Xymon Mailing List Archive search

Monitoring websites using TLS1.3

4 messages in this thread

list Martin Davies · Wed, 25 Mar 2020 12:16:38 -0000 ·
I'm trying to monitor a website that is operated on part of Cloudflare's
setup and I am failing to get a positive result.  The website uses TLS1.3
and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon
version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.

 
I'm monitoring the server using the hosts.cfg entry:

0.0.0.0     Website    # noconn nosslcert https3://www.website.com/

 
I've tried other httpsX variants and no joy.  The result I get from the
website test is the rather sparse "- SSL error"

 
Digging into Xymonnet gives a more cryptic 
 
Unspecified SSL error in SSL_connect to https (47873/tcp) on host
xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure
 
I'm assuming the issue is around the version of OpenSSL, as the OpenSSL
v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.
 
I have three questions:
-          Is there a way of setting Xymon up to manage this monitoring?
-          When is it planned to include OpenSSL v1.1.1 in a Xymon build?
-          In the meantime, is it worth writing a simple script to test the
HTTPS response I need and feed this to Xymon separately?
 
Many thanks
 
Martin Davies
list Matthew Goebel · Wed, 25 Mar 2020 09:16:22 -0400 ·
Try adding sni to your hosts.cfg line for that server.

Matt
quoted from Martin Davies


On Wed, Mar 25, 2020 at 8:45 AM <user-a3e8c15f1d86@xymon.invalid> wrote:
I'm trying to monitor a website that is operated on part of Cloudflare's
setup and I am failing to get a positive result.  The website uses TLS1.3
and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon
version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.


I'm monitoring the server using the hosts.cfg entry:

0.0.0.0     Website    # noconn nosslcert https3://www.website.com/


I've tried other httpsX variants and no joy.  The result I get from the
website test is the rather sparse "- SSL error"


Digging into Xymonnet gives a more cryptic


Unspecified SSL error in SSL_connect to https (47873/tcp) on host xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure


I'm assuming the issue is around the version of OpenSSL, as the OpenSSL v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.


I have three questions:

-          Is there a way of setting Xymon up to manage this monitoring?

-          When is it planned to include OpenSSL v1.1.1 in a Xymon build?

-          In the meantime, is it worth writing a simple script to test the HTTPS response I need and feed this to Xymon separately?


Many thanks


Martin Davies

-- 

Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
list Martin Davies · Wed, 25 Mar 2020 15:15:03 -0000 ·
Thank you.  The Sni has worked.

 
Martin
quoted from Matthew Goebel

 
From: Matthew Goebel <user-15cc4fabfae6@xymon.invalid> 
Sent: 25 March 2020 13:16
To: user-a3e8c15f1d86@xymon.invalid
Cc: xymon at xymon.com
Subject: Re: [Xymon] Monitoring websites using TLS1.3

 
Try adding sni to your hosts.cfg line for that server.

 
Matt

 
On Wed, Mar 25, 2020 at 8:45 AM <user-a3e8c15f1d86@xymon.invalid> wrote:

I'm trying to monitor a website that is operated on part of Cloudflare's setup and I am failing to get a positive result.  The website uses TLS1.3 and Xymonnet tells me that it was built USING OpenSSL v 1.1.0g (Xymon version 4.3.28) which only handles TLS variants 1.0, 1.1, and 1.2.

 
I'm monitoring the server using the hosts.cfg entry:

0.0.0.0     Website    # noconn nosslcert https3://www.website.com/

 
I've tried other httpsX variants and no joy.  The result I get from the website test is the rather sparse "- SSL error"

 
Digging into Xymonnet gives a more cryptic 
 
Unspecified SSL error in SSL_connect to https (47873/tcp) on host xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
 
I'm assuming the issue is around the version of OpenSSL, as the OpenSSL v1.1.1 beta version manages TLS1.3 whereas OpenSSL v1.1.0g does not.
 
I have three questions:
-          Is there a way of setting Xymon up to manage this monitoring?
-          When is it planned to include OpenSSL v1.1.1 in a Xymon build?
-          In the meantime, is it worth writing a simple script to test the HTTPS response I need and feed this to Xymon separately?
 
Many thanks
 
Martin Davies
 

-- 

Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
list Martin Davies · Wed, 25 Mar 2020 15:40:56 -0000 ·
Sorry, I should have published my revised hosts.cfg line:

 
0.0.0.0     Website    # noconn sni https://www.website.com/

 
I now get a green status, an "HTTP/1.1 200 OK" response - and the certificate info too:

 
SSL certificate for https://www.website.com/ expires in nnn days

 
Server certificate: <data removed>

 
Cipher used: TLS_AES_256_GCM_SHA384 (256 bits)

 
Thanks for your help, Matt.

 
Kind regards

 
Martin
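
Added example, not part of the original thread and not Xymon code: a Python sketch that decodes the OpenSSL 1.1.x error code from the xymonnet message quoted above, showing that it is a fatal handshake_failure alert sent by the server, and a probe that repeats the handshake with and without the SNI extension for comparison. The function names, the alert table subset, and the host in the usage comment are assumptions made for illustration.

```python
import re
import socket
import ssl

# Subset of TLS alert descriptions (RFC 5246 / RFC 6066 / RFC 8446).
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000   # SSL_AD_REASON_OFFSET: reason = 1000 + alert number

def decode_openssl_error(line):
    """Split an OpenSSL 1.1.x 'error:XXXXXXXX:' code into lib/func/reason."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > ALERT_REASON_OFFSET:
        num = reason - ALERT_REASON_OFFSET      # alert received from the peer
        alert = TLS_ALERTS.get(num, "alert %d" % num)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def probe(host, port=443, send_sni=True, timeout=10):
    """Handshake with or without the SNI extension; return (ok, detail)."""
    ctx = ssl.create_default_context()          # chain validation stays on
    ctx.check_hostname = send_sni               # name check needs server_hostname
    name = host if send_sni else None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return True, "%s %s" % (tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

# The error line quoted in the thread (host already masked there).
XYMON_ERROR = ("Unspecified SSL error in SSL_connect to https (47873/tcp) on host "
               "xx.xx.xx.xx: error:14094410:SSL routines:ssl3_read_bytes:"
               "sslv3 alert handshake failure")

if __name__ == "__main__":
    print(decode_openssl_error(XYMON_ERROR))
    # With network access (hypothetical host), compare:
    #   probe("www.example.com", send_sni=False)
    #   probe("www.example.com", send_sni=True)
```

If the no-SNI probe fails with an alert while the SNI probe succeeds, the server is selecting its certificate and configuration by server name, which matches the `sni` fix reported in the thread.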