monitoring websites behind cloudflare?
list Matthew Goebel
Hello,

We are running xymon 4.3.29 on sles 12 and trying to monitor a website that is behind cloudflare but I cannot find a combo of https flags in hosts.cfg that will connect to cloudflare. Has anyone else had this issue and come up with a solution? I have literally tried every reasonable combo...

"Unspecified SSL error in SSL_con"..., 153Unspecified SSL error in SSL_connect to https (47873/tcp) on host 104.18.5.68: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Thanks,
Matt

--
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
list Bruce Ferrell
Matt,

Just for giggles I did a manual test using openssl:

openssl s_client -connect 104.18.5.68:443

With the following results:

CONNECTED(00000003)
140619981215560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

This means that the IP address isn't serving SSL

One I know is serving SSL:

openssl s_client -connect 50.196.187.248:443

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = baywinds.org
verify return:1
---
Certificate chain
 0 s:/CN=baywinds.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<cert info>
-----END CERTIFICATE-----
subject=/CN=baywinds.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3233 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 338A6AA8E41A643BD51B57CB6BF55A9619110159A3390AD761C3E4AB1853437E
    Session-ID-ctx:
    Master-Key: 13BD58F4497A226F3B3713569D39CD38F2445C98E6D91D866BD8AB99CABBAF1D93599AB5CF5150FC2DE4CFDC6E99FADC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: blah blah blah .......

Bottom line, that IP address isn't serving HTTPS

On 3/3/20 10:05 AM, Matthew Goebel wrote:
> We are running xymon 4.3.29 on sles 12 and trying to monitor a website that is behind cloudflare but I cannot find a combo of https flags in hosts.cfg that will connect to cloudflare.
> [...]
list Matthew Goebel
Nice. I have figured out in the last hour or so that adding sni to the two entries in my hosts.cfg file seems to fix this issue, and I had never noticed the sni option before. Did not have to change the ip?

Thanks,
Matt

On Tue, Mar 3, 2020 at 4:46 PM Bruce Ferrell <user-24fbf1912cfe@xymon.invalid> wrote:
> Matt, Just for giggles I did a manual test using openssl:
> [...]
> Bottom line, that IP address isn't serving HTTPS

--
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
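
The fix reported in this thread was the sni option in hosts.cfg. As an added illustration (not part of the original thread and not Xymon code), the Python below builds a TLS ClientHello in memory with and without a server name and parses out the server_name extension, which is what that option adds to the handshake seen by a name-based front end such as Cloudflare. The host name www.example.com and the helper names are assumptions made for the example.

```python
import ssl

def client_hello(server_hostname):
    """Return the first TLS record a client would send; no network I/O happens."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Needed only so server_hostname=None is accepted; nothing is connected here.
    ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for the server
    return outgoing.read()

def u16(buf, pos):
    """Read a big-endian 16-bit length or type field."""
    return int.from_bytes(buf[pos:pos + 2], "big")

def sni_from_client_hello(record):
    """Return the host_name in the server_name extension, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[5:5 + u16(record, 3)]
    pos = 4 + 2 + 32                    # handshake header, version, random
    pos += 1 + body[pos]                # session_id
    pos += 2 + u16(body, pos)           # cipher_suites
    pos += 1 + body[pos]                # compression_methods
    if pos + 2 > len(body):
        return None                     # ClientHello without extensions
    end = min(pos + 2 + u16(body, pos), len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
        pos += 4
        if ext_type == 0 and ext_len >= 5 and body[pos + 2] == 0:
            # server_name: list length (2), name_type 0 = host_name, length (2), name
            name_len = u16(body, pos + 3)
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    # "www.example.com" is a constructed placeholder, not the site from the thread.
    for name in ("www.example.com", None):
        print(repr(name), "->", repr(sni_from_client_hello(client_hello(name))))
```

With openssl s_client the same extension is sent by passing -servername followed by the site's host name.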