SSL checks no longer working on 4.3.26?
list Jason Chambers
Hi All, I just did an upgrade from 4.3.21 to 4.3.26 and all of a sudden all of my SSL checks stopped working even though I configured the Makefile to use SSL. Is there a change that I'm unaware of that I need to make? I have reverted back to 4.3.21 for now. Jason Chambers Network Administrator | Geosoft geosoft.com<http://www.geosoft.com/>; | blog<http://blogs.geosoft.com/>; | twitter<http://twitter.com/geosoft>; | linkedIn<http://www.linkedin.com/company/geosoft-inc.>; | facebook<http://www.facebook.com/GeosoftInc>; | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX
list Japheth Cleaver
▸
On Wed, February 24, 2016 6:46 am, Jason Chambers wrote:
Hi All, I just did an upgrade from 4.3.21 to 4.3.26 and all of a sudden all of my SSL checks stopped working even though I configured the Makefile to use SSL. Is there a change that I'm unaware of that I need to make? I have reverted back to 4.3.21 for now.
Hi Jason,
There were some SSL certificate parsing fixes in 4.3.25, and a few
alterations in 4.3.22 to bring in additional certificate details, but
nothing that should have broken all SSL testing, nor any real changes in
the build process that I recall.
Are the tests reporting 'red' now, or simply 'purple' (not reporting at all)?
Can you provide the system you're building on, and the config output? If
it's built properly, xymonnet should indicate the OpenSSL version it's
using near the top of its own test results. e.g.:
xymonnet version 4.3.26
SSL library : OpenSSL 1.0.1e 11 Feb 2013
LDAP library: OpenLDAP 20440
-jc
list Jason Chambers
Ahh, maybe that's it. All the HTTPS checks went to red stating Forbidden. I guess it's actually parsing the state of the HTTP and not just checking if the port is alive? Is there tag I can use that would do the old method and just tell me if the port is up and responding, and not the HTTP response codes? Jason Chambers Network Administrator | Geosoft geosoft.com | blog | twitter | linkedIn | facebook | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX
▸
-----Original Message-----
From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid]
Sent: February 24, 2016 11:09 AM
To: Jason Chambers <user-3fa671c0a30d@xymon.invalid>
Cc: Xymon Mailing List <xymon at xymon.com>
Subject: Re: SSL checks no longer working on 4.3.26?
On Wed, February 24, 2016 6:46 am, Jason Chambers wrote:Hi All, I just did an upgrade from 4.3.21 to 4.3.26 and all of a sudden all of my SSL checks stopped working even though I configured the Makefile to use SSL. Is there a change that I'm unaware of that I need to make? I have reverted back to 4.3.21 for now.
Hi Jason, There were some SSL certificate parsing fixes in 4.3.25, and a few alterations in 4.3.22 to bring in additional certificate details, but nothing that should have broken all SSL testing, nor any real changes in the build process that I recall. Are the tests reporting 'red' now, or simply 'purple' (not reporting at all)? Can you provide the system you're building on, and the config output? If it's built properly, xymonnet should indicate the OpenSSL version it's using near the top of its own test results. e.g.: xymonnet version 4.3.26 SSL library : OpenSSL 1.0.1e 11 Feb 2013 LDAP library: OpenLDAP 20440 -jc
list Japheth Cleaver
Hi Josh, Gotcha. Yes, as of Xymon 4.3.22 401's and 403's (all 4xx, really) are considered alert states instead of green. Explicitly allowing them (or taking a '301' from warning back to green) can be done, but it's not a globally available option yet. To change a specific test, use the 'httpstatus' prefix to the regular HTTP(s) check: 192.168.0.0 foobar.com # https://secure.example.com/ 192.168.0.0 foobar.com # httpstatus;https://secure.example.com/;403; cf. https://xymon.com/help/manpages/man5/hosts.cfg.5.html#lbAR HTH, -jc
▸
