Xymon Mailing List Archive

XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11 ?

list Andrey Chervonets
Wed, 23 Oct 2013 13:16:07 +0300
Message-Id: <user-33c466692396@xymon.invalid>

The problem occurs for some sites with valid certificates too.
I checked access to the page with wget or lynx, and it works.
So I do not see a reason why Xymon should get "Server Timeout" for the same target.

Here is the debug output of wget. Please advise how to diagnose/debug Xymon to find the solution.
I am a bit confused why nobody is reporting the same problem:
* is nobody using the new openssl libraries?
* is nobody doing https tests for some, maybe a bit non-standard, SSL certificates or web-sites?

Anyway, my opinion: if this is working for all other tools like lynx, wget and browsers, this could also work in Xymon.

Test case: both URLs get Server Timeout in Xymon, but work with wget:

URL1: https://epak.pmlp.gov.lv/   (there is a redirect here - I found Xymon may have trouble with redirects over https)
URL2: https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx  (no redirects here, certificate valid, but Xymon cannot access it)

========= URL1: ===========
[xymon at myhost~]$  wget --debug https://epak.pmlp.gov.lv/
DEBUG output created by Wget 1.12 on linux-gnu.

--2013-10-23 13:02:52--  https://epak.pmlp.gov.lv/
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x0000000001606440 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000000001607570
certificate:
  subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
  issuer:  /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv

---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 301 Moved Permanently
Content-Length: 179
Content-Type: text/html
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 10:02:45 GMT
Connection: keep-alive

---response end---
301 Moved Permanently
Registered socket 3 for persistent reuse.
Location: https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx [following]
Skipping 179 bytes of body: [<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="
https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx">here</a></body>;] done.
--2013-10-23 13:02:52--  https://epak.pmlp.gov.lv/NYX.Nyx001.WebSite/Default.aspx
Reusing existing connection to epak.pmlp.gov.lv:443.
Reusing fd 3.

---request begin---
GET /NYX.Nyx001.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:02:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xpwkktquphtyv02va2ms1ejv; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 7365

---response end---
200 OK

Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry none] ASP.NET_SessionId xpwkktquphtyv02va2ms1ejv
Length: 7365 (7.2K) [text/html]
Saving to: `Default.aspx.2'

100%[====================================================================================================================>] 7,365       --.-K/s   in 0s
2013-10-23 13:02:52 (832 MB/s) - `Default.aspx.2' saved [7365/7365]

========= URL2 =========================

[xymon at myhost~]$  wget --debug https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
DEBUG output created by Wget 1.12 on linux-gnu.

--2013-10-23 13:03:58--  https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
Resolving epak.pmlp.gov.lv... 195.234.144.230
Caching epak.pmlp.gov.lv => 195.234.144.230
Connecting to epak.pmlp.gov.lv|195.234.144.230|:443... connected.
Created socket 3.
Releasing 0x00000000013ae4d0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000013af620
certificate:
  subject: /C=LV/ST=Riga/L=Riga/O=Office of Citizenship and Migration Affairs/OU=Department of Population Register/CN=*.pmlp.gov.lv
  issuer:  /C=US/O=Thawte, Inc./CN=Thawte SSL CA
X509 certificate successfully verified and matches host epak.pmlp.gov.lv

---request begin---
GET /NYX.Nyx002.WebSite/Default.aspx HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: epak.pmlp.gov.lv
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 23 Oct 2013 10:03:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pecngh45oqe2sk45vhthua55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 8619

---response end---
200 OK

Stored cookie epak.pmlp.gov.lv -1 (ANY) / <session> <insecure> [expiry none] ASP.NET_SessionId pecngh45oqe2sk45vhthua55
Registered socket 3 for persistent reuse.
Length: 8619 (8.4K) [text/html]
Saving to: `Default.aspx.3'

100%[====================================================================================================================>] 8,619       --.-K/s   in 0s

2013-10-23 13:03:58 (1007 MB/s) - `Default.aspx.3' saved [8619/8619]

This is the output from: User-Agent: Wget/1.12 (linux-gnu)
The output from a host with older ssl and wget is the same (except User-Agent: Wget/1.11.4 Red Hat modified)


From:   Andrey Chervonets/Cominder/LV
To:     user-ce4a2c883f75@xymon.invalid, Cc:     xymon at xymon.com
Date:   31.07.2013 18:15
Subject:        Re: XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11  ?


Yes, there may be some specific or expired certificate, but the workaround is not working anyway.

Tested: using http3 does not help on CentOS and OpenSUSE 12.3

tested with URL:  https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
and some others.


Best regards,

Andrey Chervonets
SIA CoMinder
http://www.cominder.eu/


From:   user-ce4a2c883f75@xymon.invalid
To:     Andrey Chervonets <user-e7fb5c02322c@xymon.invalid>, Cc:     <xymon at xymon.com>
Date:   25.07.2013 13:07
Subject:        Re: XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11  ?


Hi,

all indications are that this is an OpenSSL library problem (present in OpenSSL 1.x, but not in the older 0.9.x versions).

Debian has this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702635

SuSE has this:
http://lists.opensuse.org/opensuse-bugs/2013-05/msg01048.html

It appears that the problem only shows up when testing sites with specific SSL implementations; e.g. I've seen it when connecting to some IIS versions.

Apparently, a work-around is to force the use of SSLv3 instead of TLSv1; you can do that by changing the URL in hosts.cfg so it has "https3" instead of just "https".

Regards,
Henrik


On 25.07.2013 07:54, Andrey Chervonets wrote:
Good day!

I still have not received any reply to my previous messages about https
test problems in 4.3.11 or due to openssl-1.0.nnnn.
Does 4.3.12 have fixes for that?

Or what should be the steps to find the root cause and fix it?
Just tell me in which direction I should go; I am not going to take
much of your time.

P.S. Really, I am surprised nobody else reported similar problems. I
feel I have done something wrong. :(
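
One way to narrow down the "Server Timeout" discussed in this thread is to attempt one handshake per pinned protocol version and record whether the TCP connect, the handshake, or nothing at all fails. This is an added example, not part of the original messages and not Xymon code. It assumes Python 3.7+; the names `probe` and `probe_all` are illustrative, and SSLv3 (the `https3` case) is not covered because current OpenSSL builds normally omit it.

```python
import socket
import ssl
import sys

# One pinned protocol version per attempt. SSLv3 (Xymon's "https3") is left out
# because current OpenSSL/Python builds normally ship without it.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to `version`; say which stage failed, if any."""
    ctx = ssl.create_default_context()  # verifies chain and host name, as wget did
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:  # protocol compiled out of the local OpenSSL
        return "unsupported-locally: %s" % exc
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp-failed: %s" % exc
    try:
        # The socket timeout also bounds the handshake, so a server that accepts
        # the connection but never answers the ClientHello shows up as a timeout.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok: %s, cipher %s" % (tls.version(), tls.cipher()[0])
    except socket.timeout:
        return "handshake-timeout"
    except OSError as exc:  # includes ssl.SSLError (alerts, verification failures)
        return "handshake-error: %s" % exc
    finally:
        raw.close()


def probe_all(host, port=443, timeout=5.0):
    """Map each protocol label to the outcome of its pinned handshake."""
    return {name: probe(host, port, v, timeout) for name, v in VERSIONS.items()}


if __name__ == "__main__" and len(sys.argv) > 1:
    for name, outcome in probe_all(sys.argv[1]).items():
        print("%-8s %s" % (name, outcome))
```

Run it from the Xymon server itself with the monitored host name as the only argument, so the result reflects the same OpenSSL library and network path the monitor uses.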