ftps tests
Galen Johnson
Hey, I need to test FTPS on a server but the test keeps complaining that it isn't getting the expected response. The vsftpd server is NOT running implicit ftps so there is nothing listening on port 990. I've tested using curl so I know STARTTLS is working over port 21. I've tried adding the following to my host entry: ftps:21:s but it still comes up yellow (log is less than helpful "Service ftps on ftphost1 is not OK : Unexpected service response?"). Has anyone else been able to test ftps with tls over port 21 using xymon? What am I missing? thanks =G=
Japheth Cleaver
"ftps" with STARTTLS isn't natively supported by xymonnet, so it's not going to be seen as intended. Only the SSL-wrapped version of any of the simple TCP services are. Regards, -jc
Galen Johnson
oh...well I guess that would explain it :-). It seems like it would be a useful function since starttls is a common implementation for various services (like ldaps...I would hope it handles that). thanks =G=
Jeremy Laidman
I agree that this would be useful. However it's probably not trivial to implement. Each protocol (FTP, LDAP, SMTP, etc) has its own dialogue to go through before the STARTTLS command can be issued, as well as negotiations to determine whether STARTTLS is supported, and how to handle in the negative. These protocols don't even use the same command (POP uses "STLS", for example).
Galen Johnson
Actually, it may not be as bad as all that. openssl already supports this. Not 100% sure but I thought Xymon leveraged that for the ssl connections. I'm looking at https://www.madboa.com/geek/openssl/. The syntax is not exactly correct there but I'm currently trying to amend it. Looking at https://www.openssl.org/docs/manmaster/apps/s_client.html, the openssl s_client supports starttls for ftp (Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", and "irc.") =G=
Galen Johnson
Well, I was able to get it to connect using openssl s_client -starttls ftp -crlf -connect remote.host:21
This dumps the cert as expected... It should work the same as ftp/ftpd only using implicit ftps. That said, I would have thought ftps would have worked but I expect under the covers xymonnet is just doing something different. I doubt adding the following stanza would help:
[ftpstls]
send "quit\r\n"
expect "220"
options ssl,banner
port 21
Any thoughts on how we might be able to integrate this?
=G=
Galen Johnson
Actually, this would make more sense:
[ftps-implicit]
send "quit\r\n"
expect "220"
options ssl,banner
port 21
[ftps|ftps-explicit]
send "quit\r\n"
expect "220"
options ssl,banner
port 990
=G=
John Thurston
We pull the cert from our ftps servers with an EXT script we created back in Big Brother days (before cert expiration checking was native in bb/xymonnet). Our script uses openssl s_client and option-in "-starttls ftp" when we ask for certs from a predefined list of ports.
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
Galen Johnson
It would be easy to write a script to capture this but it would be better if Xymon were able to do this since it already manages these basic services through explicit ssl. I poked a bit in the code but I don't see where it's really trying to manage this. While I am not strong in the ways of C, I'd be willing to see if it's within my limited capabilities to extend what is already there. It's essentially the same test just with different options since xymonnet is already using the openssl libs (I'm sure I'm oversimplifying).
=G=
Henrik Størner
Hi,
On 18-12-2015 at 19:03, Galen Johnson wrote:
Actually, it may not be as bad as all that. openssl already supports this. Not 100% sure but I thought Xymon leveraged that for the ssl connections. I'm looking at https://www.madboa.com/geek/openssl/. The syntax is not exactly correct there but I'm currently trying to amend it. Looking at https://www.openssl.org/docs/manmaster/apps/s_client.html, the openssl s_client supports starttls for ftp (/Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", and "irc."/)
The various starttls methods in openssl are implemented in the s_client application, not as part of the openssl library. So it isn't something that can be pulled into Xymon easily.
The xymonnet program really does not allow for the multiple exchanges of commands/responses that are required for supporting starttls mechanisms (in ftp, it is actually an "AUTH TLS" command that xymonnet must send after seeing the server banner). Xymonnet really only supports sending one command and then listening for a simple response.
You can do it with the new net-code which is in the Xymon source-tree right now. The protocols2.cfg stanza would look like this:
[ftps]
port 21
expect:220
send:AUTH TLS\r\n
expect:234
starttls
send:PBSZ 0\r\n
expect:200
send:PROT P\r\n
expect:200
close
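The same AUTH TLS exchange, as an added example that is not Xymon's code: a small Python checker that mirrors the stanza above step for step, with a real socket transport and a scripted offline transport whose reply codes are constructed. The names SocketTransport, ScriptedTransport and check_explicit_ftps are my own, not anything in xymonnet.

```python
import socket
import ssl
# Explicit-FTPS dialogue from the protocols2.cfg stanza: banner 220, AUTH TLS -> 234,
# TLS handshake (the None step), PBSZ 0 -> 200, PROT P -> 200, then close.
STEPS = [("AUTH TLS", "234"), (None, None), ("PBSZ 0", "200"), ("PROT P", "200")]

class SocketTransport:  # real transport: a TCP socket that can be wrapped in TLS
    def __init__(self, host, port=21, timeout=10):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.ctx = ssl.create_default_context()  # verifies chain and hostname
    def send_line(self, line): self.sock.sendall((line + "\r\n").encode())
    def recv_code(self):  # one reply line -> its 3-digit code (single-line replies assumed)
        reply = b""
        while not reply.endswith(b"\r\n"):
            chunk = self.sock.recv(1024)
            if not chunk:
                raise ConnectionError("server closed the connection")
            reply += chunk
        return reply.decode(errors="replace")[:3]
    def starttls(self): self.sock = self.ctx.wrap_socket(self.sock, server_hostname=self.host)
    def close(self): self.sock.close()

class ScriptedTransport:  # offline stand-in fed with constructed reply codes (hypothetical)
    def __init__(self, codes):
        self.codes, self.sent, self.tls = list(codes), [], False
    def send_line(self, line): self.sent.append(line)
    def recv_code(self): return self.codes.pop(0)
    def starttls(self): self.tls = True
    def close(self): pass

def check_explicit_ftps(t):  # drive the AUTH TLS exchange over t; return (ok, detail)
    try:
        code = t.recv_code()
        if code != "220":
            return False, "unexpected banner " + code
        for cmd, want in STEPS:
            if cmd is None:
                t.starttls()  # TLS handshake; a failed handshake raises
                continue
            t.send_line(cmd)
            code = t.recv_code()
            if code != want:
                return False, cmd + " answered " + code + ", expected " + want
        t.send_line("QUIT")  # polite close; the stanza simply closes
        return True, "AUTH TLS negotiated"
    except (OSError, ssl.SSLError, IndexError) as e:
        return False, repr(e)  # IndexError: scripted server ran out of replies
    finally:
        t.close()
```

Against a live host use check_explicit_ftps(SocketTransport("remote.host")); the scripted transport lets the dialogue be exercised without a server.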
Regards,
Henrik