Xymon Mailing List Archive

SSL Error [SEC=UNCLASSIFIED]

David Baldwin
Thu, 3 Nov 2016 15:22:41 +1100
Message-Id: <user-463237ce29ad@xymon.invalid>

Martin,

There is an option for xymonnet to enable SNI - here's my tasks.cfg
snippet - see man xymonnet

[xymonnet]
        ENVFILE /home/xymon/server/etc/xymonserver-net.cfg
        NEEDS xymond
        CMD xymonnet --report --ping --checkresponse --bb-proxy-syntax --sni=on --timeout=20 --sslkeysize=2048
        LOGFILE $XYMONSERVERLOGS/xymonnet.log
        INTERVAL 5m

Hi Xymon community,

I'm getting a bunch of SSL Error alerts on some websites.

Here is one example:

https://kct-uat.agriculture.vic.gov.au/

If I add this to xymon, I get:

Thu Nov 3 03:50:38 2016: SSL error
red https://kct-uat.agriculture.vic.gov.au/- SSL error

I did some digging through the xymon archives and openssl errors and
found this:

http://lists.xymon.com/archive/2013-January/036688.html

and this:

http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate


So when I run this command from my Xymon server I get the 104 error:

# openssl s_client -connect kct-uat.agriculture.vic.gov.au:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

But if I add the SNI, I get a nice connection:

# openssl s_client -connect kct-uat.agriculture.vic.gov.au:443 -servername kct-uat.agriculture.vic.gov.au
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
SHA2 High Assurance Server CA
verify return:1
depth=0 C = AU, ST = Victoria, L = Melbourne, O = "Department of
Economic Development, Jobs Transport and Resources", CN =
*.agriculture.vic.gov.au
verify return:1

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID:
DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF
    Session-ID-ctx:
    Master-Key:
0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76

    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1478145325
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

But now I'm not sure what to do next... Any ideas?

Thanks,

Martin.


-- 
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission          http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid          1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
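The two `openssl s_client` runs in the thread (no SNI: connection reset, no certificate; with `-servername`: clean handshake) are exactly the condition `xymonnet --sni=on` fixes. The following is an added example, not code from the thread or from Xymon: a small Python check that performs both handshakes itself and reports whether a host requires SNI, plus a parser for `s_client` transcripts so the classification can be exercised offline. The sample transcripts are constructed from the output quoted above; the function names are my own.

```python
import socket
import ssl

# Constructed sample transcripts, trimmed from the s_client output quoted
# in the thread, so classify_s_client() can be exercised without a network.
NO_SNI_OUTPUT = """CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

SNI_OUTPUT = """CONNECTED(00000003)
depth=0 C = AU, CN = *.agriculture.vic.gov.au
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Verify return code: 0 (ok)
"""


def classify_s_client(output: str) -> str:
    """Summarise an `openssl s_client` transcript as 'no-certificate'
    (server reset the handshake or sent nothing), 'handshake-ok' or 'unknown'."""
    if "no peer certificate available" in output or "Cipher is (NONE)" in output:
        return "no-certificate"
    if "Verify return code:" in output or "Cipher is " in output:
        return "handshake-ok"
    return "unknown"


def handshake(host: str, port: int, use_sni: bool, timeout: float = 10.0) -> bool:
    """One TLS handshake; True if the server completed it, False if it was
    reset or aborted. Verification is disabled on purpose: the question here
    is only whether the server presents a certificate at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None means no SNI extension is sent at all.
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def sni_diagnosis(host: str, port: int = 443) -> str:
    """Mirror the two s_client runs from the thread. 'requires-sni' is the
    case that shows up as 'SSL error' in xymonnet until --sni=on is set."""
    without_sni, with_sni = handshake(host, port, False), handshake(host, port, True)
    if with_sni and not without_sni:
        return "requires-sni"
    return "ok" if with_sni else "unreachable-or-tls-failure"
```

Run `sni_diagnosis("kct-uat.agriculture.vic.gov.au")` against the host from the thread to reproduce the diagnosis end to end; a result of `requires-sni` means the hosts.cfg entry will only go green with `--sni=on` in tasks.cfg.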