[Xymon] HTTPS tests fail when only TLS 1.1 and 1.2 are enabled

Mark Felder feld at feld.me
Tue Apr 14 17:27:45 CEST 2015



On Tue, Apr 14, 2015, at 09:11, Mark Felder wrote:
> On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:
> > 
> > 
> > On Tue, Apr 14, 2015, at 06:47, Dito wrote:
> > > I saw a post back that someone suggested to use "httpst://url" but that
> > > is not working either.
> > > I am running build .17, not sure if upgrading to .18 or .19 will work,
> > > I'll read the notes.
> > > 
> > > 
> > > Is there another way to fix?
> > > 
> > 
> > From hosts.cfg man page:
> > 
> > * "t",  e.g. httpst://www.sample.com/ : use only TLSv1
> > 
> > 
> > Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
> >
> 
> Please see the attached patch. I can successfully build on FreeBSD 8.4
> and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2,
> so I'm certain I have not broken that functionality.
> 
> Considering how simple this patch is, I expect it to work reliably.
> Using this patch you should be able to specify httpst1_1:// and
> httpst1_2:// to get TLS 1.1 and 1.2.
> 

It seems that to allow mixing of schemeopts they are intended to be
single characters. My new schemeopts of "t1_1" and "t1_2" are not
working correctly. If I simply change them to "x" and "y" they work
successfully.

I'm not sure what to do here; TLS 1.3 is on the horizon and we certainly
will have more protocols in the future. I could also enable DTLS as easily
as TLS 1.1 and TLS 1.2, but that's not in large demand...

I will wait for JC to chime in. With that simple modification my patch
will work if someone really needs to force a TLS version.
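As an added illustration (not code from Xymon or from this thread), the hypothetical parser below treats every character after `https` as one scheme option, the design the message above describes, and shows why a multi-character token such as `t1_1` cannot be recognised while single characters like `x` and `y` are. The option table is an assumption: `t` comes from the hosts.cfg line quoted above, and `x` and `y` are the stand-ins the message mentions.

```python
import re
from typing import Dict, List, Optional

# Hypothetical option table modelled on the thread, not Xymon's own code:
# 't' is the hosts.cfg-documented flag (httpst:// = TLSv1 only); 'x' and 'y'
# are the single-character stand-ins the author says work for TLS 1.1 / 1.2.
SCHEME_OPTS: Dict[str, str] = {"t": "TLSv1", "x": "TLSv1.1", "y": "TLSv1.2"}

# 'http' + optional 's' + any run of option characters + '://' + target
_SPEC_RE = re.compile(r"^http(s?)([A-Za-z0-9_]*)://(.+)$")


def parse_testspec(spec: str) -> Optional[dict]:
    """Parse 'http[s][flags]://host/path', reading each flag as ONE character.

    Returns None when the spec is malformed or contains an unknown flag. That
    is what happens to a multi-character token such as 't1_1': it is read as
    't', '1', '_', '1', and '1' and '_' are not flags in the table.
    """
    m = _SPEC_RE.match(spec)
    if m is None:
        return None
    ssl, flags, target = m.groups()
    protocols: List[str] = []
    for ch in flags:                     # one option per character
        if ch not in SCHEME_OPTS:
            return None                  # unknown single-character option
        protocols.append(SCHEME_OPTS[ch])
    if protocols and not ssl:
        return None                      # TLS flags only make sense for https
    return {"https": bool(ssl), "protocols": protocols, "target": target}


def forced_protocol(spec: str) -> Optional[str]:
    """The single protocol version a spec forces, or None if none/ambiguous."""
    parsed = parse_testspec(spec)
    if parsed is None or len(parsed["protocols"]) != 1:
        return None
    return parsed["protocols"][0]


if __name__ == "__main__":
    for s in ("httpst://www.sample.com/", "httpst1_1://www.sample.com/",
              "httpsx://www.sample.com/", "httpsy://www.sample.com/"):
        print(f"{s:32} -> {forced_protocol(s)}")
```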


