[Xymon] random errors with imaps/pop3s servers offering TLS 1.3

Laurent Frigault lolo at troll.free.org
Tue Jul 30 15:40:42 CEST 2019


Hi,

I have found an issue when trying to monitor imaps and pop3s servers
offering TLS 1.3.

My xymon server configuration:

# freebsd-version -u
12.0-RELEASE-p5

# openssl version
OpenSSL 1.1.1a-freebsd  20 Nov 2018

Standard FreeBSD xymon-server pkg:

# pkg info xymon-server-4.3.28 
xymon-server-4.3.28
Name           : xymon-server
Version        : 4.3.28
Installed on   : Fri Feb 22 14:19:11 2019 CET
Origin         : net-mgmt/xymon-server
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : net-mgmt www
Licenses       : GPLv2
Maintainer     : feld at FreeBSD.org
WWW            : http://xymon.sourceforge.net/
Comment        : System for monitoring servers and networks
Options        :
        DEBUG          : off
        LDAP           : off
        NETSNMP        : off
Shared Libs required:
        libcares.so.2
        libpng16.so.16
        libpcre.so.1
        librrd.so.8
Annotations    :
        FreeBSD_version: 1200086
        cpe            : cpe:2.3:a:xymon:xymon:4.3.28:::::freebsd12:x64
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 26.5MiB
...

# ldd /usr/local/www/xymon/server/bin/xymonnet 
/usr/local/www/xymon/server/bin/xymonnet:
        libcares.so.2 => /usr/local/lib/libcares.so.2 (0x80027c000)
        libssl.so.111 => /usr/lib/libssl.so.111 (0x800297000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x80032c000)
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800619000)
        libc.so.7 => /lib/libc.so.7 (0x8006bd000)
        libthr.so.3 => /lib/libthr.so.3 (0x800ab0000)


When trying to monitor a pop3s or imaps server offering TLS 1.3, I got
random errors:

WARNING: Flapping status
Service imaps on xxx is not OK : Unexpected service response

If I monitor the same services on another server not offering TLS 1.3,
all is fine.

Both servers were running Dovecot.

I wrote an extension in Perl using IO::Socket::SSL (and the same local
openssl) to monitor the server offering TLS 1.3 and all is fine with it.

For some strange reason, I can monitor https web servers (running
nginx or apache) offering TLS 1.3 without this issue but not
imaps/pop3s.

It looks like the https test is different from other ssl/tls tests and
does not have the TLS 1.3 issue.

Regards,
-- 
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registar ID 74
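
An independent greeting check of the kind the message describes, pinned to one TLS version at a time so that TLS 1.2 and TLS 1.3 results can be compared over repeated runs. This is an added example in Python, not the poster's Perl extension and not Xymon code; the function names, the timeout and the round count are assumptions.

```python
import socket
import ssl
import sys
from collections import Counter

# Port and expected start of the greeting line (IMAP "* OK", POP3 "+OK").
GREETINGS = {"imaps": (993, b"* OK"), "pop3s": (995, b"+OK")}

def read_greeting(sock, limit=4096):
    """Read up to the first CRLF; a short first read is not treated as final."""
    buf = b""
    while b"\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(512)
        if not chunk:  # peer closed before completing the line
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0]

def classify(service, line):
    """Map a greeting line to a monitoring status."""
    if line.startswith(GREETINGS[service][1]):
        return "ok"
    return "unexpected response" if line else "empty response"

def probe(host, service, version, timeout=10.0):
    """Connect with exactly one TLS version and check the greeting."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, GREETINGS[service][0]), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), classify(service, read_greeting(tls))

def tally(host, service, rounds=20):
    """Repeat the probe per TLS version; flapping shows up as mixed counts."""
    counts = Counter()
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        for _ in range(rounds):
            try:
                counts[probe(host, service, version)] += 1
            except OSError as exc:  # includes ssl.SSLError and timeouts
                counts[(version.name, "error: " + type(exc).__name__)] += 1
    return counts

if __name__ == "__main__":
    # Usage: script.py HOST imaps|pop3s
    for key, n in sorted(tally(sys.argv[1], sys.argv[2]).items()):
        print(key, n)
```

A server that answers "ok" on every TLS 1.2 round and on every TLS 1.3 round is behaving consistently, which points the investigation at the monitoring client rather than the mail server.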

