[Xymon] SSL Certs on servers with multiple virtualhosts

J.C. Cleaver cleaver at terabithia.org
Thu Mar 26 22:46:10 CET 2015


On Thu, March 26, 2015 11:53 am, Troy Adams wrote:
>
> I know this is an old thread but I am still interested
> in this functionality. Does the latest Xymon support
> this?
>
> ----- Original Message -----
> From: "John D. Alexander" <JAlexander at feeneywireless.com>
> To: xymon at xymon.com
> Sent: Friday, August 9, 2013 3:03:55 PM GMT -07:00 US/Canada Mountain
> Subject: Re: [Xymon] SSL Certs on servers with multiple virtualhosts
>
> Henrik,
>
> Have you been able to make any progress on the multiple ssl VirtualHost
> issue?
>
> If need be, I can apply the patch on a system that is reachable from
> outside and give you access (https) if I can get your IP address.
>
> Thanks much
>
> John Alexander
>
>
> -----Original Message-----
> From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
> Sent: Wednesday, August 07, 2013 2:23 PM
> To: xymon at xymon.com
> Subject: Re: [Xymon] SSL Certs on servers with multiple virtualhosts
>
> On 07-08-2013 19:56, John D. Alexander wrote:
>
>> The website is private. I've already rolled back the code but I can
>> reapply the patch and take screen shots if need be.
>>
>> Judging from the fact that Xymon was saying that the certificates
>> expired about 42 years ago, a couple of the programmers here indicate
>> that it's not picking up data from the certificate properly and
>> interpreting that as the epoch and counting forward from there for
>> expiration date.
>
> Xymon uses the OpenSSL library routines to handle the SSL details, so I
> would be rather surprised if some kind of bogus certificate data got
> through all the way to the Xymon code - the openssl library is supposed to
> discard such invalid data and report an error.
>
> More likely it is some kind of integer overflow. 15500 days before now is
> suspiciously close to Jan 1st 1970 (start of Unix epoch).
>
> But it surprises me a bit, since I set up a test site here with two vhosts
> and different certificates, and the new code worked fine here - got the
> right certificate for each of the two hosts.
>
> What version of OpenSSL are you running on the server where Xymon is
> compiled? You can check by running "xymonnet --version".
>
> I'll probably send you (directly, not via the list) a test-version of
> Xymon that logs some more debugging data for this - sometime later this
> week.
>
>


Troy,

SNI was added in 4.3.13, but disabled (by default) in 4.3.14 and beyond
(since some servers didn't handle it too well).

It can be re-enabled by using the 'sni' tag in hosts.cfg or by passing
--sni as an option to xymonnet.

See https://www.xymon.com/help/manpages/man5/hosts.cfg.5.html#lbAM and
https://www.xymon.com/help/manpages/man1/xymonnet.1.html#lbAI


HTH,

-jc