Xymon Mailing List Archive

ssl errors since updating from 4.3.12 to 4.3.16 with openssl 1.0.1

2 messages in this thread

John Thurston · Fri, 14 Feb 2014 11:00:48 -0900
Since updating one of my xymon servers from 4.3.12 to 4.3.16, I have been seeing a lot of flapping on https tests to several tomcat servers. These failures are accompanied by lines in xymonnet.log of the form:
Unspecified SSL error in SSL_connect to 8443/tcp on host 10.203.10.42: error:00000000:lib(0):func(0):reason(0)
I've just noticed that:
  4.3.12 was built with openssl 0.9.8w
  4.3.16 was built with openssl 1.0.1e

These hosts were reporting well on the 4.3.12 instance of this Xymon server. They are still reporting well on my other (4.3.12) server. This appears, to me, to be a failure at establishing an SSL connection so I strongly suspect a difference in openssl behavior is the cause.

The flapping does not appear to be occurring with https checks against my apache web servers, nor against my IIS web servers. Only against instances of tomcat.

I'm going to go explore the differences between 0.9.8 and 1.0.1. My hypothesis is the cause is a change in cipher lists with 1.0.1. Has anyone else already seen these failures and found the cause?

-- 
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
Henrik Størner · Fri, 14 Feb 2014 22:27:32 +0100
On 14-02-2014 21:00, John Thurston wrote:
> Since updating one of my xymon servers from 4.3.12 to 4.3.16, I have
> been seeing a lot of flapping on https tests to several tomcat servers.
> These failures are accompanied by lines in xymonnet.log of the form:
> Unspecified SSL error in SSL_connect to 8443/tcp on host 10.203.10.42:
> error:00000000:lib(0):func(0):reason(0)
> I've just noticed that:
>   4.3.12 was built with openssl 0.9.8w
>   4.3.16 was built with openssl 1.0.1e

There have been several reports of SSL problems when going from version 0.9.x to 1.0.x of OpenSSL. You will also find reports of this problem around the net involving other software, not just Xymon - so it's a compatibility issue with OpenSSL.

As I recall, it could be worked around by forcing either SSLv3 or TLS. You can do that by changing "https" in the URL to "https3" or "httpst", respectively.


Regards,
Henrik
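
An added example, not part of the thread or of Xymon itself: one way to apply the workaround only where it is needed, by counting the SSL_connect failures quoted above per host and port and switching just those hosts.cfg URLs to a forced-protocol scheme. It assumes each hosts.cfg line starts with the address that appears in the log; the function names, the hostnames and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Message text as quoted in the thread; anything before it on the line is ignored.
SSL_ERR = re.compile(r"Unspecified SSL error in SSL_connect to (\d+)/tcp on host (\S+?):\s")

def failing_endpoints(log_text):
    """Count SSL_connect failures per (host, port) found in xymonnet.log text."""
    return Counter((m.group(2), int(m.group(1))) for m in SSL_ERR.finditer(log_text))

def force_protocol(hosts_cfg, endpoints, scheme="httpst"):
    """Swap https:// for `scheme` on URLs whose line address and port are failing."""
    out = []
    for line in hosts_cfg.splitlines():
        fields = line.split()
        # Assumption: a host line begins with the same address the log reports.
        addr = fields[0] if fields and not fields[0].startswith("#") else None

        def swap(m, addr=addr):
            port = urlsplit(m.group(0)).port or 443  # no explicit port means 443
            if (addr, port) in endpoints:
                return scheme + m.group(0)[len("https"):]
            return m.group(0)

        out.append(re.sub(r"\bhttps://\S+", swap, line) if addr else line)
    return "\n".join(out)

# Constructed sample input, modelled on the log line quoted in the thread.
SAMPLE_LOG = """\
Unspecified SSL error in SSL_connect to 8443/tcp on host 10.203.10.42: error:00000000:lib(0):func(0):reason(0)
Unspecified SSL error in SSL_connect to 8443/tcp on host 10.203.10.42: error:00000000:lib(0):func(0):reason(0)
Unspecified SSL error in SSL_connect to 8443/tcp on host 192.0.2.17: error:00000000:lib(0):func(0):reason(0)
"""
# Constructed hosts.cfg entries; only the failing host:port pairs should change.
SAMPLE_HOSTS = """\
10.203.10.42 tomcat-a # https://tomcat-a.example.test:8443/status
192.0.2.17 tomcat-b # https://tomcat-b.example.test:8443/app https://tomcat-b.example.test/
192.0.2.50 apache-a # https://apache-a.example.test/
"""

if __name__ == "__main__":
    hits = failing_endpoints(SAMPLE_LOG)
    for (host, port), count in hits.most_common():
        print(f"{host}:{port} {count} failure(s)")
    print(force_protocol(SAMPLE_HOSTS, hits))
```

Pass `scheme="https3"` to force SSLv3 instead of TLS, the other option named in the reply.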