[Xymon] [External] Re: How to get Windows Update info from client

Beck, Zak zak.beck at accenture.com
Thu Jun 7 10:12:29 CEST 2018


Hi

Yep, seems to be a fault in the underlying .NET libraries – it should really advertise the newer TLS protocols when making a connection but apparently only advertises 1.0 ☹

Can you try your recommended fix and let us know if it works – adding it here:

        [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
        $client.DownloadFile($downloadURL, $destinationFilePath)

If that doesn’t work, can you try:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12

Thanks

Zak

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Jonathan Trott
Sent: Thursday, 7 June 2018 00:17
To: xymon at xymon.com
Subject: [External] Re: [Xymon] How to get Windows Update info from client

Hi Kris.

Nice work on the figuring!

Checking the code for xymonclient.ps1 finds this function:

function XymonDownloadFromURL([string]$downloadURL, [string]$destinationFilePath)
{
    $downloadURL = $downloadURL.Trim()
    WriteLog "XymonDownloadFromURL - Downloading $downloadURL to $destinationFilePath"
    $client = New-Object System.Net.WebClient
    try
    {
        # for self-signed certificates, turn off cert validation
        # TODO: make this a config option
        [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $client.DownloadFile($downloadURL, $destinationFilePath)
    }
    catch
    {
        WriteLog "Error downloading: $_"
        return $false
    }
    return $true
}

A bit of googling returns the collective knowledge that by default that command only uses TLS 1.0. Seems broken....
Apparently you can add the following line to enable more protocols:

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

So I'll copy in the xymon list so someone more knowledgeable can tell me that I am wrong.

Thanks,
JT

> I figured it out!  I set my server up to only use TLSv1.2 and apparently
> the Xymon PS download scripts can't work with v1.2, they need 1.0.  When
> I reduced the TLS level down to allow v1.0 on my server it downloaded
> the file as expected.
>
> Any idea how to allow the Xymon client scripts to work with TLSv1.2?
>
>
> Thank you.
> ------------------------------------------------
> Kris Springer

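An added example, not part of the original thread or of xymonclient.ps1: one way to apply the TLS 1.2 fix discussed above while keeping the change contained. The function name Get-FileOverTls, the -SkipCertificateCheck switch and the sample URL and path are hypothetical. It assumes .NET Framework 4.5 or later, where the Tls12 enum member exists.

```powershell
# Added example (hypothetical helper, not code from xymonclient.ps1).
function Get-FileOverTls
{
    param(
        [Parameter(Mandatory=$true)] [string] $DownloadURL,
        [Parameter(Mandatory=$true)] [string] $DestinationFilePath,
        [switch] $SkipCertificateCheck   # hypothetical opt-in for self-signed server certificates
    )

    # ServicePointManager settings are process-wide, so save them and restore them afterwards.
    $oldProtocol = [Net.ServicePointManager]::SecurityProtocol
    $oldCallback = [Net.ServicePointManager]::ServerCertificateValidationCallback
    $client = New-Object System.Net.WebClient
    try
    {
        # Add TLS 1.2 to whatever is already enabled instead of overwriting the list,
        # so a server restricted to TLS 1.2 can be reached.
        [Net.ServicePointManager]::SecurityProtocol = $oldProtocol -bor [Net.SecurityProtocolType]::Tls12

        # Certificate validation stays on unless the caller explicitly asks to skip it.
        if ($SkipCertificateCheck)
        {
            [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        }

        $client.DownloadFile($DownloadURL.Trim(), $DestinationFilePath)
        return $true
    }
    catch
    {
        Write-Warning "Error downloading ${DownloadURL}: $_"
        return $false
    }
    finally
    {
        # Put the process-wide settings back and release the client.
        [Net.ServicePointManager]::SecurityProtocol = $oldProtocol
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $oldCallback
        $client.Dispose()
    }
}

# Constructed sample call (placeholder host and path):
# Get-FileOverTls -DownloadURL 'https://xymon.example.invalid/clients/update.zip' -DestinationFilePath 'C:\Temp\update.zip'
```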