[Xymon] HTTPS tests fail when only TLS 1.1 and 1.2 are enabled

Mark Felder feld at feld.me
Tue Apr 14 16:11:20 CEST 2015


On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:
> 
> 
> On Tue, Apr 14, 2015, at 06:47, Dito wrote:
> > I saw a post back that someone suggested to use "httpst://url" but that is
> > not working either.
> > I am running build .17, not sure if upgrading to .18 or .19 will work,
> > I'll read the notes.
> > 
> > 
> > Is there another way to fix?
> > 
> 
> From hosts.cfg man page:
> 
> * "t",  e.g. httpst://www.sample.com/ : use only TLSv1
> 
> 
> Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
>

Please see the attached patch. I can successfully build on FreeBSD 8.4
and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2,
so I'm certain I have not broken that functionality.

Considering how simple this patch is, I expect it to work reliably.
Using this patch you should be able to specify httpst1_1:// and
httpst1_2:// to get TLS 1.1 and 1.2.

The default for https:// connections is as follows:

	default:
	item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;

And the OpenSSL docs[1] describe this method:

> SSLv23_method(void), SSLv23_server_method(void),
> SSLv23_client_method(void)
> 
> A TLS/SSL connection established with these methods may understand
> the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
> 
>     If extensions are required (for example server name) a client will
> send out TLSv1 client hello messages including extensions and will
> indicate that it also understands TLSv1.1, TLSv1.2 and permits a
> fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and
> TLSv1.2 protocols. This is the best choice when compatibility is a
> concern.
>

So I would expect Xymon to try to use TLSv1.2 if it's available... is it
possible your Xymon server's OpenSSL version is too old? This might
require more investigation...


Anyway, I haven't proven it beyond building yet -- I need to reconfigure my
webserver to print ciphers in the logs so I can ensure it's really
working. Please feel free to give it a try.

[1] https://www.openssl.org/docs/ssl/SSL_CTX_new.html
-------------- next part --------------
Index: common/hosts.cfg.5
===================================================================
--- common/hosts.cfg.5	(revision 7627)
+++ common/hosts.cfg.5	(working copy)
@@ -1004,6 +1004,10 @@
 .br
 * "t",  e.g. httpst://www.sample.com/ : use only TLSv1
 .br
+* "t1_1", e.g. httpst1_1://www.sample.com/ : use only TLSv1.1
+.br
+* "t1_2", e.g. httpst1_2://www.sample.com/ : use only TLSv1.2
+.br
 * "m",  e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
 .br
 * "h",  e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
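Review bot: the two new entries promise "use only TLSv1.1" / "use only TLSv1.2" unconditionally, but the code hunks only honour them when `OPENSSL_VERSION_NUMBER >= 0x1000100fL`; the man page should state that these options need an OpenSSL with TLS 1.1/1.2 support (1.0.1 or later) and say what an older build does with them, otherwise an operator cannot tell from the documentation why httpst1_2:// is behaving like plain https://.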
Index: xymonnet/contest.c
===================================================================
--- xymonnet/contest.c	(revision 7627)
+++ xymonnet/contest.c	(working copy)
@@ -484,6 +484,13 @@
 			item->sslctx = SSL_CTX_new(SSLv3_client_method()); break;
 		  case SSLVERSION_TLS1:
 			item->sslctx = SSL_CTX_new(TLSv1_client_method()); break;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		  case SSLVERSION_TLS1_1:
+			item->sslctx = SSL_CTX_new(TLSv1_1_client_method()); break;
+		  case SSLVERSION_TLS1_2:
+			item->sslctx = SSL_CTX_new(TLSv1_2_client_method()); break;
+#endif
 		  default:
 			item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;
 		}
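Review bot: with an OpenSSL older than 1.0.1 the SSLVERSION_TLS1_1 and SSLVERSION_TLS1_2 cases are compiled out, so any such value reaches `default:` and gets `SSL_CTX_new(SSLv23_client_method())`, i.e. a test that was configured as "TLS 1.2 only" silently becomes a negotiate-anything test. Add an `#else` branch for the two new cases that logs the unsupported option (or fails the test with a clear status) instead of falling through, so a downgraded check is visible rather than green.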
Index: xymonnet/contest.h
===================================================================
--- xymonnet/contest.h	(revision 7627)
+++ xymonnet/contest.h	(working copy)
@@ -60,6 +60,8 @@
 #define SSLVERSION_V2      1
 #define SSLVERSION_V3      2
 #define SSLVERSION_TLS1    3
+#define SSLVERSION_TLS1_1  4 
+#define SSLVERSION_TLS1_2  5
 
 typedef struct {
 	char *cipherlist;
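Review bot: trailing whitespace after `#define SSLVERSION_TLS1_1  4 `. Also, since the uses of these two constants in contest.c and httptest.c are wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x1000100fL` while the definitions are unconditional, a one-line comment here noting that values 4 and 5 are only produced on OpenSSL 1.0.1 or later would save the next reader a search.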
Index: xymonnet/httptest.c
===================================================================
--- xymonnet/httptest.c	(revision 7627)
+++ xymonnet/httptest.c	(working copy)
@@ -487,6 +487,11 @@
 		if      (strstr(httptest->weburl.desturl->schemeopts, "3"))      sslopt_version = SSLVERSION_V3;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "2"))      sslopt_version = SSLVERSION_V2;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "t"))      sslopt_version = SSLVERSION_TLS1;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_1"))   sslopt_version = SSLVERSION_TLS1_1;
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_2"))   sslopt_version = SSLVERSION_TLS1_2;
+#endif
 
 		if      (strstr(httptest->weburl.desturl->schemeopts, "h"))      sslopt_ciphers = ciphershigh;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "m"))      sslopt_ciphers = ciphersmedium;
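Review bot: the two new branches are unreachable. `strstr(httptest->weburl.desturl->schemeopts, "2")` two lines above matches the "2" in "t1_2", and `strstr(..., "t")` on the line directly above matches the "t" in both "t1_1" and "t1_2", so httpst1_2:// selects SSLVERSION_V2 and httpst1_1:// selects SSLVERSION_TLS1, never the new values. Test the longer tokens first, e.g. move the `"t1_2"` and `"t1_1"` checks ahead of the `"3"`, `"2"` and `"t"` ones, so the most specific option wins.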


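As an added example (not Xymon's code and not part of the original message): a stand-alone C parser for the `httpsXXX://` scheme options that reproduces the check ordering used in the httptest.c hunk beside a longest-token-first ordering, so the effect of substring precedence on the new `t1_1`/`t1_2` options can be checked without building xymonnet. The SSLVERSION_* values mirror contest.h; `scheme_opts()`, `select_version_naive()`, `select_version()` and `version_for_url()` are hypothetical helpers written for this example, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Protocol selectors, mirroring the SSLVERSION_* values in contest.h. */
#define SSLVERSION_DEFAULT 0
#define SSLVERSION_V2      1
#define SSLVERSION_V3      2
#define SSLVERSION_TLS1    3
#define SSLVERSION_TLS1_1  4
#define SSLVERSION_TLS1_2  5

/* Copy the option letters between "https" and "://" into buf.
 * Returns the number of option characters, or -1 if url is not an
 * https-style scheme or the options do not fit. (Hypothetical helper.) */
int scheme_opts(const char *url, char *buf, size_t buflen)
{
    const char *sep = strstr(url, "://");
    if (!sep || strncmp(url, "https", 5) != 0) return -1;
    size_t n = (size_t)(sep - (url + 5));
    if (n >= buflen) return -1;
    memcpy(buf, url + 5, n);
    buf[n] = '\0';
    return (int)n;
}

/* Same check order as the httptest.c hunk: the single-character tokens
 * are tested before the multi-character ones, so "t1_1" is caught by "t"
 * and "t1_2" is caught by "2" before their own checks are reached. */
int select_version_naive(const char *opts)
{
    if (strstr(opts, "3"))    return SSLVERSION_V3;
    if (strstr(opts, "2"))    return SSLVERSION_V2;
    if (strstr(opts, "t"))    return SSLVERSION_TLS1;
    if (strstr(opts, "t1_1")) return SSLVERSION_TLS1_1;
    if (strstr(opts, "t1_2")) return SSLVERSION_TLS1_2;
    return SSLVERSION_DEFAULT;
}

/* Longest token first: the most specific option wins and shorter tokens
 * can no longer shadow it. Cipher-strength letters ("m", "h") are left
 * untouched for a separate cipher-list selection, as in Xymon. */
int select_version(const char *opts)
{
    if (strstr(opts, "t1_2")) return SSLVERSION_TLS1_2;
    if (strstr(opts, "t1_1")) return SSLVERSION_TLS1_1;
    if (strstr(opts, "3"))    return SSLVERSION_V3;
    if (strstr(opts, "2"))    return SSLVERSION_V2;
    if (strstr(opts, "t"))    return SSLVERSION_TLS1;
    return SSLVERSION_DEFAULT;
}

/* URL in, version selector out; -1 when the URL is not an https scheme. */
int version_for_url(const char *url, int (*selector)(const char *))
{
    char opts[16];
    if (scheme_opts(url, opts, sizeof opts) < 0) return -1;
    return selector(opts);
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real hosts.cfg. */
    const char *urls[] = {
        "https://www.sample.com/",
        "httpst://www.sample.com/",
        "httpst1_1://www.sample.com/",
        "httpst1_2m://www.sample.com/",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s naive=%d fixed=%d\n", urls[i],
               version_for_url(urls[i], select_version_naive),
               version_for_url(urls[i], select_version));
    return 0;
}
```

Running it shows `httpst1_2m://` mapping to SSLVERSION_V2 (1) under the naive order and to SSLVERSION_TLS1_2 (5) under the fixed order, which is the difference between a check that negotiates SSLv2 and one that enforces TLS 1.2; the same longest-token-first rule applies to any future multi-character option such as a TLS 1.3 selector.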