Xymon Mailing List Archive

Advice for installing Xymon server supporting TLS 1.2

3 messages in this thread

Ian Burrowes · Thu, 24 Mar 2016 16:17:40 +1100
Hi All,

I have an older Xymon server (4.3.9) that I am replacing / upgrading to the
current version (4.3.26).  What I absolutely require from my new build is
HTTPS check compatibility with websites that only accept modern security
protocols like TLS, i.e. not SSL2 or SSL3, that are no longer safe to use.

My existing Xymon server can't connect to some of our more secure websites
that only use TLS 1.1+ or require SNI support.  I have been practising my
new Xymon build in a virtual environment on CentOS 7.2 but have not been
able to get it into a state that can connect to all our more secure
websites, usually getting 'SSL Error' on the HTTP check.  (error also
replicated with wget)

I know this is related to the version of OpenSSL installed on the system.
I think I want the newest version available!

I have tried using both the Terabithia Xymon package and compiling myself.
I have also tried to install or upgrade a newer version of OpenSSL either
before or after installing xymon.  (Often when I update, the version of
OpenSSL will revert to an older version when I do a 'yum update').

I have searched the mailing list and found others with related issues, but
rather than ask for specific troubleshooting steps, I wonder if anyone
could provide general advice in terms of the order of installing components
when setting up a fresh Xymon server for it to hopefully use the most
recent version of OpenSSL available and be able to be updated with yum in
future?

Kind Regards,

Ian
David Baldwin · Thu, 24 Mar 2016 17:12:06 +1100
Ian,

I feel your pain. SSL/TLS issues have become a major thorn in the side
in the past few years, as well as updating recalcitrant services that use
out of date protocols and/or poor cipher choices. It's a seriously fast
moving target :(

My thoughts are that the best option is to write a custom test using
testssl.sh - https://testssl.sh

This tool comes with its own statically linked version of openssl with
all known ciphers supported.
Its tests are very comprehensive and can be used for almost any server
using SSL/TLS including many starttls protocols.
It already does some colour coding - and the print functions that do the
colouring are neatly grouped - wouldn't be a big stretch to add some
logic to maintain an overall status and collect major warnings to
highlight at the top of the message, then wrap the output as a status
message to deliver to your xymon server.

It's just waiting for a bash scripter to give it a bit of hacking. A
test you'd only need to run every hour at most, because it takes a while
to run and the target doesn't change quickly - more to pick up on dodgy
changes possibly made in error.

I understand that it's still important to get the in-built https tests
working for checking site reachability, and that's as much an issue with
the openssl version installed, which in turn depends on the underlying
distro and version. I have a 4.3.19 server on Centos 6 that works just
fine for TLS1.2 and SNI, but my older Centos 5 server would be too much
of an issue to get working. Easier to off-load the xymonnet processing
to a satellite server that is capable of running the tests and leave it
there. There were also some recent SSL patches relating to negotiating
around versions of openssl with SSLv2 removed, etc.

David.
-- 

David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission          http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid          1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
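One way to do what David describes, as an added example that is neither code from this thread nor part of the testssl.sh project: a bash wrapper that rates testssl.sh-style output, collects the flagged lines at the top, and formats the result as a Xymon status message. The `(OK)` / `(NOT ok)` verdict markers are approximations of testssl.sh's output, the sample report is constructed, and the `tls` test name and function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: wrap testssl.sh-style output into a Xymon status message.
# Assumption: each protocol/cipher line carries a verdict such as "(OK)" or
# "(NOT ok)", roughly as testssl.sh prints; the exact wording is constructed.

# Xymon colour for a report: red if anything is flagged NOT ok, yellow if a
# line only carries a deprecated/weak/warning marker, green otherwise.
rate_tls_report() {
    local report="$1"
    if printf '%s\n' "$report" | grep -q '(NOT ok)'; then
        echo red
    elif printf '%s\n' "$report" | grep -Eqi 'deprecated|weak|WARN'; then
        echo yellow
    else
        echo green
    fi
}

# The flagged lines only, so they can be highlighted at the top of the message.
tls_warnings() {
    printf '%s\n' "$1" | grep -E '\(NOT ok\)|deprecated|weak|WARN' || true
}

# Build the "status HOST.TEST COLOUR ..." message xymon(1) expects. Xymon
# writes dots in hostnames as commas in status messages, hence the tr.
build_status() {
    local host="$1" report="$2" colour warnings xyhost
    colour=$(rate_tls_report "$report")
    warnings=$(tls_warnings "$report")
    xyhost=$(printf '%s' "$host" | tr '.' ',')
    printf 'status %s.tls %s TLS protocol check for %s\n' "$xyhost" "$colour" "$host"
    if [ -n "$warnings" ]; then
        printf '\nFlagged items:\n%s\n' "$warnings"
    fi
    printf '\nFull report:\n%s\n' "$report"
}

# Constructed sample standing in for the output of: testssl.sh --quiet https://www.example.com
SAMPLE_REPORT='SSLv2      not offered (OK)
SSLv3      offered (NOT ok)
TLS 1      offered (deprecated)
TLS 1.1    offered
TLS 1.2    offered (OK)'

# Delivery from a Xymon client extension ("@" makes xymon read the message from stdin);
# left commented out so the example runs offline:
# build_status www.example.com "$(testssl.sh --quiet https://www.example.com)" | "$XYMON" "$XYMSRV" @
```

As David notes, a run like this takes a while, so it belongs in a client extension scheduled hourly at most rather than in the regular xymonnet cycle.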
Helge Jacobsen · Thu, 24 Mar 2016 07:19:28 +0000
Hi David, hi Ian,

that's an interesting-looking script. I will try it after my vacation.
But maybe someone else is faster ☺

regards
Helge