Xymon Mailing List Archive

HTTPS tests fail when only TLS 1.1 and 1.2 are enabled

11 messages in this thread

list Gab Dito · Tue, 14 Apr 2015 07:47:06 -0400 ·
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.


Is there another way to fix?


Gab
list Mark Felder · Tue, 14 Apr 2015 07:50:32 -0500 ·
quoted from Gab Dito

On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.


Is there another way to fix?
From hosts.cfg man page:

* "t",  e.g. httpst://www.sample.com/ : use only TLSv1


Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
list Mark Felder · Tue, 14 Apr 2015 08:11:12 -0500 ·
quoted from Mark Felder

On Tue, Apr 14, 2015, at 07:50, Mark Felder wrote:

On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.
Is there another way to fix?
From hosts.cfg man page:

* "t",  e.g. httpst://www.sample.com/ : use only TLSv1


Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
I may have successfully created a patch to add this behavior, but I need
to do some extensive testing. Adding specific options for TLS 1.1 and
1.2 means it could break the build in environments where the OpenSSL
version does not recognize these protocols. I'm not sure we want to
break compatibility, although my personal opinion is that we should
encourage users to upgrade in the name of security....
list Gab Dito · Tue, 14 Apr 2015 10:01:53 -0400 ·
That's exactly what we did: disabled TLS1.0 as well, and SSL. HTTPST is only TLS1.0.
We'll disable TLS1.1 soon as well... in the name of security :)

I am thinking maybe an OpenSSL script could work in the meanwhile, instead
of breaking things...


Gab
quoted from Mark Felder

On Tue, Apr 14, 2015 at 9:11 AM, Mark Felder <user-db141d317836@xymon.invalid> wrote:
On Tue, Apr 14, 2015, at 07:50, Mark Felder wrote:

On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.


Is there another way to fix?
From hosts.cfg man page:

* "t",  e.g. httpst://www.sample.com/ : use only TLSv1


Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
I may have successfully created a patch to add this behavior, but I need
to do some extensive testing. Adding specific options for TLS 1.1 and
1.2 means it could break the build in environments where the OpenSSL
version does not recognize these protocols. I'm not sure we want to
break compatibility, although my personal opinion is that we should
encourage users to upgrade in the name of security....

list Mark Felder · Tue, 14 Apr 2015 09:11:20 -0500 ·
quoted from Mark Felder
On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:

On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.


Is there another way to fix?
From hosts.cfg man page:

* "t",  e.g. httpst://www.sample.com/ : use only TLSv1


Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
Please see the attached patch. I can successfully build on FreeBSD 8.4
and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2,
so I'm certain I have not broken that functionality.

Considering how simple this patch is, I expect it to work reliably.
Using this patch you should be able to specify httpst1_1:// and
httpst1_2:// to get TLS 1.1 and 1.2

The default for https:// connections is as follows:

	default:
	item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;

And the OpenSSL docs[1] describe this method:
SSLv23_method(void), SSLv23_server_method(void),
SSLv23_client_method(void)

A TLS/SSL connection established with these methods may understand
the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.

If extensions are required (for example server name) a client will
send out TLSv1 client hello messages including extensions and will
indicate that it also understands TLSv1.1, TLSv1.2 and permits a
fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and
TLSv1.2 protocols. This is the best choice when compatibility is a
concern.
So I would expect Xymon to try to use TLSv1.2 if it's available... is it
possible your Xymon server's OpenSSL version is too old? This might
require more investigation...


Anyway, I haven't proven it beyond building yet -- I need to reconfigure my
webserver to print ciphers in the logs so I can ensure it's really
working. Please feel free to give it a try.

[1] https://www.openssl.org/docs/ssl/SSL_CTX_new.html
-------------- next part --------------
Index: common/hosts.cfg.5
===================================================================
--- common/hosts.cfg.5	(revision 7627)
+++ common/hosts.cfg.5	(working copy)
@@ -1004,6 +1004,10 @@
 .br
 * "t",  e.g. httpst://www.sample.com/ : use only TLSv1
 .br
+* "t1_1", e.g. httpst1_1://www.sample.com/ : use only TLSv1.1
+.br
+* "t1_2", e.g. httpst1_2://www.sample.com/ : use only TLSv1.2
+.br
 * "m",  e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
 .br
 * "h",  e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
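Review bot: the two new entries do not say that "t1_1" and "t1_2" only take effect when xymonnet was built against OpenSSL 1.0.1 or later, although the matching code in contest.c and httptest.c is wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x1000100fL`. On an older OpenSSL the option is silently ignored and the test falls back to the default SSLv23 negotiation, so add a qualifier such as "(requires OpenSSL 1.0.1 or later; ignored otherwise)" to both lines so that an operator who sees a green test does not assume the version restriction is in force.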
Index: xymonnet/contest.c
===================================================================
--- xymonnet/contest.c	(revision 7627)
+++ xymonnet/contest.c	(working copy)
@@ -484,6 +484,13 @@
 			item->sslctx = SSL_CTX_new(SSLv3_client_method()); break;
 		  case SSLVERSION_TLS1:
 			item->sslctx = SSL_CTX_new(TLSv1_client_method()); break;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		  case SSLVERSION_TLS1_1:
+			item->sslctx = SSL_CTX_new(TLSv1_1_client_method()); break;
+		  case SSLVERSION_TLS1_2:
+			item->sslctx = SSL_CTX_new(TLSv1_2_client_method()); break;
+#endif
 		  default:
 			item->sslctx = SSL_CTX_new(SSLv23_client_method()); break;
 		}
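Review bot: when the `#if` is false, SSLVERSION_TLS1_1 and SSLVERSION_TLS1_2 still exist (they are defined unconditionally in contest.h) but have no case here, so such a value silently reaches `default:` and gets `SSL_CTX_new(SSLv23_client_method())`, i.e. an unconstrained negotiation that may settle on TLSv1 or SSLv3 even though the configuration asked for TLS 1.1 or 1.2 only. Add an `#else` branch for those two cases that leaves `item->sslctx` NULL and reports the unsupported request, so the test fails loudly instead of passing on a weaker protocol.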
Index: xymonnet/contest.h
===================================================================
--- xymonnet/contest.h	(revision 7627)
+++ xymonnet/contest.h	(working copy)
@@ -60,6 +60,8 @@
 #define SSLVERSION_V2      1
 #define SSLVERSION_V3      2
 #define SSLVERSION_TLS1    3
+#define SSLVERSION_TLS1_1  4 
+#define SSLVERSION_TLS1_2  5
 
 typedef struct {
 	char *cipherlist;
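Review bot: trailing whitespace after `#define SSLVERSION_TLS1_1  4 `. Keeping both constants unconditional (outside the OpenSSL version guard) is the right choice, since it lets the dispatch in contest.c detect and report a request that the linked OpenSSL cannot honour; a short comment saying so would stop someone from "tidying" them under the same `#if` later.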
Index: xymonnet/httptest.c
===================================================================
--- xymonnet/httptest.c	(revision 7627)
+++ xymonnet/httptest.c	(working copy)
@@ -487,6 +487,11 @@
 		if      (strstr(httptest->weburl.desturl->schemeopts, "3"))      sslopt_version = SSLVERSION_V3;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "2"))      sslopt_version = SSLVERSION_V2;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "t"))      sslopt_version = SSLVERSION_TLS1;
+/* TLS 1.1 and 1.2 require OpenSSL 1.0.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_1"))   sslopt_version = SSLVERSION_TLS1_1;
+		else if (strstr(httptest->weburl.desturl->schemeopts, "t1_2"))   sslopt_version = SSLVERSION_TLS1_2;
+#endif
 
 		if      (strstr(httptest->weburl.desturl->schemeopts, "h"))      sslopt_ciphers = ciphershigh;
 		else if (strstr(httptest->weburl.desturl->schemeopts, "m"))      sslopt_ciphers = ciphersmedium;
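Review bot: the two new branches are unreachable because of the ordering of the `strstr()` chain: `strstr(..., "2")` is tested before "t1_2" and matches it (giving SSLVERSION_V2), and `strstr(..., "t")` is tested before "t1_1" and matches it (giving SSLVERSION_TLS1). Test the longer tokens first, i.e. move the "t1_1"/"t1_2" checks above the existing "3"/"2"/"t" checks, or, since schemeopts are designed as mixable single letters (httpstm), pick single letters for the new versions. This is the "not working correctly" behaviour reported later in the thread.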
list Mark Felder · Tue, 14 Apr 2015 10:00:06 -0500 ·
quoted from Gab Dito

On Tue, Apr 14, 2015, at 09:01, Dito wrote:
That's exactly what we did: disabled TLS1.0 as well, and SSL. HTTPST is only TLS1.0.
We'll disable TLS1.1 soon as well... in the name of security :)

I am thinking maybe an OpenSSL script could work in the meanwhile, instead
of breaking things...

I enabled SSL cipher logging in my nginx webserver. It does appear to
use the best cipher available by default (TLS 1.2). I now strongly
suspect the OpenSSL on your Xymon server doesn't speak TLS 1.1 or 1.2.
Can you provide the OpenSSL version?

example:

% openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015
list Mark Felder · Tue, 14 Apr 2015 10:27:45 -0500 ·
quoted from Mark Felder

On Tue, Apr 14, 2015, at 09:11, Mark Felder wrote:
On Tue, Apr 14, 2015 at 07:50:32AM -0500, Mark Felder wrote:
On Tue, Apr 14, 2015, at 06:47, Dito wrote:
I saw a post back where someone suggested using "httpst://url" but that is
not working either.
I am running build .17, not sure if upgrading to .18 or .19 will work;
I'll read the notes.
Is there another way to fix?
From hosts.cfg man page:
* "t",  e.g. httpst://www.sample.com/ : use only TLSv1
Looks like we need to patch xymonnet to let us specify TLS 1.1 and 1.2
Please see the attached patch. I can successfully build on FreeBSD 8.4
and 9.3 which use OpenSSL versions that don't support TLS 1.1 and 1.2,
so I'm certain I have not broken that functionality.

Considering how simple this patch is, I expect it to work reliably.
Using this patch you should be able to specify httpst1_1:// and
httpst1_2:// to get TLS 1.1 and 1.2
It seems that to allow mixing of schemeopts they are intended to be
single characters. My new schemeopts of "t1_1" and "t1_2" are not
working correctly. If I simply change them to "x" and "y" they work
successfully.

I'm not sure what to do here; TLS 1.3 is on the horizon and we certainly
will have more protocols in the future. I could also enable DTLS as easy
as TLS 1.1 and TLS 1.2, but that's not in large demand...

I will wait for JC to chime in. With that simple modification my patch
will work if someone really needs to force a TLS version.
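The "t1_1"/"t1_2" problem described in the message above comes from the order of the strstr() checks in the patch: "2" is tested before "t1_2" and "t" before "t1_1", so the longer tokens never win. The following is an added example, not Xymon code and not the patch, that reproduces the patch's dispatch and then shows a longest-token-first scanner that keeps multi-character version tokens mixable with the single-letter cipher options. The SSLVERSION_* values match contest.h plus the patch; the token table, the struct and the function names are this example's own assumptions.

```c
/*
 * Added example (not Xymon code): parsing the scheme options that sit
 * between "https" and "://" in a hosts.cfg URL, e.g. "httpst1_2m://host/"
 * yields the options "t1_2m".
 */
#include <stdio.h>
#include <string.h>

#define SSLVERSION_DEFAULT 0   /* SSLv23_client_method(): negotiate */
#define SSLVERSION_V2      1
#define SSLVERSION_V3      2
#define SSLVERSION_TLS1    3
#define SSLVERSION_TLS1_1  4
#define SSLVERSION_TLS1_2  5

struct sslopts {
    int version;   /* SSLVERSION_* */
    char ciphers;  /* 0, 'm' (128-bit only) or 'h' (>128-bit only) */
    int unknown;   /* characters that matched no token */
};

/* Token table (this example's own). Longest token first, so that "t1_2"
 * is never read as "t" or "2". */
static const struct { const char *tok; int version; char ciphers; } tokens[] = {
    { "t1_2", SSLVERSION_TLS1_2, 0 },
    { "t1_1", SSLVERSION_TLS1_1, 0 },
    { "3",    SSLVERSION_V3,     0 },
    { "2",    SSLVERSION_V2,     0 },
    { "t",    SSLVERSION_TLS1,   0 },
    { "m",    0,                 'm' },
    { "h",    0,                 'h' },
};

/* The patch's strstr() chain in the patch's order: "2" and "t" are tested
 * before the four-character tokens, so the two new branches never fire. */
int parse_schemeopts_patch_order(const char *opts)
{
    int v = SSLVERSION_DEFAULT;
    if      (strstr(opts, "3"))    v = SSLVERSION_V3;
    else if (strstr(opts, "2"))    v = SSLVERSION_V2;
    else if (strstr(opts, "t"))    v = SSLVERSION_TLS1;
    else if (strstr(opts, "t1_1")) v = SSLVERSION_TLS1_1;
    else if (strstr(opts, "t1_2")) v = SSLVERSION_TLS1_2;
    return v;
}

/* Consume the options left to right, taking the longest matching token at
 * each position, so version and cipher letters can still be combined. */
struct sslopts parse_schemeopts(const char *opts)
{
    struct sslopts r = { SSLVERSION_DEFAULT, 0, 0 };
    size_t i = 0, n = strlen(opts), k, ntok = sizeof tokens / sizeof tokens[0];

    while (i < n) {
        size_t len = 0;
        for (k = 0; k < ntok; k++) {
            len = strlen(tokens[k].tok);
            if (strncmp(opts + i, tokens[k].tok, len) == 0) {
                if (tokens[k].version) r.version = tokens[k].version;
                if (tokens[k].ciphers) r.ciphers = tokens[k].ciphers;
                break;
            }
            len = 0;
        }
        if (len == 0) { r.unknown++; len = 1; }  /* skip an unknown letter */
        i += len;
    }
    return r;
}

/* Version requested by a full hosts.cfg URL; -1 if it is not an https URL
 * or contains an option letter the table does not know. */
int version_from_url(const char *url)
{
    const char *start, *sep;
    char opts[32];
    struct sslopts r;

    if (strncmp(url, "https", 5) != 0) return -1;
    start = url + 5;
    sep = strstr(start, "://");
    if (sep == NULL || (size_t)(sep - start) >= sizeof opts) return -1;
    memcpy(opts, start, (size_t)(sep - start));
    opts[sep - start] = '\0';
    r = parse_schemeopts(opts);
    return r.unknown ? -1 : r.version;
}

int main(void)
{
    const char *opts[] = { "", "t", "t1_1", "t1_2", "t1_2m" };
    size_t i;
    for (i = 0; i < sizeof opts / sizeof opts[0]; i++)
        printf("opts \"%-5s\"  patch order: %d  longest-first: %d\n", opts[i],
               parse_schemeopts_patch_order(opts[i]), parse_schemeopts(opts[i]).version);
    printf("httpst1_2m://www.sample.com/ -> version %d\n",
           version_from_url("httpst1_2m://www.sample.com/"));
    return 0;
}
```

With the patch's order, "t1_1" comes out as SSLVERSION_TLS1 and "t1_2" as SSLVERSION_V2, which is exactly the silent failure reported above; the table-driven scanner returns 4 and 5 and still accepts "t1_2m".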
list Gab Dito · Tue, 14 Apr 2015 11:41:15 -0400 ·
oh, I run yum update all the time, and openssl is still 0.9.8e-33.el5_11
quoted from Mark Felder


Gab

On Tue, Apr 14, 2015 at 11:00 AM, Mark Felder <user-db141d317836@xymon.invalid> wrote:
On Tue, Apr 14, 2015, at 09:01, Dito wrote:
That's exactly what we did: disabled TLS1.0 as well, and SSL. HTTPST is only TLS1.0.
We'll disable TLS1.1 soon as well... in the name of security :)

I am thinking maybe an OpenSSL script could work in the meanwhile, instead
of breaking things...

I enabled SSL cipher logging in my nginx webserver. It does appear to
use the best cipher available by default (TLS 1.2). I now strongly
suspect the OpenSSL on your Xymon server doesn't speak TLS 1.1 or 1.2.
Can you provide the OpenSSL version?

example:

% openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015

list Mark Felder · Tue, 14 Apr 2015 10:43:25 -0500 ·
quoted from Gab Dito

On Tue, Apr 14, 2015, at 10:41, Dito wrote:
oh, I run yum update all the time, and openssl is still 0.9.8e-33.el5_11
OpenSSL 0.9.8 doesn't know anything about TLS 1.1 and 1.2. You need a
minimum of OpenSSL 1.0.1.
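The patch guards the new TLS methods with `#if OPENSSL_VERSION_NUMBER >= 0x1000100fL`, and the messages above compare that threshold against what `openssl version` prints. The following is an added example, not Xymon or OpenSSL code, that converts such a banner into the MNNFFPPS number OpenSSL 0.9.x/1.x exposes as OPENSSL_VERSION_NUMBER and compares it with the same 1.0.1 threshold; the banners are the ones quoted in this thread, and the function names are this example's own. OpenSSL 3.x changed the encoding, so the comparison is only meaningful for 0.9.x and 1.x banners.

```c
/*
 * Added example (not Xymon or OpenSSL code): "OpenSSL 0.9.8e-33.el5_11"
 * -> 0x0090805f, "OpenSSL 1.0.1l-freebsd 15 Jan 2015" -> 0x100010cf, then
 * compared with the 0x1000100f (1.0.1) guard used in the patch.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPENSSL_MIN_FOR_TLS12 0x1000100fUL   /* same threshold as the patch */

/* Encode major.minor.fix[patchletter] as MNNFFPPS with status nibble 0xf
 * (release). Returns 0 when the banner cannot be parsed or a field does
 * not fit its nibbles. */
unsigned long openssl_version_number(const char *banner)
{
    const char *p = banner;
    char *end;
    unsigned long major, minor, fix, patch = 0;

    if (strncmp(p, "OpenSSL ", 8) == 0) p += 8;
    major = strtoul(p, &end, 10); if (end == p || *end != '.') return 0; p = end + 1;
    minor = strtoul(p, &end, 10); if (end == p || *end != '.') return 0; p = end + 1;
    fix   = strtoul(p, &end, 10); if (end == p) return 0; p = end;
    /* patch letter: 'a' -> 1, 'e' -> 5, 'l' -> 12; absent for x.y.z releases */
    if (islower((unsigned char)*p)) patch = (unsigned long)(*p - 'a' + 1);
    if (major > 0xf || minor > 0xff || fix > 0xff || patch > 0xff) return 0;
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xf;
}

/* 1 if the library is new enough for TLSv1_1_client_method() and
 * TLSv1_2_client_method(), 0 if it is too old or the banner is unreadable. */
int openssl_supports_tls12(const char *banner)
{
    unsigned long v = openssl_version_number(banner);
    return v != 0 && v >= OPENSSL_MIN_FOR_TLS12;
}

int main(void)
{
    /* banners quoted in this thread */
    const char *banners[] = {
        "OpenSSL 0.9.8e-33.el5_11",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1l-freebsd 15 Jan 2015",
    };
    size_t i;
    for (i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-36s -> 0x%08lx  TLS 1.1/1.2: %s\n", banners[i],
               openssl_version_number(banners[i]),
               openssl_supports_tls12(banners[i]) ? "yes" : "no");
    return 0;
}
```

This mirrors the compile-time guard for the library that `openssl version` reports; the library xymonnet actually uses is the one it is linked against, so on a host with more than one OpenSSL installed (the situation the next message warns about) check the binary itself, for example with `ldd xymonnet`, rather than trusting the banner of whichever `openssl` is first in PATH.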
list Gab Dito · Tue, 14 Apr 2015 11:51:29 -0400 ·
yeah I didn't realize I was that behind, I took over this box and it's
Centos 5.11
I have 2 more versions to upgrade
quoted from Mark Felder


Gab

On Tue, Apr 14, 2015 at 11:43 AM, Mark Felder <user-db141d317836@xymon.invalid> wrote:
On Tue, Apr 14, 2015, at 10:41, Dito wrote:
oh, I run yum update all the time, and openssl is still 0.9.8e-33.el5_11
OpenSSL 0.9.8 doesn't know anything about TLS 1.1 and 1.2. You need a
minimum of OpenSSL 1.0.1.
list Mark Felder · Tue, 14 Apr 2015 10:55:03 -0500 ·
quoted from Gab Dito

On Tue, Apr 14, 2015, at 10:51, Dito wrote:
yeah I didn't realize I was that behind, I took over this box and it's
Centos 5.11
I have 2 more versions to upgrade
I'm not certain CentOS 5.x has a new enough OpenSSL available. It
appears CentOS 6.6 may be sufficient:

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)

I would also advise you to be very careful if you consider manually
adding OpenSSL 1.0.1+ to your system to solve this. Multiple OpenSSL
versions on an OS is very problematic; things will either start breaking
silently or very loudly.