Xymon Mailing List Archive search

cipher list in sslcert column

list Phil Crooker
Tue, 01 May 2012 11:32:51 +1000
Message-Id: <user-2723a81907a8@xymon.invalid>

Just out of interest, I noticed this a while back, that the apache
servers are showing the entire cipher list in the sslcert test. However
we also use IBM's HTTP Server (an apache server with modifications)
which uses a different SSL module, mod_ibm_ssl.so. When xymon tests
these servers it returns the ciphers actually in use. So I thought the
apache mod_ssl was involved in the output as well.

cheers, Phil

On 30/04/2012 at 2:43 PM, in message <user-b39b9dca4d72@xymon.invalid>,
Ralph Mitchell <user-00a5e44c48c0@xymon.invalid> wrote:
So, the question is, does the sslbits option look at the actual
connection xymon just made to the remote server, or is it looking at
the lowest number of bits in the cipher list?  If the latter, that's
pretty much worthless as a test...

xymonnet/contest.c, starting at line 653, loops through available
ciphers and saves lowest number of bits in item->mincipherbits.

Right above that loop there are several calls to X509 functions to get
the CN and the start/end times.  If there's one that would get the
number of bits for the actual connection, that could replace the loop
and the sslbits test would be all good.  I think.  Maybe.  Dunno
enough about x509 programming, that's fer sure!  :-)

Or maybe I'm overlooking something - wouldn't be the first time... :-)
Ralph Mitchell


On Sun, Apr 29, 2012 at 11:44 PM, Jeremy Laidman
<user-71895fb2e44c@xymon.invalid> wrote:
Ralph

I believe you are correct that this shows the Xymon server's list of
ciphers.  I have different servers that I monitor, and they accept
connections using different sets of ciphers (tested with "openssl s_client
-cipher NAME-OF-CIPHER hostname") yet the lists of ciphers on each of the
Xymon sslcert status pages are identical.

Also, the output of "openssl ciphers -v" on the Xymon server is suspiciously
identical, in content and order, to those listed on the sslcert status page.

Cheers
Jeremy

On Thu, Apr 26, 2012 at 2:59 PM, Ralph Mitchell
<user-00a5e44c48c0@xymon.invalid> wrote:
I was looking at the list of available ciphers in the sslcert column,
and I'm wondering exactly what that's showing?  Even when the server
is running mod_nss with FIPS-140 turned on, the ciphers list still
includes 40-bit & 56-bit ciphers, which are definitely not supposed to
be available.

So, would I be right in thinking that "Available Ciphers" means
"Ciphers available on the Xymon server", rather than "Ciphers that the
remote system will accept"??

I was hoping that it was showing the list of ciphers the remote server
would accept, because that would tie-in with the "sslbits" option
specifying a minimum encryption level.  As it is, if I set sslbits=256
for my FIPS-140 server, xymon alerts because it thinks the minimum
available bits is 40.

I'm going to try sslscan (http://sourceforge.net/projects/sslscan/)
tomorrow and see what it says.  From what I've read this evening, it
may be necessary to hit the remote server with a request for every
available encryption, and see what it will accept.  That's how sslscan
does it.

So, does anybody know for sure if the cipher list is local to the
xymon server, or is it somehow gathered from the remote server??

Ralph Mitchell
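The thread above conflates three different things: the cipher list the local OpenSSL offers (what the sslcert column appears to print), the cipher the remote server actually negotiated on one connection (what a minimum-bits check should compare against), and the set of ciphers the remote server will accept at all (what sslscan enumerates). The script below, an added example that is not Xymon code and not from this thread, separates the three; `monitored.example` is a placeholder host, the candidate cipher names are constructed, and the per-cipher probe only governs TLS 1.2 and below because `set_ciphers()` does not select TLS 1.3 suites.

```python
"""Local cipher list vs. negotiated cipher vs. ciphers the remote host accepts."""
import socket
import ssl

# Constructed candidate list for the probe; any OpenSSL cipher name will do.
# Names the local OpenSSL build lacks are skipped rather than reported.
CANDIDATES = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384", "DES-CBC3-SHA"]


def local_cipher_list(ctx=None):
    """Ciphers the *local* OpenSSL offers, as (name, strength_bits) pairs.
    No remote host is contacted: this is the list a check sees if it only
    walks its own SSL context, and its minimum says nothing about the server."""
    ctx = ctx or ssl.create_default_context()
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def min_cipher_bits(ciphers):
    """Lowest key strength in a (name, bits) list, or None if the list is empty."""
    return min((bits for _, bits in ciphers), default=None)


def negotiated_cipher(host, port=443, timeout=5.0):
    """One real handshake; returns (name, protocol, bits) of the cipher the
    server actually selected.  This is the value an sslbits-style minimum
    should be compared against, not the local list above."""
    ctx = ssl.create_default_context()          # certificate is still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


def accepted_ciphers(host, port=443, candidates=CANDIDATES, timeout=5.0):
    """sslscan-style enumeration: offer each candidate on its own and keep the
    ones for which the handshake completes.  Verification is off because the
    question here is cipher acceptance, not certificate validity."""
    accepted = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # set_ciphers() scope
        try:
            ctx.set_ciphers(name)                      # SSLError if unknown locally
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    used, _proto, bits = tls.cipher()
                    accepted.append((used, bits))
        except (ssl.SSLError, OSError):
            continue                                   # rejected, unknown, or unreachable
    return accepted
```

Comparing `min_cipher_bits(local_cipher_list())` with `min_cipher_bits(accepted_ciphers("monitored.example"))` on a host that only allows strong suites shows why a threshold evaluated against the local list fires spuriously.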