only shows up when testing sites with 
specific SSL implementations; e.g. I've seen it when connecting to some 
IIS versions.

Apparently, a work-around is to force the use of SSLv3 instead of 
TLSv1; you can do that by changing the URL in hosts.cfg so it has 
"https3" instead of just "https".

Regards,
Henrik


Den 25.07.2013 07:54, Andrey Chervonets skrev:
> Good day!
>
> I still have not received any reply to my previous messages about https
> test problems in 4.3.11 or due to openssl-1.0.nnnn.
> Does 4.3.12 have fixes for that?
>
> Or what should be the steps to find the root cause and fix?
> Just tell me in which direction I should go, I am not going to take
> much of Your time.
>
> P.S. Really, I am surprised nobody else reported similar problems. I
> feel I have done something wrong. :(
>
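
One way to narrow down a handshake that hangs only with certain protocol versions, as discussed in this thread (an added example, not part of the original messages and not Xymon code): it pins one TLS version per attempt and reports whether the handshake completed, failed or timed out. The names `probe` and `survey` and the local silent listener are constructed for illustration; Python's ssl module does not offer SSLv3, so the "https3" work-around itself is not exercised.

```python
import socket
import ssl

# One pinned handshake per version. Python's ssl module does not offer SSLv3.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, label, timeout=5.0):
    """Try one handshake pinned to a single TLS version and classify the result."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        ctx.minimum_version = VERSIONS[label]
        ctx.maximum_version = VERSIONS[label]
    except ValueError:
        return "unsupported-locally"  # local OpenSSL build lacks this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except socket.timeout:
        return "timeout"  # connect or handshake did not finish in time
    except ssl.SSLCertVerificationError:
        return "cert-error"
    except ssl.SSLError:
        return "tls-error"  # alert, protocol refused, or blocked by local policy
    except OSError:
        return "connect-error"


def survey(host, port=443, timeout=5.0):
    """Run probe() once per pinned version and collect the outcomes."""
    return {label: probe(host, port, label, timeout) for label in VERSIONS}


if __name__ == "__main__":
    # Constructed stand-in for a server that never answers the ClientHello:
    # the TCP connection is accepted by the kernel, but nothing is sent back.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    print(survey("127.0.0.1", srv.getsockname()[1], timeout=1.0))
    srv.close()
```

A version that returns "timeout" while another returns "ok:" points at the server's handling of that protocol version rather than at the certificate.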


