SSL Error
list David Hay-Currie
This is another problem I am having checking some remote sites. When checking the https I get an SSL error.

I tried doing
curl -I https:hosttocheck:8080
and I get
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

I am guessing that it might be that the SSL level is not 3? These are tomato firmware Linksys routers.

If I try to do
curl -sslv2 hosttocheck:8080
I get an error that OpenSSL was built without SSLv2 support.

If I add SSLv2 to OpenSSL will the checks work? How would I go about using apt to do this in Ubuntu 12.04? I try not to build anything from source to make it easier to keep up to date, and so that the apt check do not fail.

David Hay-Currie
IT Manager
Leisure Fitness Equipment LLC
XXX Executive Dr. Suite XX
Newark, DE XXXXX
Phone: (XXX) XXX-XXXX
list Scott Post
One of the websites that I am trying to monitor moved to a new site from
http to https.
Upon changing in Xymon, I am now getting an SSL error.
Server Info:
Ubuntu 16.04
Xymon 4.3.25-1
Openssl Version:
OpenSSL 1.0.2g 1 Mar 2016
Xymonnet
xymonnet version 4.3.25
SSL library : OpenSSL 1.0.2f 28 Jan 2016
LDAP library: OpenLDAP 20442
Error output:
Unspecified SSL error in SSL_connect to https (47873/tcp) on host x.x.x.x: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I have tried using different combinations in the hosts.cfg
httpsc://
httpst://
--sni
--no-ssl
From the Xymon server, if I run the command:
openssl s_client -connect weburl:443, I get the errors:
CONNECTED(00000003)
140008606660248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1515083787
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
trying: openssl s_client -connect weburl:443 -servername weburl
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = weburl
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=weburl
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=weburl
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4411 bytes and written 458 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 31590AD5C7EC70D6738AE51265DE3B3351503E280EDC0F147616E93CEA374BE3
Session-ID-ctx:
Master-Key: FE4C481FDFEDC7933F5732859AEA6E6840848A8633E04BA4AA454ED256942E401846033109F1E9AA73534EA2B3261531
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 10800 (seconds)
TLS session ticket:
Start Time: 1515083843
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
list Jonathan Trott
Have you tried adding the keyword "sni" to the end of the host line in the hosts.cfg?

Thanks,
JT

From: Scott Post <user-0db42f24127d@xymon.invalid>
To: xymon at xymon.com
Date: 05/01/18 04:03
Subject: [Xymon] SSL Error
Sent by: "Xymon" <xymon-bounces at xymon.com>
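The two handshakes posted in this thread differ only in the -servername option, which is the difference the "sni" suggestion targets. The script below is an added example, not part of any post in the thread: it classifies a pair of openssl s_client transcripts as showing an SNI-required server or not. The function names and verdict strings are hypothetical, and the embedded samples are excerpts of the output posted above with the wrapped error line rejoined.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; samples are excerpts of the
# transcripts posted in this thread, with the wrapped error line rejoined.

# handshake_state: read one s_client transcript on stdin and print
# "ok:<cipher>", "alert:<name>" or "unknown".
handshake_state() {
    awk '
        /error:/ && /alert / { sub(/.*alert /, ""); sub(/:.*/, ""); alert = $0 }
        /^New, / && /Cipher is / { sub(/.*Cipher is /, ""); cipher = $0 }
        END {
            if (cipher != "" && cipher != "(NONE)") print "ok:" cipher
            else if (alert != "") print "alert:" alert
            else print "unknown"
        }'
}

# sni_verdict STATE_WITHOUT_SNI STATE_WITH_SNI
sni_verdict() {
    case "$1,$2" in
        ok:*,ok:*)    echo "sni-optional" ;;
        alert:*,ok:*) echo "sni-required" ;;
        *,alert:*)    echo "fails-with-sni" ;;
        *)            echo "inconclusive" ;;
    esac
}

# probe_sni HOST [PORT]: run both handshakes live (needs network access).
# OpenSSL 1.1.1 and later send SNI by default, so suppress it where possible.
probe_sni() {
    host=$1; port=${2:-443}; nosni=""
    openssl s_client -help 2>&1 | grep -q -- '-noservername' && nosni="-noservername"
    a=$(openssl s_client -connect "$host:$port" $nosni </dev/null 2>&1 | handshake_state)
    b=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 | handshake_state)
    sni_verdict "$a" "$b"
}

sample_without_sni() { cat <<'EOF'
CONNECTED(00000003)
140008606660248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
EOF
}
sample_with_sni() { cat <<'EOF'
CONNECTED(00000003)
SSL handshake has read 4411 bytes and written 458 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
EOF
}
```

In the failing transcript the server sent only 7 bytes, the size of a single TLS alert record (5-byte record header plus 2-byte alert), so it rejected the ClientHello before sending any certificate.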