[Xymon] [E] Re: Support for TLS v1.1 and 1.2?

Henrik Størner henrik at hswn.dk
Wed Jun 8 18:43:36 CEST 2016


Hi David,

could you try this patch and let me know if it works with this change? 
This simply changes "httpst://..." to use ONLY TLS 1.2, so if you have 
other httpst-defs that are not 1.2 then they will probably fail.

Regards,
Henrik


On 08-06-2016 at 12:47, Gore, David W (David) wrote:
>
> Hi Henrik,
>
> httpst://www.example.com/, yes, this is how our entries are set.  I 
> should have shared it before but the only change made to our 
> environment was to update the Apache .conf file with this entry:
>
> SSLProtocol -ALL +TLSv1.2
>
> If I want xymon to not error I could change it back to:
>
> SSLProtocol -ALL +TLSv1
>
> But then I would be using TLSv1.0 and our servers would fail security scans.
>
> The xymon entry is httpst as we have been using TLS for some time.
>
> *From:* Henrik Størner [mailto:henrik at hswn.dk]
> *Sent:* Wednesday, June 8, 2016 3:14 AM
> *To:* Gore, David W (David); xymon at xymon.com
> *Subject:* Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
>
> Hi,
>
> Xymon asks OpenSSL to connect using any available SSL/TLS protocol and 
> this should auto-negotiate to whatever protocol both sides support, 
> which is what SSL/TLS clients (browsers etc) would normally do.
>
> This is different from what you do with the command-line tests below; 
> you explicitly request one of the TLS 1.x methods, so auto-negotiate 
> is turned off. Could you try running this command without the "-tls*" option?
>
> Have you tried to configure Xymon to specifically use TLS 1? Put 
> "httpst://www.example.com/" in hosts.cfg (the the 't' added to https). 
> This will specifically request a TLSv1 connection. You are right that 
> Xymon does not have similar ways to request TLSv1.1 and TLSv1.2 
> connections.
>
>
> Regards,
> Henrik
>
> On 07-06-2016 at 16:26, Gore, David W (David) wrote:
>
>     Hi Henrik,
>
>     It is. Specifically I use this:
>
>     openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep Renegotiation
>
>     Secure Renegotiation IS NOT supported
>
>     openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep Renegotiation
>
>     Secure Renegotiation IS NOT supported
>
>     openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep Renegotiation
>
>     Secure Renegotiation IS supported
>
>     This is what xymon logs in xymonnet.log which you can also see
>     alerting for the xymonnet column on the web page:
>
>     2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to
>     https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL
>     routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
>     2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to
>     https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL
>     routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
>     2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to
>     https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL
>     routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>
>     This is Mark’s post:
>
>     http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
>
>     My guess is, Xymon doesn’t properly support the minor versions of TLS?
>
>     *From:* Henrik Størner [mailto:henrik at hswn.dk]
>     *Sent:* Tuesday, June 7, 2016 9:51 AM
>     *To:* Gore, David W (David); xymon at xymon.com
>     *Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
>
>     Hi David,
>
>     Xymon uses the openssl library on the Xymon server to do SSL/TLS.
>     So the most basic of tests would be to run "openssl s_client
>     -connect xymon1.domain.com:443" to see if your OpenSSL library
>     supports the necessary protocols.
>
>     Note that you may have multiple versions of OpenSSL installed, so
>     to be 100% sure check the version of OpenSSL that Xymon uses:
>     "xymonnet --version" will tell you which OpenSSL version it was
>     compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you
>     (on Linux, at least) what the actual library is that is used by
>     xymonnet.
>
>
>     Regards,
>     Henrik
>
>
>     On 07-06-2016 at 00:20, Gore, David W (David) wrote:
>
>         Mark Felder mentioned last year, around April 17th, 2015, that
>         Xymon support for TLS v1.1 and v1.2 may be lacking.  Perhaps the
>         issue is more my naiveté, but does anyone know how I can get
>         the sslcert and http tests to work correctly with Apache and
>         Xymon?
>
>         red  https://xymon1.domain.com/ - SSL error
>
>         The sslcert test goes purple.
>
>         OS: Red Hat Enterprise Linux Server release 7.2 (Maipo)
>
>         OpenSSL: OpenSSL 1.0.1e-fips 11 Feb 2013
>
>         Xymon: 4.3.26
>
>         David W Gore
>
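As an added example (not from the thread and not Xymon's own code), a small Python helper that parses xymonnet.log lines of the form David posted and unpacks the OpenSSL error code, showing that 1409442E is a TLS protocol_version alert (alert 70, reported by OpenSSL as reason 1000 + 70) received by xymonnet from the server. The sample log lines are constructed after the ones quoted above; the TLS_ALERTS table and the function names are mine.

```python
import re

# TLS alert numbers (RFC 5246 7.2) as OpenSSL reports them: reason = 1000 + alert.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}

# One xymonnet.log entry per line, in the form quoted in the thread.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) Unspecified SSL error in SSL_connect to (?P<test>\S+) "
                    r"\((?P<port>\d+)/tcp\) on host (?P<host>\S+): error:(?P<code>[0-9A-Fa-f]{8}):")

# Constructed sample modelled on David's excerpt; line 3 is a constructed
# handshake_failure alert and line 4 an unrelated line that must be skipped.
SAMPLE_LOG = """\
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:15:02.000001 Unspecified SSL error in SSL_connect to https (47873/tcp) on host my.ip_3.goes.here: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2016-06-07 14:15:10.000002 (constructed) unrelated xymonnet line
"""

def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x ERR_PACK code (lib:8 | func:12 | reason:12 bits)."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    alert = reason - 1000 if reason >= 1000 else None  # >= 1000: an alert the peer sent us
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert) if alert is not None else None}

def parse_log(log_text):
    """One record per SSL_connect failure line, with the decoded error merged in."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # anything else (other xymonnet chatter) is skipped
            rec = m.groupdict()
            rec.update(decode_openssl_error(rec["code"]))
            records.append(rec)
    return records

def hosts_rejecting_offered_version(log_text):
    """Hosts whose server answered with protocol_version: xymonnet is the client and the
    alert was *read* (SSL3_READ_BYTES), so the server refused the version offered."""
    return sorted({r["host"] for r in parse_log(log_text)
                   if r["alert_name"] == "protocol_version"})

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(f"{r['ts']} {r['host']}:{r['port']} alert {r['alert']} ({r['alert_name']})")
    print("hosts rejecting the offered TLS version:", hosts_rejecting_offered_version(SAMPLE_LOG))
```

A host in that list has a server-side protocol restriction (such as the `SSLProtocol -ALL +TLSv1.2` line above) that excludes the version the client offered, so the fix belongs on the client's offered version rather than on the server's configuration.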

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls12-test.patch
Type: text/x-patch
Size: 479 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20160608/2ab84c24/attachment.bin>