Xymon Mailing List Archive search

monitoring websites behind cloudflare?

list Matthew Goebel
Tue, 3 Mar 2020 16:52:52 -0500
Message-Id: <CAM3+a+nXfeHyUk_ZJ4AN-DNbVGZZUoQ=user-282df2f47f4d@xymon.invalid>

Nice. I have figured out in the last hour or so that adding sni to the two entries in my hosts.cfg file seems to fix this issue, and I had never noticed the sni option before. Did not have to change the IP?

Thanks,
Matt


On Tue, Mar 3, 2020 at 4:46 PM Bruce Ferrell <user-24fbf1912cfe@xymon.invalid> wrote:
Matt,

Just for giggles I did a manual test using openssl:

openssl s_client -connect 104.18.5.68:443

With the following results:

CONNECTED(00000003)
140619981215560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

This means that the IP address isn't serving SSL

One I know is serving SSL:

openssl s_client -connect 50.196.187.248:443


CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = baywinds.org
verify return:1
---
Certificate chain
  0 s:/CN=baywinds.org
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

<cert info>

-----END CERTIFICATE-----
subject=/CN=baywinds.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3233 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID:
338A6AA8E41A643BD51B57CB6BF55A9619110159A3390AD761C3E4AB1853437E
     Session-ID-ctx:
     Master-Key:
13BD58F4497A226F3B3713569D39CD38F2445C98E6D91D866BD8AB99CABBAF1D93599AB5CF5150FC2DE4CFDC6E99FADC
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:

blah blah blah

.......

Bottom line, that IP address isn't serving HTTPS


On 3/3/20 10:05 AM, Matthew Goebel wrote:
Hello,

  We are running xymon 4.3.29 on sles 12 and trying to monitor a website that is behind cloudflare, but I cannot find a combo of https flags in hosts.cfg that will connect to cloudflare. Has anyone else had this issue and come up with a solution? I have literally tried every reasonable combo...

"Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Thanks,
Matt

--
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
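What the hosts.cfg sni option changes on the wire, as an added example that is not code from this thread or from Xymon: a Cloudflare edge address such as 104.18.5.68 fronts many host names, so the client has to name the site in the server_name (SNI) extension of its ClientHello before the edge can choose a certificate. A ClientHello with no SNI, which is what a probe aimed at a bare IP address sends, is answered with a handshake alert rather than a certificate, which is the "sslv3 alert handshake failure" in the original report. The openssl counterpart of the sni option is "openssl s_client -connect 104.18.5.68:443 -servername HOSTNAME"; without -servername the manual test above is repeating the same SNI-less handshake the monitor was doing. The Python below builds a minimal TLS 1.2 ClientHello with and without the extension and parses the host name back out with every length field bounds-checked, the same parse an SNI-based front end or a passive network sensor performs. The host name HOST and the three-suite cipher list are constructed placeholders.

```python
"""Build a TLS ClientHello with and without the server_name (SNI) extension
and parse the host name back out of a ClientHello, the parse an SNI-based
front end does before it picks a certificate.  Added example: not code from
this thread or from Xymon.  HOST and the cipher list are constructed values."""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00      # NameType host_name
HOST = "www.example.com"  # constructed placeholder host name


def build_client_hello(sni: Optional[str]) -> bytes:
    """Return one TLS record carrying a TLS 1.2 ClientHello.

    sni=None omits the extensions block entirely, which is what a client that
    was only given an IP address sends."""
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += os.urandom(32)                      # random
    body += b"\x00"                             # empty session_id
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c"       # three AES-GCM suites (constructed)
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                         # compression_methods: null only
    if sni is not None:
        host = sni.encode("idna")               # A-label; SNI is ASCII on the wire
        name = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record header: content type, legacy record version 3.1, length
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None when the client
    sent no SNI.  Raises ValueError for anything that is not a well-formed
    ClientHello; every length field is checked before it is trusted."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # skip client_version and random
    pos = _skip_vector(body, pos, 1)      # session_id
    pos = _skip_vector(body, pos, 2)      # cipher_suites
    pos = _skip_vector(body, pos, 1)      # compression_methods
    if pos == len(body):
        return None                       # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions length exceeds message")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension length exceeds block")
        if etype == EXT_SERVER_NAME:
            return _host_name(body[pos:pos + elen])
        pos += elen
    return None


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("short read")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _skip_vector(buf: bytes, pos: int, width: int) -> int:
    """Step over a length-prefixed vector with a width-byte length field."""
    if pos + width > len(buf):
        raise ValueError("short read")
    n = int.from_bytes(buf[pos:pos + width], "big")
    if pos + width + n > len(buf):
        raise ValueError("vector length exceeds message")
    return pos + width + n


def _host_name(data: bytes) -> Optional[str]:
    """Walk a ServerNameList and return its first host_name entry."""
    pos, end = 2, 2 + _u16(data, 0)
    if end > len(data):
        raise ValueError("server_name list length exceeds extension")
    while pos + 3 <= end:
        ntype, nlen = data[pos], _u16(data, pos + 1)
        pos += 3
        if pos + nlen > end:
            raise ValueError("host_name length exceeds list")
        if ntype == SNI_HOST_NAME:
            return data[pos:pos + nlen].decode("ascii")
        pos += nlen
    return None


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello(HOST)),
                         ("without SNI", build_client_hello(None))):
        print(f"{label}: {len(hello)}-byte record, server_name={parse_sni(hello)!r}")
```

Running the block prints the two records side by side: the SNI-less one is the shorter record and parses to no server_name, which is exactly the ClientHello an edge that needs SNI rejects. The parser refuses truncated or inconsistent length fields instead of reading past the buffer, which matters when the same logic is run over untrusted captures.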