Hi Henrik,
httpst://www.example.com/, yes this is how our entries are set. I
should have shared it before but the only change made to our
environment was to update the Apache .conf file with this entry:
SSLProtocol -ALL +TLSv1.2
If I want xymon to not error I could change it back to:
SSLProtocol -ALL +TLSv1
But then I would be using TLSv1.0 and our servers will fail security scans
The xymon entry is httpst as we have been using TLS for some time.
*From:*Henrik Størner [mailto:user-ce4a2c883f75@xymon.invalid]
*Sent:* Wednesday, June 8, 2016 3:14 AM
*To:* Gore, David W (David); xymon at xymon.com
*Subject:* Re: [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi,
Xymon asks OpenSSL to connect using any available SSL/TLS protocol and
this should auto-negotiate to whatever protocol both sides support,
which is what SSL/TLS clients (browsers etc) would normally do.
This is different from what you do with the command-line tests below;
you explicitly request one of the TLS 1.x methods, so auto-negotiate
is turned off. Could you running this command without the "-tls*" option?
Have you tried to configure Xymon to specifically use TLS 1? Put
"httpst://www.example.com/" in hosts.cfg (the the 't' added to https).
This will specifically request a TLSv1 connection. You are right that
Xymon does not have similar ways to request TLSv1.1 and TLSv1.2
connections.
Regards,
Henrik
Den 07-06-2016 kl. 16:26 skrev Gore, David W (David):
Hi Henrik,
It is. Specifically I use this:
openssl s_client -connect xymon:443 -tls1 2>/dev/null | grep
Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_1 2>/dev/null | grep
Renegotiation
Secure Renegotiation IS NOT supported
openssl s_client -connect xymon:443 -tls1_2 2>/dev/null | grep
Renegotiation
Secure Renegotiation IS supported
This is what xymon logs in xymonnet.log which you can also see
alerting for the xymonnet column on the web page:
2016-06-07 14:09:53.879678 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_1.goes.here: error:1409442E:SSL
routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970374 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL
routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-06-07 14:14:41.970753 Unspecified SSL error in SSL_connect to
https (47873/tcp) on host my.ip_2.goes.here: error:1409442E:SSL
routines:SSL3_READ_BYTES:tlsv1 alert protocol version
This is Mark’s post:
http://lists.xymon.com/pipermail/xymon/2015-April/041568.html
My guess is, Xymon doesn’t properly support the minor versions of TLS?
*From:*Henrik Størner [mailto:user-ce4a2c883f75@xymon.invalid]
*Sent:* Tuesday, June 7, 2016 9:51 AM
https://xymon1.domain.com <https://xymon1.domain.com/>*To:*Gore,
David W (David); xymon at xymon.com <mailto:xymon at xymon.com>
*Subject:* [E] Re: [Xymon] Support for TLS v1.1 and 1.2?
Hi David,
Xymon uses the openssl library on the Xymon server to do SSL/TLS.
So the most basic of tests would be to run "openssl s_client
-connect xymon1.domain.com:443" to see if your OpenSSL library
supports the necessary protocols.
Note that you may have multiple versions of OpenSSL installed, so
to be 100% sure check the version of OpenSSL that Xymon uses:
"xymonnet --version" will tell you which OpenSSL version it was
compiled with, and "ldd ~xymon/server/bin/xymonnet" will show you
(on Linux, at least) what the actual library is that is used by
xymonnet.
Regards,
Henrik
Den 07-06-2016 kl. 00:20 skrev Gore, David W (David):
Mark Felder,
Mentioned last year around April 17^th , 2015 where Xymon
support for TLS v1.1 and v1.2 may be lacking. Perhaps the
issue is more my naiveté but does anyone know how I can get
the sslcert and http tests to work correctly with Apache and
Xymon.
red https://xymon1.domain.com/ - SSL error
The sslcert test goes purple.
Os: Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
Xymon: 4.3.26
David W Gore