[Xymon] SSL Error

Jonathan Trott jtrott at dancrai.com
Fri Jan 5 01:14:48 CET 2018


Have you tried adding the keyword "sni" to the end of the host line in the 
hosts.cfg?

Thanks,
JT



From:   Scott Post <sjpostsr at gmail.com>
To:     xymon at xymon.com
Date:   05/01/18 04:03
Subject:        [Xymon] SSL Error
Sent by:        "Xymon" <xymon-bounces at xymon.com>



One of the websites that I am trying to monitor moved to a new site from 
http to https.

Upon changing in Xymon, I am now getting an SSL error.

Server Info:
Ubuntu 16.04
Xymon 4.3.25-1
Openssl Version:
OpenSSL 1.0.2g  1 Mar 2016
Xymonnet
xymonnet version 4.3.25
SSL library : OpenSSL 1.0.2f  28 Jan 2016
LDAP library: OpenLDAP 20442


Error output:
Unspecified SSL error in SSL_connect to https (47873/tcp) on host x.x.x.x: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I have tried using different combinations in the hosts.cfg
httpsc://
httpst://
--sni
--no-ssl

From the Xymon server, if I run the command:
openssl s_client -connect weburl:443, I get the errors:
CONNECTED(00000003)
140008606660248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1515083787
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

trying: openssl s_client -connect weburl:443 -servername weburl
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = weburl
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=weburl
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=weburl
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4411 bytes and written 458 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 31590AD5C7EC70D6738AE51265DE3B3351503E280EDC0F147616E93CEA374BE3
    Session-ID-ctx:
    Master-Key: FE4C481FDFEDC7933F5732859AEA6E6840848A8633E04BA4AA454ED256942E401846033109F1E9AA73534EA2B3261531
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 10800 (seconds)
    TLS session ticket:
    Start Time: 1515083843
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
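
Added example, not part of either post: a shell check that compares the two `openssl s_client` transcripts shown above (without and with `-servername`) and reports whether the server only completes the handshake when SNI is sent. The function names `handshake_ok`, `classify` and `probe` and the two sample variables are hypothetical; the samples are constructed by abridging the output in the post.

```shell
#!/bin/sh
# Constructed samples, abridged from the two s_client transcripts in the post.
PLAIN_SAMPLE='CONNECTED(00000003)
140008606660248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
no peer certificate available
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)'
SNI_SAMPLE='CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = weburl
SSL handshake has read 4411 bytes and written 458 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

# handshake_ok TRANSCRIPT: succeed only if a cipher was actually negotiated.
# "Verify return code: 0 (ok)" is deliberately ignored: the failed transcript
# prints it too, although no peer certificate was received.
handshake_ok() {
    printf '%s\n' "$1" | grep -q 'Cipher is' &&
        ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# classify PLAIN NAMED: compare transcripts taken without and with -servername.
classify() {
    if handshake_ok "$1"; then
        echo "sni-optional"
    elif handshake_ok "$2"; then
        echo "sni-required"
    else
        echo "other-failure"
    fi
}

# probe HOST [PORT]: run both commands from the post against a live server.
# Assumes an OpenSSL 1.0.2-era s_client as in the post; 1.1.1 and later send
# SNI by default, so the first call there needs -noservername added.
probe() {
    host=$1
    port=${2:-443}
    plain=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    named=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    classify "$plain" "$named"
}

classify "$PLAIN_SAMPLE" "$SNI_SAMPLE"   # prints: sni-required
```

The 7 bytes read in the failing transcript are a single TLS alert record (5-byte header plus a 2-byte alert), so the server rejected the ClientHello before sending any certificate.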

