SSL Error [SEC=UNCLASSIFIED]
Martin R Wojak Dedjtr
Hi Xymon community,

I'm getting a bunch of SSL Error alerts on some websites. Here is one example: https://kct-uat.agriculture.vic.gov.au/

If I add this to xymon, I get:

    Thu Nov 3 03:50:38 2016: SSL error red https://kct-uat.agriculture.vic.gov.au/ - SSL error

I did some digging through the xymon archives and openssl errors and found this:
http://lists.xymon.com/archive/2013-January/036688.html
and this:
http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate

so when I run this command from my Xymon server I get the 104 error:

    # openssl s_client -connect kct-uat.agriculture.vic.gov.au:443
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 247 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

But if I add the SNI, I get a nice connection:

    # openssl s_client -connect kct-uat.agriculture.vic.gov.au:443 -servername kct-uat.agriculture.vic.gov.au
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
    verify return:1
    depth=0 C = AU, ST = Victoria, L = Melbourne, O = "Department of Economic Development, Jobs Transport and Resources", CN = *.agriculture.vic.gov.au
    verify return:1
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF
        Session-ID-ctx:
        Master-Key: 0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1478145325
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

But now I'm not sure what to do next... Any ideas?

Thanks,
Martin.

---
********************************************************************************
Department of Economic Development, Jobs, Transport and Resources, Government of Victoria, Victoria, Australia.
This email, and any attachments, may contain privileged and confidential information. If you are not the intended recipient, you may not distribute or reproduce this e-mail or the attachments. If you have received this message in error, please notify us by return email.
********************************************************************************
David Baldwin
Martin,
There is an option for xymonnet to enable SNI - here's my tasks.cfg snippet - see man xymonnet:

    [xymonnet]
        ENVFILE /home/xymon/server/etc/xymonserver-net.cfg
        NEEDS xymond
        CMD xymonnet --report --ping --checkresponse --bb-proxy-syntax --sni=on --timeout=20 --sslkeysize=2048
        LOGFILE $XYMONSERVERLOGS/xymonnet.log
        INTERVAL 5m
--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830
PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid
1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
Keep up to date with what's happening in Australian sport, visit http://www.ausport.gov.au
This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
John Thurston

On 11/2/2016 8:22 PM, David Baldwin wrote:
> Martin,
>
> There is an option for xymonnet to enable SNI - here's my tasks.cfg snippet - see man xymonnet:
>
>     [xymonnet]
>         ENVFILE /home/xymon/server/etc/xymonserver-net.cfg
>         NEEDS xymond
>         CMD xymonnet --report --ping --checkresponse --bb-proxy-syntax --sni=on --timeout=20 --sslkeysize=2048
>         LOGFILE $XYMONSERVERLOGS/xymonnet.log
>         INTERVAL 5m

SNI can also be enabled per-host. See the man page for hosts.cfg:

    sni
    nosni
        Enables or disables use of SNI (Server Name Indication) for SSL tests.
        Some SSL implementations cannot handle SSL handshakes with SNI data, so Xymon by default does not use SNI. This default can be changed with the "--sni" option for xymonnet(1) but can also be managed per host with these tags.
        SNI support was added in Xymon 4.3.13, where the default was to use SNI. This was changed in 4.3.14 so SNI support is disabled by default, and the "sni" and "nosni" tags were introduced together with the "--sni" option for xymonnet.
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
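The thread's diagnosis (s_client without -servername gets a reset and "no peer certificate available", with -servername the chain verifies) generalises into a quick pre-check an operator can run over a host list before adding "sni"/"nosni" tags or flipping --sni=on for the whole xymonnet run. The script below is an added example, not code from the Xymon project or from any of the posters. The classification words (no-cert, ok, verify-fail, sni-required, ...) are this example's own; the sample s_client outputs are constructed, trimmed to the marker lines the classifier keys on, and the sni_probe function assumes an openssl binary on PATH and network access.

```shell
#!/bin/sh
# Added example (not Xymon code): decide per host whether the TLS check
# needs SNI, by classifying "openssl s_client" output with and without
# -servername. The sample outputs below are constructed for the offline demo.

SAMPLE_NO_SNI='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes'

SAMPLE_WITH_SNI='CONNECTED(00000003)
depth=0 C = AU, CN = *.example.invalid
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'

SAMPLE_BAD_CHAIN='CONNECTED(00000003)
depth=0 CN = selfsigned.example.invalid
verify error:num=18:self signed certificate
---
SSL-Session:
    Verify return code: 18 (self signed certificate)'

# classify_s_client: read s_client output on stdin and print one word:
#   no-cert      server ended the handshake without presenting a certificate
#   ok           handshake completed and the chain verified against the local CA bundle
#   verify-fail  handshake completed but verification failed (SNI is not the problem)
#   unknown      no marker matched (connection refused, timeout, not TLS, ...)
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qF 'no peer certificate available'; then
        echo no-cert
    elif printf '%s\n' "$out" | grep -qF 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$out" | grep -qF 'Verify return code:'; then
        echo verify-fail
    else
        echo unknown
    fi
}

# sni_verdict WITHOUT WITH: map the two classifications to what to do in Xymon.
sni_verdict() {
    case "$1/$2" in
        no-cert/ok)          echo sni-required ;;          # add the "sni" tag in hosts.cfg, or --sni=on
        ok/ok)               echo sni-optional ;;          # the default (nosni) works; no change needed
        no-cert/verify-fail) echo sni-required-bad-chain ;; # SNI needed AND the cert/chain is not trusted
        */verify-fail)       echo chain-problem ;;         # fix the chain or CA bundle; SNI is irrelevant
        no-cert/no-cert)     echo no-tls-or-reset ;;       # port closed, not TLS, or reset regardless of SNI
        *)                   echo inconclusive ;;
    esac
}

# sni_probe HOST [PORT]: live check. Needs network; the offline demo/test does not call it.
# On OpenSSL 1.1.1 and later s_client sends SNI by default, so the "without" run
# needs -noservername there; older builds (as in the thread) send none unless asked.
sni_probe() {
    host=$1; port=${2:-443}
    without=$(openssl s_client -connect "$host:$port" </dev/null 2>&1 | classify_s_client)
    with=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 | classify_s_client)
    echo "$host:$port without-sni=$without with-sni=$with verdict=$(sni_verdict "$without" "$with")"
}

# demo: run the classifier over the constructed samples (same shape as the thread's two runs).
demo() {
    without=$(printf '%s\n' "$SAMPLE_NO_SNI" | classify_s_client)
    with=$(printf '%s\n' "$SAMPLE_WITH_SNI" | classify_s_client)
    sni_verdict "$without" "$with"
}
```

Usage on a live host is `sni_probe kct-uat.agriculture.vic.gov.au`; a verdict of sni-required is the case from the thread and means either the per-host "sni" tag or the global --sni=on. Run it from the Xymon server itself, since the "ok" result depends on the CA bundle that server's OpenSSL uses, and a chain-problem verdict there will also show up as a red SSL check no matter how SNI is configured.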