[Xymon] monitoring websites behind cloudflare?

Bruce Ferrell bferrell at baywinds.org
Tue Mar 3 22:46:33 CET 2020


Matt,

Just for giggles I did a manual test using openssl:

openssl s_client -connect 104.18.5.68:443

With the following results:

CONNECTED(00000003)
140619981215560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

This means that the IP address isn't serving SSL.

One I know is serving SSL:

openssl s_client -connect 50.196.187.248:443


CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = baywinds.org
verify return:1
---
Certificate chain
  0 s:/CN=baywinds.org
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

<cert info>

-----END CERTIFICATE-----
subject=/CN=baywinds.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3233 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 338A6AA8E41A643BD51B57CB6BF55A9619110159A3390AD761C3E4AB1853437E
     Session-ID-ctx:
     Master-Key: 13BD58F4497A226F3B3713569D39CD38F2445C98E6D91D866BD8AB99CABBAF1D93599AB5CF5150FC2DE4CFDC6E99FADC
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:

blah blah blah

.......

Bottom line, that IP address isn't serving HTTPS.





On 3/3/20 10:05 AM, Matthew Goebel wrote:
> Hello,
>
>   We are running xymon 4.3.29 on sles 12 and trying to monitor a website that
> is behind cloudflare but I cannot find a combo of https flags in hosts.cfg
> that will connect to cloudflare.  Has anyone else had this issue and come up with
> a solution?  I have literally tried every reasonable combo...
>
> "Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
>
> Thanks,
> Matt
>
> -- 
> Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
> Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
>  "Always with the negative waves, Moriarty" - Oddball
>  "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
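
As an added example (not part of the original posts, and not Xymon or OpenSSL code): a small Python classifier for the first bytes a server returns after a ClientHello, plus a decoder for the two OpenSSL error codes quoted in this thread. The sample byte strings are constructed, the function names are hypothetical, and the error-code decoding assumes the OpenSSL 1.0/1.1 error-code layout.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          70: "protocol_version", 80: "internal_error", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}

def classify_reply(data: bytes) -> dict:
    """Classify the first bytes a server sent back after a ClientHello."""
    if len(data) < 5:
        return {"kind": "empty" if not data else "truncated"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4 or length > 2**14 + 2048:
        return {"kind": "not_tls", "preview": data[:16]}  # e.g. plain HTTP or an SSH banner
    out = {"kind": CONTENT_TYPES[ctype], "record_version": f"3.{minor}", "length": length}
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:
        out["level"] = LEVELS.get(body[0], f"unknown({body[0]})")
        out["description"] = ALERTS.get(body[1], f"alert({body[1]})")
    elif ctype == 22 and body:
        out["handshake_type"] = "server_hello" if body[0] == 2 else f"type({body[0]})"
    return out

def alert_from_openssl_error(code_hex: str):
    """Return the TLS alert number packed into an OpenSSL 1.x error code, or None.

    Assumes the OpenSSL 1.0/1.1 layout: reason = low 12 bits, and reasons
    1000..1255 mean "peer sent alert (reason - 1000)".
    """
    reason = int(code_hex, 16) & 0xFFF
    return reason - 1000 if 1000 <= reason <= 1255 else None

# Constructed sample replies (not captured from any host on this page).
SAMPLES = {
    "7-byte fatal alert": bytes.fromhex("15030300020228"),
    "start of ServerHello": bytes.fromhex("160303005d020000590303"),
    "plain HTTP": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} {classify_reply(raw)}")
    for code in ("14094410", "140770FC"):  # the two error codes quoted in this thread
        print(code, "-> alert", alert_from_openssl_error(code))
```

A TLS alert record is a 5-byte header plus a 2-byte body, so a 7-byte reply is worth decoding before drawing a conclusion about what the port speaks.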
