SSL Errors
list Vernon Everett
Hi all
Trying to get an https test working to monitor certificate expiry.
Test shows up red, with very descriptive "SSL Error".
The xymonnet error appears a little more useful, but I can't find a resolution to the problem.
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
Additional info.
xymonnet version 4.3.17
SSL library : OpenSSL 1.0.1j 15 Oct 2014
LDAP library: OpenLDAP 20423
Any advice appreciated.
Regards
Vernon
--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
list Scott Pfister
Good morning,
What version of SSL is on the client with the cert? Was SSLv3 disabled due to POODLE exploit? Can you try forcing it to connect using only TLS or SSLv3? In host.cfg set https3://... or httpst://...
thanks
list Vernon Everett
Hi Scott
All I get is a new error message. :-(
https3
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
httpt
Unspecified SSL error in SSL_connect to 47873/tcp on host 1.2.3.4: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
And the https status remains red.
Regards
Vernon
list Tim McCloskey
Vernon,
That is a bug in an early version of openssl, http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2240.
Guessing that you can't patch it, so like Scott mentioned you could try to force a version, one that you have.
The following is from the docs in 4.2.0, I did not check if these are still available in 4.3.17.
"
Forcing an HTTP or SSL version
Some SSL sites will only allow you to connect, if you use specific "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience shows that this fails on some systems.
bbtest-net can be told to use specific dialects, by adding one or more "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:
* "2", e.g. https2://www.sample.com/ : use only SSLv2
* "3", e.g. https3://www.sample.com/ : use only SSLv3
* "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
* "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
* "10", e.g. http10://www.sample.com/ : use HTTP 1.0
* "11", e.g. http11://www.sample.com/ : use HTTP 1.1
These can be combined where it makes sense, e.g. to force SSLv2 and HTTP 1.0 you would use "https210".
"
You could try http10://urltocert and not auto-negotiate the handshake.
Regards,
Tim
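The dialect suffixes in the documentation quoted above can be decoded mechanically, which makes it possible to review a monitoring configuration for tests that are pinned to SSLv2 or SSLv3. The following Python is an added example, not part of the thread and not Xymon's own code. The "t" (TLS only) entry is taken from the httpst:// suggestion earlier in the thread rather than from the quoted 4.2.0 docs, and the sample lines and host names are constructed.

```python
import re

# Dialect names from the bbtest-net docs quoted in the thread, plus "t"
# (TLS only), taken from the httpst:// suggestion earlier in the thread.
DIALECTS = {
    "2": "SSLv2 only", "3": "SSLv3 only", "t": "TLS only",
    "m": "128-bit ciphers only", "h": ">128-bit ciphers only",
    "10": "HTTP 1.0", "11": "HTTP 1.1",
}
LEGACY = {"2", "3"}  # protocol pins a config review should surface
SCHEME_RE = re.compile(r"^(https|http)([0-9a-z]*)://", re.IGNORECASE)

def parse_dialects(url):
    """Return (base_scheme, [dialect names]) for a Xymon-style test URL."""
    m = SCHEME_RE.match(url)
    if not m:
        raise ValueError(f"not an http(s) test URL: {url!r}")
    base, suffix = m.group(1).lower(), m.group(2).lower()
    names, i = [], 0
    while i < len(suffix):
        # Try the two-character names ("10", "11") before single characters.
        for tok in (suffix[i:i + 2], suffix[i:i + 1]):
            if tok in DIALECTS:
                names.append(tok)
                i += len(tok)
                break
        else:
            raise ValueError(f"unknown dialect {suffix[i:]!r} in {url!r}")
    return base, names

def audit(lines):
    """List (line_no, url, [legacy pins]) for tests forced to SSLv2/SSLv3."""
    findings = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if SCHEME_RE.match(tok):
                _, names = parse_dialects(tok)
                pinned = [DIALECTS[d] for d in names if d in LEGACY]
                if pinned:
                    findings.append((n, tok, pinned))
    return findings

# Constructed sample in hosts.cfg layout; host names are placeholders.
SAMPLE_HOSTS_CFG = [
    "1.2.3.4    certhost # httpsh://certhost.example:47873/",
    "192.0.2.10 legacy   # https3://legacy.example/ https210://old.example/",
    "192.0.2.11 www      # https://www.example/ http11://www.example/status",
]

if __name__ == "__main__":
    for n, url, pinned in audit(SAMPLE_HOSTS_CFG):
        print(f"line {n}: {url} forces {', '.join(pinned)}")
```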
list Vernon Everett
Hi all
Thanks for that. httpsh works beautifully.
Regards
Vernon