Xymon Mailing List Archive

SSL Errors

Vernon Everett
Tue, 9 Dec 2014 11:50:52 +0800
Message-Id: <user-6664ff055b10@xymon.invalid>

Hi all

Thanks for that.
httpsh works beautifully.

Regards
Vernon


On 9 December 2014 at 08:12, Tim McCloskey <user-440820cc07d6@xymon.invalid> wrote:
Vernon,

That is a bug in an early version of openssl,
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2240.
Guessing that you can't patch it, so like Scott mentioned you could try to
force a version, one that you have.  The following is from the docs in
4.2.0, I did not check if these are still available in 4.3.17.

"
Forcing an HTTP or SSL version
    Some SSL sites will only allow you to connect, if you use specific
"dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience
shows that this fails on some systems.

    bbtest-net can be told to use specific dialects, by adding one or more
"dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:

    * "2", e.g. https2://www.sample.com/ : use only SSLv2
    * "3", e.g. https3://www.sample.com/ : use only SSLv3
    * "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
    * "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
    * "10", e.g. http10://www.sample.com/ : use HTTP 1.0
    * "11", e.g. http11://www.sample.com/ : use HTTP 1.1

    These can be combined where it makes sense, e.g. to force SSLv2 and
HTTP 1.0 you would use "https210".
"

You could try http10://urltocert and not auto-negotiate the handshake.


Regards,

Tim


From: Xymon [xymon-bounces at xymon.com] on behalf of Vernon Everett [user-b3f8dacb72c8@xymon.invalid]
Sent: Monday, December 8, 2014 3:42 PM
To: Scott Pfister
Cc: Xymon mailinglist
Subject: Re: [Xymon] SSL Errors

Hi Scott

All I get is a new error message. :-(

https3
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

httpt
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4:
error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid
ecpointformat list

And the https status remains red.

Regards
Vernon


On 8 December 2014 at 20:50, Scott Pfister <user-3f57de7c453d@xymon.invalid> wrote:
Good morning,

What version of SSL is on the client with the cert? Was SSLv3 disabled
due to the POODLE exploit? Can you try forcing it to connect using only TLS or
SSLv3? In host.cfg set https3://... or httpst://...

thanks


On Mon, Dec 8, 2014 at 4:33 AM, Vernon Everett <user-b3f8dacb72c8@xymon.invalid> wrote:
Hi all

Trying to get an https test working to monitor certificate expiry.
Test shows up red, with very descriptive "SSL Error".

The xymonnet error appears a little more useful, but I can't find a
resolution to the problem.
Unspecified SSL error in SSL_connect to 47873/tcp on host  1.2.3.4:
error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid
ecpointformat list

Additional info.
xymonnet version 4.3.17
SSL library : OpenSSL 1.0.1j 15 Oct 2014
LDAP library: OpenLDAP 20423

Any advice appreciated.

Regards
Vernon

--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
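
The scheme modifiers quoted from the Xymon docs in this thread, decoded by an added Python sketch (not code from the thread or from Xymon itself). The function name, the result fields and the warning texts are assumptions of this example; the "t" modifier comes from Scott's reply rather than the quoted list.

```python
# Illustrative decoder for the "dialect" modifiers appended to http/https
# in a Xymon test URL. Constructed for this page; not xymonnet's parser.
MODIFIERS = {
    "10": ("http_version", "1.0"),
    "11": ("http_version", "1.1"),
    "2": ("ssl_version", "SSLv2"),
    "3": ("ssl_version", "SSLv3"),
    "t": ("ssl_version", "TLS"),       # from Scott's reply (httpst://)
    "m": ("ciphers", "128-bit only"),
    "h": ("ciphers", ">128-bit only"),
}
LEGACY = {"SSLv2", "SSLv3"}


def parse_dialect(url):
    """Return the settings a dialect-modified URL scheme asks for."""
    scheme, sep, _ = url.partition("://")
    scheme = scheme.lower()
    if not sep or not scheme.startswith("http"):
        raise ValueError(f"not an http(s) test URL: {url!r}")
    tls = scheme.startswith("https")
    rest = scheme[5:] if tls else scheme[4:]
    result = {"tls": tls, "ssl_version": "auto", "ciphers": "auto",
              "http_version": "auto", "warnings": []}
    i = 0
    while i < len(rest):
        # "10"/"11" are two characters; everything else is one.
        token = rest[i:i + 2] if rest[i:i + 2] in MODIFIERS else rest[i]
        if token not in MODIFIERS:
            raise ValueError(f"unknown modifier {token!r} in {scheme!r}")
        field, value = MODIFIERS[token]
        if result[field] != "auto":
            raise ValueError(f"conflicting {field} modifiers in {scheme!r}")
        result[field] = value
        i += len(token)
    # Assumption of this sketch: an SSL modifier without "https" is
    # flagged as a probable typo rather than rejected.
    if not tls and (result["ssl_version"] != "auto" or result["ciphers"] != "auto"):
        result["warnings"].append("SSL modifier on a non-https scheme")
    if result["ssl_version"] in LEGACY:
        result["warnings"].append(
            f"{result['ssl_version']} pinned; servers hardened after POODLE may refuse it")
    return result


if __name__ == "__main__":
    for u in ("https210://www.sample.com/", "httpsh://www.sample.com/", "httpt://1.2.3.4/"):
        print(u, parse_dialect(u))
```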
