Xymon Mailing List Archive

HTTPS tests fail when only TLS 1.1 and 1.2 are enabled

list Mark Felder
Tue, 14 Apr 2015 09:11:20 -0500
Message-Id: <user-7d589f846f75@xymon.invalid>

On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:

On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back that someone suggested to use "httpst://url" but that
is not working either.
I am running build .17 , not sure if upgrading to .18 or .19 will work,
I'll read the notes.


Is there another way to fix?
From hosts.cfg man page:

* "t",  e.g. httpst://www.sample.com/ : use only TLSv1


Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2.
Please see the attached patch. I can successfully build on FreeBSD 8.4
and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2,
so I'm certain I have not broken that functionality.

Considering how simple this patch is, I expect it to work reliably.
Using this patch you should be able to specify httpst1_1:// and
httpst1_2:// to get TLS 1.1 and 1.2.

The default for https:// connections is as follows:

	default:
	item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;

And the OpenSSL docs[1] describe this method:

    SSLv23_method(void), SSLv23_server_method(void),
    SSLv23_client_method(void)

    A TLS/SSL connection established with these methods may understand
    the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.

    If extensions are required (for example server name) a client will
    send out TLSv1 client hello messages including extensions and will
    indicate that it also understands TLSv1.1, TLSv1.2 and permits a
    fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and
    TLSv1.2 protocols. This is the best choice when compatibility is a
    concern.

So I would expect Xymon to try to use TLSv1.2 if it's available... is it
possible your Xymon server's OpenSSL version is too old? This might
require more investigation...


Anyway, I haven't proven it beyond building yet -- I need to reconfigure my
webserver to print ciphers in the logs so I can ensure it's really
working. Please feel free to give it a try.

[1] https://www.openssl.org/docs/ssl/SSL_CTX_new.html
-------------- next part --------------
Index: common/hosts.cfg.5
===================================================================
--- common/hosts.cfg.5	(revision 7627)
+++ common/hosts.cfg.5	(working copy)
@@ -1004,6 +1004,10 @@
 .br
 * "t",  e.g. httpst://www.sample.com/ : use only TLSv1
 .br
+* "t1_1", e.g. httpst1_1://www.sample.com/ : use only TLSv1.1
+.br
+* "t1_2", e.g. httpst1_2://www.sample.com/ : use only TLSv1.2
+.br
 * "m",  e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
 .br
 * "h",  e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
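Review bot: the two new "t1_1"/"t1_2" bullets do not mention that the feature is conditional, while the matching code in contest.c and httptest.c is compiled out below OpenSSL 1.0.1 (`#if OPENSSL_VERSION_NUMBER >= 0x1000100fL`); add a clause such as "(requires xymonnet built against OpenSSL 1.0.1 or later)" to each bullet, because on an older OpenSSL the URL is accepted but the test silently falls back to the default negotiated connection instead of the documented TLS-only one.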
Index: xymonnet/contest.c
===================================================================
--- xymonnet/contest.c	(revision 7627)
+++ xymonnet/contest.c	(working copy)
@@ -484,6 +484,13 @@
 			item->sslctx = SSL_CTX_new(SSLv3_client_method()); break;
 		  case SSLVERSION_TLS1:
 			item->sslctx = SSL_CTX_new(TLSv1_client_method()); break;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		  case SSLVERSION_TLS1_1:
+			item->sslctx = SSL_CTX_new(TLSv1_1_client_method()); break;
+		  case SSLVERSION_TLS1_2:
+			item->sslctx = SSL_CTX_new(TLSv1_2_client_method()); break;
+#endif
 		  default:
 			item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;
 		}
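Review bot: the `#if OPENSSL_VERSION_NUMBER` guard around the two new cases means that if SSLVERSION_TLS1_1 or SSLVERSION_TLS1_2 ever reaches this switch on a build where the guard is false (the same test is duplicated in httptest.c and the two can drift apart), the request drops into `default:` and uses `SSL_CTX_new(SSLv23_client_method())`, i.e. a negotiated connection, which is the opposite of "use only TLSv1.2" and gives no indication of the downgrade. Either add an `#else` branch that reports those two cases as unsupported, or put the guard in contest.h so the SSLVERSION_TLS1_1/TLS1_2 constants exist only when the corresponding client methods do.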
Index: xymonnet/contest.h
===================================================================
--- xymonnet/contest.h	(revision 7627)
+++ xymonnet/contest.h	(working copy)
@@ -60,6 +60,8 @@
 #define SSLVERSION_V2      1
 #define SSLVERSION_V3      2
 #define SSLVERSION_TLS1    3
+#define SSLVERSION_TLS1_1  4 
+#define SSLVERSION_TLS1_2  5
 
 typedef struct {
 	char *cipherlist;
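Review bot: trailing whitespace after `#define SSLVERSION_TLS1_1  4 `; please strip it so the line matches the surrounding defines.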
Index: xymonnet/httptest.c
===================================================================
--- xymonnet/httptest.c	(revision 7627)
+++ xymonnet/httptest.c	(working copy)
@@ -487,6 +487,11 @@
 		if      (strstr(httptest->weburl.desturl->schemeopts, "3"))      sslopt_version = SSLVERSION_V3;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "2"))      sslopt_version = SSLVERSION_V2;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "t"))      sslopt_version = SSLVERSION_TLS1;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_1"))   sslopt_version = SSLVERSION_TLS1_1;
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_2"))   sslopt_version = SSLVERSION_TLS1_2;
+#endif
 
 		if      (strstr(httptest->weburl.desturl->schemeopts, "h"))      sslopt_ciphers = ciphershigh;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "m"))      sslopt_ciphers = ciphersmedium;
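Review bot: the two new branches are unreachable in this `if`/`else if` chain. `strstr(schemeopts, "2")` already matches the "t1_2" option string and selects SSLVERSION_V2 (SSLv2), and `strstr(schemeopts, "t")` matches "t1_1" and selects SSLVERSION_TLS1, so httpst1_1:// and httpst1_2:// never reach the new tests. Move the "t1_2" and "t1_1" checks to the top of the chain, ahead of the "3"/"2"/"t" checks, so the most specific token wins.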
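The scheme-option matching that httptest.c does with strstr() (the options can be combined, e.g. httpsh3:// for SSLv3 with strong ciphers, which is why substring tests are used), reproduced here as an added example that is not Xymon's code or part of the patch. It runs without OpenSSL and shows the effect of the order in which the option tokens are tested: the order in the patch beside an order with the most specific token first. The SSLVERSION_* values are copied from contest.h; the function names sslopt_patch_order, sslopt_fixed_order, scheme_opts and sslopt_for_url, and the sample URLs, are assumptions for this demo.

```c
/* Added example (not Xymon's code): mimics the strstr()-based scheme
 * option matching in xymonnet/httptest.c.  SSLVERSION_* mirror
 * xymonnet/contest.h; function names are assumptions for this demo. */
#include <stdio.h>
#include <string.h>

#define SSLVERSION_DEFAULT 0
#define SSLVERSION_V2      1
#define SSLVERSION_V3      2
#define SSLVERSION_TLS1    3
#define SSLVERSION_TLS1_1  4
#define SSLVERSION_TLS1_2  5

/* Token order as in the posted patch: "3", "2", "t" are tested first,
 * so "t1_2" is caught by "2" and "t1_1" by "t". */
int sslopt_patch_order(const char *schemeopts)
{
    int v = SSLVERSION_DEFAULT;
    if      (strstr(schemeopts, "3"))    v = SSLVERSION_V3;
    else if (strstr(schemeopts, "2"))    v = SSLVERSION_V2;
    else if (strstr(schemeopts, "t"))    v = SSLVERSION_TLS1;
    else if (strstr(schemeopts, "t1_1")) v = SSLVERSION_TLS1_1;
    else if (strstr(schemeopts, "t1_2")) v = SSLVERSION_TLS1_2;
    return v;
}

/* Most specific token first, so "t1_2"/"t1_1" are not swallowed
 * by the shorter "2" and "t" tests. */
int sslopt_fixed_order(const char *schemeopts)
{
    int v = SSLVERSION_DEFAULT;
    if      (strstr(schemeopts, "t1_2")) v = SSLVERSION_TLS1_2;
    else if (strstr(schemeopts, "t1_1")) v = SSLVERSION_TLS1_1;
    else if (strstr(schemeopts, "3"))    v = SSLVERSION_V3;
    else if (strstr(schemeopts, "2"))    v = SSLVERSION_V2;
    else if (strstr(schemeopts, "t"))    v = SSLVERSION_TLS1;
    return v;
}

/* Extract the scheme options from a test URL the way xymonnet sees them:
 * "httpst1_2://host/" -> "t1_2", "https://host/" -> "".  Returns NULL
 * for anything that is not an https* URL or does not fit in buf. */
const char *scheme_opts(const char *url, char *buf, size_t buflen)
{
    const char *sep;
    size_t n;
    if (strncmp(url, "https", 5) != 0) return NULL;
    sep = strstr(url + 5, "://");
    if (!sep) return NULL;
    n = (size_t)(sep - (url + 5));
    if (n >= buflen) return NULL;
    memcpy(buf, url + 5, n);
    buf[n] = '\0';
    return buf;
}

/* Version selected for a whole URL with the fixed order; -1 if not https*. */
int sslopt_for_url(const char *url)
{
    char opts[32];
    if (!scheme_opts(url, opts, sizeof opts)) return -1;
    return sslopt_fixed_order(opts);
}

static const char *version_name(int v)
{
    switch (v) {
    case SSLVERSION_V2:     return "SSLv2";
    case SSLVERSION_V3:     return "SSLv3";
    case SSLVERSION_TLS1:   return "TLSv1";
    case SSLVERSION_TLS1_1: return "TLSv1.1";
    case SSLVERSION_TLS1_2: return "TLSv1.2";
    default:                return "SSLv23 (negotiated)";
    }
}

int main(void)
{
    /* Constructed sample URLs in hosts.cfg style. */
    const char *urls[] = { "https://www.sample.com/", "httpst://www.sample.com/",
                           "httpst1_1://www.sample.com/", "httpst1_2://www.sample.com/",
                           "httpsh3://www.sample.com/" };
    char opts[32];
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        if (!scheme_opts(urls[i], opts, sizeof opts)) continue;
        printf("%-30s opts=%-5s patch order: %-20s fixed order: %s\n", urls[i], opts,
               version_name(sslopt_patch_order(opts)),
               version_name(sslopt_fixed_order(opts)));
    }
    return 0;
}
```

Run it and the "patch order" column shows httpst1_2:// mapped to SSLv2 and httpst1_1:// to TLSv1, while the "fixed order" column gives TLSv1.2 and TLSv1.1; the combined httpsh3:// case still resolves to SSLv3 in both orders, which is the behaviour the strstr() approach is meant to preserve.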