On Wed, February 24, 2016 8:11 am, Jason Chambers wrote:Ahh, maybe that's it. All the HTTPS checks went to red stating Forbidden. I guess it's actually parsing the state of the HTTP and not just checking if the port is alive? Is there tag I can use that would do the old method and just tell me if the port is up and responding, and not the HTTP response codes? Jason Chambers Network Administrator | Geosoft geosoft.com | blog | twitter | linkedIn | facebook | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX -----Original Message----- From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid] Sent: February 24, 2016 11:09 AM To: Jason Chambers <user-3fa671c0a30d@xymon.invalid> Cc: Xymon Mailing List <xymon at xymon.com> Subject: Re: SSL checks no longer working on 4.3.26? On Wed, February 24, 2016 6:46 am, Jason Chambers wrote:Hi All, I just did an upgrade from 4.3.21 to 4.3.26 and all of a sudden all of my SSL checks stopped working even though I configured the Makefile to use SSL. Is there a change that I'm unaware of that I need to make? I have reverted back to 4.3.21 for now.Hi Jason, There were some SSL certificate parsing fixes in 4.3.25, and a few alterations in 4.3.22 to bring in additional certificate details, but nothing that should have broken all SSL testing, nor any real changes in the build process that I recall. Are the tests reporting 'red' now, or simply 'purple' (not reporting at all)? Can you provide the system you're building on, and the config output? If it's built properly, xymonnet should indicate the OpenSSL version it's using near the top of its own test results. e.g.: xymonnet version 4.3.26 SSL library : OpenSSL 1.0.1e 11 Feb 2013 LDAP library: OpenLDAP 20440 -jc
list Japheth Cleaver
And that was definitely for Jason, not Josh... My apologies :) -jc (Need more coffee)
▸
On Wed, February 24, 2016 8:22 am, J.C. Cleaver wrote:Hi Josh, Gotcha. Yes, as of Xymon 4.3.22 401's and 403's (all 4xx, really) are considered alert states instead of green. Explicitly allowing them (or taking a '301' from warning back to green) can be done, but it's not a globally available option yet. To change a specific test, use the 'httpstatus' prefix to the regular HTTP(s) check: 192.168.0.0 foobar.com # https://secure.example.com/ 192.168.0.0 foobar.com # httpstatus;https://secure.example.com/;403; cf. https://xymon.com/help/manpages/man5/hosts.cfg.5.html#lbAR HTH, -jc On Wed, February 24, 2016 8:11 am, Jason Chambers wrote:Ahh, maybe that's it. All the HTTPS checks went to red stating Forbidden. I guess it's actually parsing the state of the HTTP and not just checking if the port is alive? Is there tag I can use that would do the old method and just tell me if the port is up and responding, and not the HTTP response codes? Jason Chambers Network Administrator | Geosoft geosoft.com | blog | twitter | linkedIn | facebook | T +X XXX.XXX.XXXX #344 | M +X XXX.XXX.XXXX -----Original Message----- From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid] Sent: February 24, 2016 11:09 AM To: Jason Chambers <user-3fa671c0a30d@xymon.invalid> Cc: Xymon Mailing List <xymon at xymon.com> Subject: Re: SSL checks no longer working on 4.3.26? On Wed, February 24, 2016 6:46 am, Jason Chambers wrote:Hi All, I just did an upgrade from 4.3.21 to 4.3.26 and all of a sudden all of my SSL checks stopped working even though I configured the Makefile to use SSL. Is there a change that I'm unaware of that I need to make? I have reverted back to 4.3.21 for now.Hi Jason, There were some SSL certificate parsing fixes in 4.3.25, and a few alterations in 4.3.22 to bring in additional certificate details, but nothing that should have broken all SSL testing, nor any real changes in the build process that I recall. Are the tests reporting 'red' now, or simply 'purple' (not reporting at all)? Can you provide the system you're building on, and the config output? If it's built properly, xymonnet should indicate the OpenSSL version it's using near the top of its own test results. e.g.: xymonnet version 4.3.26 SSL library : OpenSSL 1.0.1e 11 Feb 2013 LDAP library: OpenLDAP 20440 -jc