
TLSv1 support for https?

7 messages in this thread

David W David Gore · Sat, 7 Dec 2013 10:27:53 -0500
Any chance for a patch to get TLSv1 support for https?  I have exactly one URL which is a load balancer that will only return a good status if you specify TLSv1.

I use this command to test:

openssl s_client -tls1 -connect my.ip.addr:443

I tried ssl3 and ssl2 but the results echo what I see on Xymon which is a failure:

139728778356552:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Any workarounds?

[xymon at xymon1 etc]$ xymonnet --version
xymonnet version 4.3.12
SSL library : OpenSSL 1.0.1e 11 Feb 2013
LDAP library: OpenLDAP 20423


~David
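As an added example (not from this thread or the Xymon project), the script below does two things a practitioner troubleshooting this report would want: it unpacks the `1408F10B` error line quoted above into its OpenSSL library/function/reason numbers (pre-3.0 ERR_PACK layout, matching OpenSSL 1.0.1e), and it reproduces the `openssl s_client -tls1` check in Python by pinning the client to exactly one TLS version, reporting a negotiated version, a hang, or the SSL error. The host `my.ip.addr` is the placeholder from the message; certificate verification is disabled only because this probes negotiation, not trust.

```python
import re
import socket
import ssl

# OpenSSL 1.0.x/1.1.x error line: thread:error:CODE:lib:func:reason:file:line:
ERR_LINE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")


def parse_openssl_error(line):
    """Split an OpenSSL error line into fields and unpack the packed hex code.

    Pre-3.0 ERR_PACK(lib, func, reason): 8-bit library, 12-bit function,
    12-bit reason. Library 20 is ERR_LIB_SSL. Returns None if it's not one.
    """
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    return {
        "thread": m["thread"], "code": code,
        "lib_num": (code >> 24) & 0xFF,
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
        "lib": m["lib"], "func": m["func"], "reason": m["reason"],
        "file": m["file"], "line": int(m["line"]),
    }


def probe_tls_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to one TLS version (like s_client -tls1).

    Returns the negotiated version string, 'hang' if the peer never answers
    the ClientHello before the timeout, or 'error: ...' with OpenSSL's reason.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnosing negotiation, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except socket.timeout:
        return "hang"
    except ssl.SSLError as exc:
        return "error: %s" % (exc.reason or exc)
    except OSError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, "->", probe_tls_version("my.ip.addr", 443, v))  # placeholder host
```

A load balancer that only negotiates when the client offers TLSv1 alone shows as a version for `TLSv1` and a hang or `wrong version number` for the others, which is what the `httpst://` check in this thread works around.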
Japheth Cleaver · Sat, 7 Dec 2013 11:13:47 -0800
quoted from David W David Gore

On Sat, December 7, 2013 7:27 am, Gore, David W (David) wrote:
Any chance for a patch to get TLSv1 support for https?  I have exactly one
URL which is a load balancer that will only return a good status if you
specify TLSv1.

I use this command to test:

openssl s_client -tls1 -connect my.ip.addr:443

I tried ssl3 and ssl2 but the results echo what I see on Xymon which is a
failure:

139728778356552:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:

Any workarounds?

[xymon at xymon1 etc]$ xymonnet --version
xymonnet version 4.3.12
SSL library : OpenSSL 1.0.1e 11 Feb 2013
LDAP library: OpenLDAP 20423

This came up for us with the move to RHEL/CentOS 6.5, which rebased the
openssl version to 1.0.1e. Given that xymonnet is using openssl to handle
this, I'm not sure how easy it would be to do much more... Our solution
was to fix forward.

If your site's publicly accessible, https://www.ssllabs.com/ssltest/ is a
nice site for checking against SSL mis-configs like this. Even this will
call out openssl-1.0.1e compatibility.

HTH,
-jc
David W David Gore · Sun, 8 Dec 2013 09:36:16 -0500
JC, are you implying the server is misconfigured and ssllabs would tell me why?  Regardless, it's on the intranet and not publicly accessible, not that it is a server in my realm of control anyway.  We too just upgraded to RedHat 6.5 and I was thinking I could roll back the SSL libraries to a previous release, although that is less than appealing.

~David
quoted from Japheth Cleaver

-----Original Message-----
From: Japheth Cleaver [mailto:user-87556346d4af@xymon.invalid] 
Sent: Saturday, December 07, 2013 2:14 PM
To: Gore, David W (David)
Cc: xymon at xymon.com
Subject: Re: [Xymon] [xymon] TLSv1 support for https?


On Sat, December 7, 2013 7:27 am, Gore, David W (David) wrote:
Any chance for a patch to get TLSv1 support for https?  I have exactly one
URL which is a load balancer that will only return a good status if you
specify TLSv1.

I use this command to test:

openssl s_client -tls1 -connect my.ip.addr:443

I tried ssl3 and ssl2 but the results echo what I see on Xymon which is a
failure:

139728778356552:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:

Any workarounds?

[xymon at xymon1 etc]$ xymonnet --version
xymonnet version 4.3.12
SSL library : OpenSSL 1.0.1e 11 Feb 2013
LDAP library: OpenLDAP 20423

This came up for us with the move to RHEL/CentOS 6.5, which rebased the
openssl version to 1.0.1e. Given that xymonnet is using openssl to handle
this, I'm not sure how easy it would be to do much more... Our solution
was to fix forward.

If your site's publicly accessible, https://www.ssllabs.com/ssltest/ is a
nice site for checking against SSL mis-configs like this. Even this will
call out openssl-1.0.1e compatibility.

HTH,
-jc
Henrik Størner · Sun, 08 Dec 2013 16:00:41 +0100
quoted from David W David Gore

On 07-12-2013 16:27, Gore, David W (David) wrote:
Any chance for a patch to get TLSv1 support for https?  I have exactly one
URL which is a load balancer that will only return a good status if you
specify TLSv1.

Could you try this against 4.3.12? Apply patch and recompile xymonnet,
then change your URL in hosts.cfg to begin with "httpst://..." (i.e. a
"t" after the "https").


Regards,
Henrik
Attachments (1)
David W David Gore · Sun, 8 Dec 2013 11:50:22 -0500
Works great!  Thanks Henrik!

~David
quoted from Henrik Størner

-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: Sunday, December 08, 2013 10:01 AM
To: xymon at xymon.com
Subject: Re: [Xymon] [xymon] TLSv1 support for https?

On 07-12-2013 16:27, Gore, David W (David) wrote:
Any chance for a patch to get TLSv1 support for https?  I have exactly one
URL which is a load balancer that will only return a good status if you
specify TLSv1.

Could you try this against 4.3.12? Apply patch and recompile xymonnet,
then change your URL in hosts.cfg to begin with "httpst://..." (i.e. a
"t" after the "https").


Regards,
Henrik
Japheth Cleaver · Sun, 8 Dec 2013 12:29:17 -0800
quoted from David W David Gore

On Sun, December 8, 2013 6:36 am, Gore, David W (David) wrote:
JC, are you implying the server is misconfigured and ssllabs would tell me
why?  Regardless, it's on the intranet and not publicly accessible, not
that it is a server in my realm of control anyway.  We too just upgraded
to RedHat 6.5 and I was thinking I could roll back the SSL libraries to a
previous release, although that is less than appealing.

Well, sort of, yes :)

If a simple 'openssl s_client -connect my.ip.addr:443' hangs (as it did in
our case, from any 6.5 or Fedora 19 box), then anything that's doing TLS
handshaking the same way will have the same problems. xymonnet brought it
to light, but as more and more clients start being more strict about TLS
(and cipher lists) I wouldn't be surprised if more things break in the
future.

Rolling back the openssl lib should (have) work(ed), but there's a bit of
a difference in how RPM was tagging them in x86_64 builds and that would
have required lots of other packages to be swapped out as well for us.

Also, FTR, it's not the RHEL bug indicated here:
https://bugzilla.redhat.com/show_bug.cgi?id=1022468 We had the same
problem with openssl-1.0.1e-15 and -16.


Regards,

-jc
Japheth Cleaver · Thu, 19 Dec 2013 05:27:36 -0800
quoted from Japheth Cleaver
On Sun, December 8, 2013 12:29 pm, Japheth Cleaver wrote:
On Sun, December 8, 2013 6:36 am, Gore, David W (David) wrote:
JC, are you implying the server is misconfigured and ssllabs would tell me
why?  Regardless, it's on the intranet and not publicly accessible, not
that it is a server in my realm of control anyway.  We too just upgraded
to RedHat 6.5 and I was thinking I could roll back the SSL libraries to a
previous release, although that is less than appealing.

Well, sort of, yes :)

If a simple 'openssl s_client -connect my.ip.addr:443' hangs (as it did in
our case, from any 6.5 or Fedora 19 box), then anything that's doing TLS
handshaking the same way will have the same problems. xymonnet brought it
to light, but as more and more clients start being more strict about TLS
(and cipher lists) I wouldn't be surprised if more things break in the
future.

Rolling back the openssl lib should (have) work(ed), but there's a bit of
a difference in how RPM was tagging them in x86_64 builds and that would
have required lots of other packages to be swapped out as well for us.

Also, FTR, it's not the RHEL bug indicated here:
https://bugzilla.redhat.com/show_bug.cgi?id=1022468 We had the same
problem with openssl-1.0.1e-15 and -16.

For reference (assuming it was an F5 in the middle):

https://bugzilla.redhat.com/show_bug.cgi?id=1042908
https://www.imperialviolet.org/2013/10/07/f5update.html
http://www.ietf.org/mail-archive/web/tls/current/msg10423.html


HTH,

-jc