[Xymon] Xymon 4.3.13: HTTPS check issues

Mark Felder feld at feld.me
Thu Jan 9 15:46:54 CET 2014


On Thu, Jan 9, 2014, at 8:37, Mark Felder wrote:
> I confirmed that building Xymon 4.3.13 against OpenSSL 1.0.1e 11 Feb
> 2013 fixes my previous issues. Those two servers are no longer showing
> any issues.
> 
> However, I have a different issue now that seems to be on a group of
> similarly configured servers with self signed certificates:
> 
> Error output:
> Unspecified SSL error in SSL_connect to 58148/tcp on host 66.170.1.42:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
> Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.43:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
> Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.44:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
> Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.46:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error

From someone commenting on an Ubuntu bug report containing this error
message:

"The issue is actually with certain SSLv3 servers that don't understand  
the TLSv1.1 handshake and are closing the connection. This unfortunately
can't be fixed on the client without disabling TLSv1.1, or forcing an 
SSLv3 connection."

I may be able to fix the CipherSuites on all but one of the remaining
affected servers to work around this issue. However, this is not ideal;
these are basically "appliances" where I am unsure of the consequences
of changing away from the vendor defaults. (I definitely use modern
ciphers on my normal webservers) 

I'm not comfortable with pushing this update into the FreeBSD ports tree
at this time; there's too much potential for headaches. The SNI support
is a great feature but it seems there are some very rough edges that have
not been discovered until now.
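
Added example, not part of the original message or of Xymon: a Python script that decodes the packed OpenSSL 1.0.x error code in the output quoted above and groups the failing endpoints by the TLS alert the server sent. The function names and the alert table are illustrative assumptions; the sample lines are copied from the quoted error output.

```python
import re
from collections import defaultdict

# OpenSSL 1.0.x packs an error code as 8-bit library, 12-bit function,
# 12-bit reason. For the SSL library, reasons >= 1000 are peer alerts.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246 section 7.2; 112 is RFC 6066).
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}

LINE_RE = re.compile(
    r"SSL_connect to (?P<port>\d+)/tcp on host (?P<host>[0-9.]+):\s*"
    r"error:(?P<code>[0-9A-Fa-f]{8}):"
)

# Sample input: two entries copied from the quoted output, still wrapped.
SAMPLE = """\
> Unspecified SSL error in SSL_connect to 58148/tcp on host 66.170.1.42:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
> Unspecified SSL error in SSL_connect to 64288/tcp on host 66.170.1.43:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
"""

def decode(code_hex):
    """Split a packed error code; 'alert' is set only for peer alerts."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    is_alert = lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if is_alert else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}

def summarize(text):
    """Map (alert number, alert name) -> list of (host, port) endpoints."""
    # Drop "> " quote markers and rejoin lines wrapped by the mail client.
    flat = " ".join(re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines())
    by_alert = defaultdict(list)
    for m in LINE_RE.finditer(flat):
        d = decode(m["code"])
        by_alert[(d["alert"], d["alert_name"])].append((m["host"], int(m["port"])))
    return dict(by_alert)

if __name__ == "__main__":
    for key, endpoints in summarize(SAMPLE).items():
        print(key, endpoints)
```

A reason of 1080 decodes to alert 80, so the handshake was rejected by the remote server rather than failing locally in the client.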


