[Xymon] cipher list in sslcert column

Jeremy Laidman jlaidman at rebel-it.com.au
Mon Apr 30 05:44:09 CEST 2012


Ralph

I believe you are correct that this shows the Xymon server's list of
ciphers.  I have different servers that I monitor, and they accept
connections using different sets of ciphers (tested with "openssl s_client
-cipher NAME-OF-CIPHER hostname") yet the lists of ciphers on each of the
Xymon sslcert status pages are identical.

Also, the output of "openssl ciphers -v" on the Xymon server is
suspiciously identical, in content and order, to those listed on the
sslcert status page.

Cheers
Jeremy

On Thu, Apr 26, 2012 at 2:59 PM, Ralph Mitchell <ralphmitchell at gmail.com> wrote:

> I was looking at the list of available ciphers in the sslcert column,
> and I'm wondering exactly what that's showing?  Even when the server
> is running mod_nss with FIPS-140 turned on, the ciphers list still
> includes 40-bit & 56-bit ciphers, which are definitely not supposed to
> be available.
>
> So, would I be right in thinking that "Available Ciphers" means
> "Ciphers available on the Xymon server", rather than "Ciphers that the
> remote system will accept"??
>
> I was hoping that it was showing the list of ciphers the remote server
> would accept, because that would tie-in with the "sslbits" option
> specifying a minimum encryption level.  As it is, if I set sslbits=256
> for my FIPS-140 server, xymon alerts because it thinks the minimum
> available bits is 40.
>
> I'm going to try sslscan (http://sourceforge.net/projects/sslscan/)
> tomorrow and see what it says.  From what I've read this evening, it
> may be necessary to hit the remote server with a request for every
> available encryption, and see what it will accept.  That's how sslscan
> does it.
>
> So, does anybody know for sure if the cipher list is local to the
> xymon server, or is it somehow gathered from the remote server??
>
> Ralph Mitchell
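The per-cipher probing discussed in this thread (one handshake per cipher, the way sslscan works, using the "openssl s_client -cipher" test from the reply) can be scripted as below. This is an added example, not part of the original messages and not Xymon code; the function names are hypothetical, and it assumes s_client is given the target as -connect host:port.

```shell
#!/bin/sh
# Added example: ask the REMOTE server about each cipher, instead of
# reading the list the monitoring host's own OpenSSL build supports.
# Usage once sourced: min_accepted_bits HOST PORT

# Every cipher name the local OpenSSL build can offer, one per line.
local_ciphers() {
    openssl ciphers 'ALL:eNULL' | tr ':' '\n'
}

# Succeeds only if the server completes a handshake using exactly $3.
# Matching the negotiated name, anchored at end of line, avoids counting
# a handshake that settled on some other suite.
accepts_cipher() {
    host=$1 port=$2 cipher=$3
    openssl s_client -cipher "$cipher" -connect "$host:$port" \
        </dev/null 2>&1 | grep -q "Cipher is $cipher\$"
}

# Key size in bits from the Enc= field of "openssl ciphers -v",
# e.g. Enc=AES(256). Prints nothing for Enc=None (null encryption).
cipher_bits() {
    openssl ciphers -v "$1" | awk -v n="$1" '$1 == n' |
        sed -n 's/.*Enc=[^(]*(\([0-9]*\)).*/\1/p'
}

# Print "bits cipher" for each cipher the remote server accepts.
scan_ciphers() {
    for c in $(local_ciphers); do
        if accepts_cipher "$1" "$2" "$c"; then
            bits=$(cipher_bits "$c")
            echo "${bits:-0} $c"
        fi
    done
}

# Weakest key size the remote server will actually negotiate.
min_accepted_bits() {
    scan_ciphers "$1" "$2" | sort -n | head -n 1 | cut -d' ' -f1
}
```

The -cipher option only selects TLS 1.2 and earlier suites; on OpenSSL 1.1.1 and later, TLS 1.3 suites are chosen with -ciphersuites and are not probed here.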

