[Xymon] Xymon 4.3.13: HTTPS check issues

Henrik Størner henrik at hswn.dk
Thu Jan 9 22:20:28 CET 2014


On 09-01-2014 15:46, Mark Felder wrote:

[snip problem report]

> I'm not comfortable with pushing this update into the FreeBSD ports tree
> at this time; there's too much potential for headaches. The SNI support
> is a great feature but it seems there are some very rough edges that have
> not been discovered until now.

I am not quite sure what the best way forward is. As I understand your 
analysis (and I am very grateful that you've taken the time to 
investigate it!), then this really is a server-side problem that we need 
to provide a workaround for.

Making SNI configurable at compile-time is simple, but rather 
heavy-handed. I can certainly imagine situations where you want to do 
SNI on some servers, but have one or two where it breaks.

So it must be configurable at least per hosts.cfg-entry. Should we 
default SNI support to off (which it has been until now) and require 
everyone to explicitly enable it if they need it? Or should it default 
to ON and have people with the problem-servers turn it off themselves?

Defaulting to "off" would be the easiest for all users, since everything 
will work the way it did before 4.3.13. On the other hand, it doesn't 
seem right to have a perfectly valid protocol disabled, just because of 
some random crappiness.


I lean towards defaulting it to ON, and then asking admins to add a flag 
to explicitly disable SNI on those hosts that need it. As attached. Any 
comments?


Regards,
Henrik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nosni.diff
Type: text/x-diff
Size: 3461 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20140109/9dc61319/attachment.diff>

