Xymon Mailing List Archive

SSL Certs on servers with multiple virtualhosts

18 messages in this thread

John D. Alexander · Tue, 6 Aug 2013 18:32:04 +0000
I'm running Xymon 4.3.12 on CentOS 6.4 and monitoring a number of Apache web servers that each have multiple SSL VirtualHosts.

Xymon appears to be using the openssl s_client utility to check server certificates and since s_client is not SNI compliant, it only picks up the certificate of the first VirtualHost.  All other VirtualHosts are reported having the same certificate.

Does anyone know of a workaround (perhaps using curl) to validate SSL certificates and track expiration dates of those certificates?

Thanks much.

John Alexander
Network Administrator
Ralph Mitchell · Tue, 6 Aug 2013 15:38:28 -0400
I have a script that fakes the xymonnet http & sslcert columns.  I'll post
it to the list this evening when I get home from work.

Ralph Mitchell

Galen Johnson · Tue, 6 Aug 2013 19:45:07 +0000
Would something like this not work:

group HTTP
0.0.0.0 host1.example.com # https://host1.example.com
0.0.0.0 host2.example.com # https://host2.example.com
...

=G=
Mark Felder · Tue, 06 Aug 2013 14:55:18 -0500
On Tue, 06 Aug 2013 14:45:07 -0500, Galen Johnson <user-87f955643e3d@xymon.invalid> wrote:
Would something like this not work:

group HTTP
0.0.0.0 host1.example.com # https://host1.example.com
0.0.0.0 host2.example.com # https://host2.example.com
...
No, if the client doesn't support SNI it will always receive the first SSL  
certificate. In that example host2.example.com's data is useless.
John D. Alexander · Tue, 6 Aug 2013 20:26:51 +0000
Given that s_client is rudimentary and actually pretty old, it might be a thing to do the tests using curl instead of openssl.  Curl reports the proper certificates.

Wonder how much work it would be to use curl instead of openssl.  Does anyone know what drives the http tests?  I'm not a programming guy, but know folks who are.

John Alexander
Henrik Størner · Tue, 06 Aug 2013 22:44:39 +0200
Xymon uses OpenSSL, but only the library - not the s_client tool (or any other external tool).

Supporting SNI in the Xymon tests should be a fairly simple change, though. The attached change to Xymon 4.3.12 should do it - I would appreciate it if you could try it out, since I don't have the necessary test setup to really test it. Just save the attached file, then go to your xymon-4.3.12 directory and run
	cat /tmp/xymon-snisupport.patch | patch -p0
then run "make" and "make install" again.


BTW, s_client does support SNI - you just need to specify the name with the "-servername NAME" option.


Regards,
Henrik
Attachments (1)
John D. Alexander · Tue, 6 Aug 2013 21:31:50 +0000
I will have it tested here very soon.  Thanks Henrik.
John D. Alexander · Tue, 6 Aug 2013 21:38:04 +0000
Henrik,

There seems to be a math error in there.  It has my certificates having expired 15500 days ago.

John Alexander
Ralph Mitchell · Tue, 6 Aug 2013 21:50:26 -0400
Here's that script for checking web servers.  It's not rocket surgery, but
it gets the job done.  I needed it to be able to poke a secure web server
through a proxy.

Ralph Mitchell
Attachments (1)
Henrik Størner · Wed, 07 Aug 2013 06:49:29 +0200
Hi John,
On 06-08-2013 23:38, John D. Alexander wrote:

There seems to be a math error in there.  It has my certificates
having expired 15500 days ago.

is this a public website so I can try it myself ?


If not, could you please run

  openssl s_client -servername "www.yoursite.com" \
	-connect your.server.ip:443

(substitute the site-name and IP as appropriate)? I'm interested in the
certificate itself - the part of the output that looks like

Server certificate
-----BEGIN CERTIFICATE-----
MIIFITCCBAmgAwIBAgIDCDa4MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
al4b4feKk2DNYYrZ3N3v/8XruC27BRfo4HMi7P/xwUHu2LtcHvOIyQkHPg3GAENP
... more lines like these ...
psilcHKH+ghFIeP5KSaDJYlKN2WZ
-----END CERTIFICATE-----


Thanks,
Henrik
John D. Alexander · Wed, 7 Aug 2013 17:56:39 +0000
Henrik,

The website is private.  I've already rolled back the code but I can reapply the patch and take screen shots if need be.

Judging from the fact that Xymon was saying that the certificates expired about 42 years ago, a couple of the programmers here indicate that it's not picking up data from the certificate properly and interpreting that as the epoch and counting forward from there for expiration date.

Here is the output from the command you requested...  

CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = fwbox.feeneywireless.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=fwbox.feeneywireless.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=fwbox.feeneywireless.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

Here is the output of the sslcert page in Xymon for that virtual server.  It is the second virtual server configured - the first being vzw.

SSL certificate for https://fwbox.feeneywireless.com/ expires in 1357 days

Server certificate:
	subject:/OU=Domain Control Validated/CN=vzw.feeneywireless.com
	start date: 2013-04-25 23:08:28 GMT
	expire date:2017-04-25 22:44:17 GMT
	key size:2048
	issuer:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

John Alexander
Henrik Størner · Wed, 07 Aug 2013 23:23:15 +0200
Xymon uses the OpenSSL library routines to handle the SSL details, so I would be rather surprised if some kind of bogus certificate data got through all the way to the Xymon code - the openssl library is supposed to discard such invalid data and report an error.

More likely it is some kind of integer overflow. 15500 days before now is suspiciously close to Jan 1st 1970 (start of Unix epoch).

But it surprises me a bit, since I setup a test site here with two vhosts and different certificates, and the new code worked fine here - got the right certificate for each of the two hosts.

What version of OpenSSL are you running on the server where Xymon is compiled ? You can check by running "xymonnet --version".

I'll probably send you (directly, not via the list) a test-version of Xymon that logs some more debugging data for this - sometime later this week.


Regards,
Henrik
John D. Alexander · Wed, 7 Aug 2013 22:08:26 +0000
We checked on the expiration dates that the patched Xymon was reporting and they were January 1, 1970 plus the number of days from present to the expiration date of the certificate.

Output from xymonnet is:

xymonnet version 4.3.12
SSL library : OpenSSL 1.0.0 29 Mar 2010
LDAP library: OpenLDAP 20423

John Alexander
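The stand-alone, SNI-aware expiry check John asked for at the top of the thread, together with the failure mode behind his "January 1, 1970 plus the number of days" report and Henrik's epoch observation: an added example in Python, not Xymon code and not Ralph's attached script. The default hostnames, the CLI shape and the `buggy_expiry_as_timestamp` function are assumptions; the notAfter value and the 1357-day figure are taken from the sslcert output quoted earlier in the thread.

```python
#!/usr/bin/env python3
"""SNI-aware certificate expiry check (added example, not Xymon or Ralph's code).

Connecting with SNI is the equivalent of `openssl s_client -servername NAME`:
without it a server with several SSL VirtualHosts hands back its default
(first) certificate, which is the problem this thread starts with."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# notAfter format used by OpenSSL text output and Python's getpeercert()
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Values taken from the sslcert output earlier in the thread (expire date
# 2017-04-25 22:44:17 GMT) and the timestamp of the message reporting it.
THREAD_NOT_AFTER = "Apr 25 22:44:17 2017 GMT"
THREAD_NOW = datetime(2013, 8, 7, 17, 56, 39, tzinfo=timezone.utc)


def parse_not_after(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    # strptime accepts "GMT" for %Z but returns a naive value; pin it to UTC.
    return datetime.strptime(not_after, NOT_AFTER_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until expiry; negative once the cert has expired."""
    return (parse_not_after(not_after) - now).days


def status_line(url_host: str, not_after: str, now: datetime) -> str:
    """Summary in the shape of the first line of Xymon's sslcert page."""
    days = days_until_expiry(not_after, now)
    return f"SSL certificate for https://{url_host}/ expires in {days} days"


def buggy_expiry_as_timestamp(not_after: str, now: datetime) -> datetime:
    """Hypothetical slip producing exactly the symptom John reports: the
    *duration* until expiry is used as an *absolute* time_t, so the expiry
    date is rendered as 1970-01-01 plus N days and the cert looks about
    forty years expired.  The thread never pins down the real cause; this
    only shows the failure mode to watch for when a date check goes wrong."""
    remaining = parse_not_after(not_after) - now   # a timedelta ...
    return EPOCH + remaining                       # ... misused as a timestamp


def fetch_peer_cert(host: str, port: int = 443,
                    server_name: Optional[str] = None) -> dict:
    """Return the peer certificate of host:port as getpeercert()'s dict.

    server_name goes into the SNI extension; None sends no SNI at all, which
    is how to reproduce the "always the first vhost's cert" behaviour.
    Hostname matching is off so a mismatched cert is still returned and can
    be reported, but the chain must still verify against the system CAs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED   # getpeercert() is empty under CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def common_name(cert: dict) -> str:
    """Extract the subject CN from getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


if __name__ == "__main__":
    # Usage: script.py vhost1 [vhost2 ...]; the defaults are constructed names.
    now = datetime.now(timezone.utc)
    for name in sys.argv[1:] or ["host1.example.com", "host2.example.com"]:
        cert = fetch_peer_cert(name, server_name=name)   # SNI = the vhost name
        print(status_line(name, cert["notAfter"], now), f"(CN={common_name(cert)})")
```

Comparing the CN returned with `server_name=name` against the one returned with `server_name=None` for the same host shows whether the server actually serves per-vhost certificates.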
John D. Alexander · Wed, 7 Aug 2013 23:30:28 +0000
Hey Ralph,

Thanks for the script.  I'll give it a whirl.  I'm guessing that each separate server will need to be set up with the script run against it.
Also, I suppose that I'll need to stop the https://.... test from the xymon hosts.cfg

Thanks again

John Alexander
Ralph Mitchell · Wed, 7 Aug 2013 20:41:22 -0400
You're right about separate entries per server - as it stands, it will ping
one server.  I don't know if Xymon concatenates multiple http / sslcert
reports for the same server into the one column, or if each one overwrites
the previous report.

However, it wouldn't be very hard to pass a file of urls to the script and
turn the main body into a loop that pings each url and accumulating the
results into https & sslcert files, then end by posting those files to
Xymon.

And yes, you would want to remove the urls from the xymon hosts.cfg,
otherwise xymonnet would duplicate the effort.

Ralph Mitchell
John D. Alexander · Fri, 9 Aug 2013 21:03:55 +0000
Henrik,

Have you been able to make any progress on the multiple ssl VirtualHost issue?

If need be, I can apply the patch on a system that is reachable from outside and give you access (https) if I can get your IP address.

Thanks much

John Alexander
Troy Adams · Thu, 26 Mar 2015 12:53:13 -0600 (MDT)
I know this is an old thread but I am still interested in this functionality. Does the latest Xymon support this? 


cheers, 
Troy
Japheth Cleaver · Thu, 26 Mar 2015 14:46:10 -0700
Troy,

SNI was added in 4.3.13, but disabled (by default) in 4.3.14 and beyond
(since some servers didn't handle it too well).

It can be re-enabled by using the 'sni' tag in hosts.cfg or by passing
--sni as an option to xymonnet.

See https://www.xymon.com/help/manpages/man5/hosts.cfg.5.html#lbAM and
https://www.xymon.com/help/manpages/man1/xymonnet.1.html#lbAI


HTH,

-jc