[Xymon] monitoring websites behind cloudflare?

Matthew Goebel mgoebel at emich.edu
Tue Mar 3 22:52:52 CET 2020


Nice. I have figured out in the last hour or so that adding sni to the
two entries in my hosts.cfg file seems to fix this issue, and I had never
noticed the sni option before. Did not have to change the ip?

Thanks,
Matt


On Tue, Mar 3, 2020 at 4:46 PM Bruce Ferrell <bferrell at baywinds.org> wrote:

>
> Matt,
>
> Just for giggles I did a manual test using openssl:
>
> openssl s_client -connect 104.18.5.68:443
>
> With the following results:
>
> CONNECTED(00000003)
> 140619981215560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 247 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> This means that the IP address isn't serving SSL
>
> One I know is serving SSL:
>
> openssl s_client -connect 50.196.187.248:443
>
>
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = baywinds.org
> verify return:1
> ---
> Certificate chain
>   0 s:/CN=baywinds.org
>     i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>   1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>     i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
>
> <cert info>
>
> -----END CERTIFICATE-----
> subject=/CN=baywinds.org
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, prime256v1, 256 bits
> ---
> SSL handshake has read 3233 bytes and written 373 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>      Protocol  : TLSv1.2
>      Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>      Session-ID: 338A6AA8E41A643BD51B57CB6BF55A9619110159A3390AD761C3E4AB1853437E
>      Session-ID-ctx:
>      Master-Key: 13BD58F4497A226F3B3713569D39CD38F2445C98E6D91D866BD8AB99CABBAF1D93599AB5CF5150FC2DE4CFDC6E99FADC
>      Key-Arg   : None
>      Krb5 Principal: None
>      PSK identity: None
>      PSK identity hint: None
>      TLS session ticket lifetime hint: 300 (seconds)
>      TLS session ticket:
>
> blah blah blah
>
> .......
>
> Bottom line, that IP address isn't serving HTTPS
>
>
>
>
>
> On 3/3/20 10:05 AM, Matthew Goebel wrote:
> > Hello,
> >
> >   We are running xymon 4.3.29 on sles 12 and trying to monitor a website that
> > is behind cloudflare but I cannot find a combo of https flags in hosts.cfg
> > that will connect to cloudflare.  Has anyone else had this issue and come up with
> > a solution?  I have literally tried every reasonable combo...
> >
> > "Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> >
> > Thanks,
> > Matt
> >
> > --
> > Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
> > Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
> >  "Always with the negative waves, Moriarty" - Oddball
> >  "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
>
>
>

-- 
Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
-------------- next part --------------