Xymon Mailing List Archive

XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11?

2 messages in this thread

Henrik Størner · Thu, 25 Jul 2013 12:07:34 +0200
Hi,

all indications are that this is an OpenSSL library problem (present in 
OpenSSL 1.x, but not in the older 0.9.x versions).

Debian has this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702635

SuSE has this:
http://lists.opensuse.org/opensuse-bugs/2013-05/msg01048.html

It appears that the problem only shows up when testing sites with 
specific SSL implementations; e.g. I've seen it when connecting to some 
IIS versions.

Apparently, a work-around is to force the use of SSLv3 instead of 
TLSv1; you can do that by changing the URL in hosts.cfg so it has 
"https3" instead of just "https".

Regards,
Henrik


On 25.07.2013 07:54, Andrey Chervonets wrote:
Good day!

I still have not received any reply to my previous messages about https
test problems in 4.3.11 or due to openssl-1.0.nnnn.
Does 4.3.12 have fixes for that?

Or what should be the steps to find root cause and fix?
Just tell me in which direction should I go, I am not going to take
much of Your time.

P.S. Really, I am surprised nobody else reported similar problems. I
feel I have done something wrong. :(

Best regards,

Andrey Chervonets
 SIA CoMinder
 http://www.cominder.eu/

From: Andrey Chervonets/Cominder/LV
To: user-ce4a2c883f75@xymon.invalid,
Date: 19.06.2013 09:41
Subject: Re: Fw: [Xymon] HTTPS problems in 4.3.11


Good day, Henrik!

Do You have any idea why we have such problems and how it can be
fixed?
I can send "make" and "make install" logs if this can help.

 Best regards,

Andrey Chervonets
 SIA CoMinder
 http://www.cominder.eu/
 mobile: +XXX XXXXXXXX

From: Andrey Chervonets/Cominder/LV
To: user-ce4a2c883f75@xymon.invalid,
Date: 13.06.2013 09:04
Subject: Fw: [Xymon] HTTPS problems in 4.3.11


just for information:

XyMon 4.3.4 where everything is OK:
-bash-3.2$ ./xymonnet --version
xymonnet version 4.3.4
SSL library : OpenSSL 0.9.8e-rhel5 01 Jul 2008
LDAP library: OpenLDAP 20343

-bash-3.2$ rpm -q openssl openssl-devel
openssl-0.9.8e-12.el5_5.7
openssl-0.9.8e-12.el5_5.7
openssl-devel-0.9.8e-12.el5_5.7
openssl-devel-0.9.8e-12.el5_5.7
-bash-3.2$ cat /etc/issue
CentOS release 5.6 (Final)

Hosts where NOK:

XyMon 4.3.11 on SuSE:
# rpm -q openssl libopenssl-devel
openssl-1.0.1e-1.1.1.i586
libopenssl-devel-1.0.1e-1.1.1.i586

# cat /etc/issue
Welcome to openSUSE 12.3 "Dartmouth"

XyMon 4.3.11 on CentOS:
$ rpm -q openssl openssl-devel
openssl-1.0.0-27.el6_4.2.x86_64
openssl-devel-1.0.0-27.el6_4.2.x86_64

$ cat /etc/issue
CentOS release 6.4 (Final)

----- Forwarded by Andrey Chervonets/Cominder/LV on 13.06.2013 09:01

From: Andrey Chervonets/Cominder/LV
To: xymon at xymon.com,
Date: 13.06.2013 08:45
Subject: Re: [Xymon] HTTPS problems in 4.3.11

Message: 13
Date: Wed, 12 Jun 2013 08:00:28 +0200
From: Henrik Størner <user-ce4a2c883f75@xymon.invalid>
To: xymon at xymon.com
Subject: Re: [Xymon] HTTPS problems in 4.3.11
Message-ID: <user-baad6e11a05a@xymon.invalid>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 12-06-2013 07:19, Andrey Chervonets wrote:
I had found 2 problems that are reproducible only on 4.3.11 XyMon
server (CentOS release 6.4 (Final)),
on 4.3.4 (CentOS release 5.6 (Final)) works fine.

Problem 1) Some https resources reported with red (http) and white
(content), while really it can be accessed

Going from CentOS 5->6 also means upgrading the OpenSSL libraries to
version 1.0 (from 0.9.8e). I assume you compiled 4.3.11 on the new
server ?

Check that SSL support is enabled in xymon: Run "xymonnet --version" and
check that there is a line with "SSL library: OpenSSL...."

xymonnet --version just returns
xymonnet version 4.3.11
RPMs are OK
$ rpm -q openssl openssl-devel
openssl-1.0.0-27.el6_4.2.x86_64
openssl-devel-1.0.0-27.el6_4.2.x86_64

But I was sure I had replied Y for SSL tests during installation.
To be double sure - I had renamed Makefile and run ./configure again
today; it was like:
..
Checking for OpenSSL ...
Compiling with SSL library works OK
Linking with SSL library works OK
Checking if your SSL library has SSLv2 enabled
Will support SSLv2 when testing SSL-enabled network services

Xymon can use the OpenSSL library to test SSL-enabled services
like https-encrypted websites, POP3S, IMAPS, NNTPS and TELNETS.
If you have the OpenSSL library installed, I recommend that you enable
this.

Do you want to be able to test SSL-enabled services (y) ?
Y
...

And resulting Makefile is the same as old. diff Makefile Makefile.old
returns nothing.
part of Makefile for SSL:
#
# OpenSSL settings
#
# OpenLDAP settings
LDAPFLAGS =
#
But... 4.3.4 has the same on machine where SSL is working
and ./xymonnet --version returns:
xymonnet version 4.3.4
SSL library : OpenSSL 0.9.8e-rhel5 01 Jul 2008
LDAP library: OpenLDAP 20343

I had checked on another machine where I had installed XyMon 4.3.11
recently - OpenSUSE 12.3
xymonnet --version returns the same output: xymonnet version 4.3.11
and nothing more.

Any ideas where could be the problem?

Best regards,

Andrey Chervonets
 SIA CoMinder
 http://www.cominder.eu/
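
Added example, not part of the original thread: a small shell helper that applies the check suggested in the quoted 12 Jun message (look for an "SSL library" line in `xymonnet --version`) and also reports whether the linked OpenSSL is the 0.9.x or the 1.x series discussed above. The function name and result labels are assumptions made for this example; the first two samples are copied from the thread and the third is constructed.

```shell
#!/bin/sh
# Samples of `xymonnet --version` output.
# The first two are copied from the thread; the third is constructed.
SAMPLE_4_3_4='xymonnet version 4.3.4
SSL library : OpenSSL 0.9.8e-rhel5 01 Jul 2008
LDAP library: OpenLDAP 20343'
SAMPLE_4_3_11='xymonnet version 4.3.11'
SAMPLE_OPENSSL_1='xymonnet version 4.3.11
SSL library : OpenSSL 1.0.1e 11 Feb 2013'

# classify_xymonnet_ssl (hypothetical helper): reads version output on stdin.
# Prints one of:
#   no-ssl       no "SSL library" line, so the binary was built without SSL
#   openssl-0.9  linked against OpenSSL 0.9.x
#   openssl-1.x  linked against OpenSSL 1.x
#   unknown      an SSL library line is present but not recognised
classify_xymonnet_ssl() {
    # The thread shows both "SSL library :" and "SSL library:" spellings.
    ssl_line=$(grep -E '^SSL library[[:space:]]*:' | head -n 1)
    if [ -z "$ssl_line" ]; then
        echo "no-ssl"
        return 0
    fi
    # Extract the version token that follows the word "OpenSSL".
    version=$(printf '%s\n' "$ssl_line" | sed -n \
        's/^SSL library[[:space:]]*:[[:space:]]*OpenSSL[[:space:]]\{1,\}\([0-9][0-9a-zA-Z.]*\).*/\1/p')
    case "$version" in
        0.9.*) echo "openssl-0.9" ;;
        1.*)   echo "openssl-1.x" ;;
        *)     echo "unknown" ;;
    esac
}

# Stand-alone demo over the three samples.
# On a real server: xymonnet --version | classify_xymonnet_ssl
for sample in "$SAMPLE_4_3_4" "$SAMPLE_4_3_11" "$SAMPLE_OPENSSL_1"; do
    printf '%s\n' "$sample" | classify_xymonnet_ssl
done
```

A "no-ssl" result means the https tests cannot work regardless of protocol version, so it has to be resolved at build time before any "https3" workaround is worth trying.
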
Andrey Chervonets · Wed, 31 Jul 2013 18:15:39 +0300
Yes, there may be some specific or expired certificate, but workaround not working anyway,

Tested, using http3 does not help for CentOS and OpenSUSE 12.3

tested with URL:  https://epak.pmlp.gov.lv/NYX.Nyx002.WebSite/Default.aspx
and some others.


Best regards,

Andrey Chervonets
SIA CoMinder
http://www.cominder.eu/


From:   user-ce4a2c883f75@xymon.invalid
To:     Andrey Chervonets <user-e7fb5c02322c@xymon.invalid>, Cc:     <xymon at xymon.com>
Date:   25.07.2013 13:07
Subject:        Re: XyMon 4.3.12 - what about HTTPS problems reported for 4.3.11?


Hi,

all indications are that this is an OpenSSL library problem (present in OpenSSL 1.x, but not in the older 0.9.x versions).

Debian has this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702635

SuSE has this:
http://lists.opensuse.org/opensuse-bugs/2013-05/msg01048.html

It appears that the problem only shows up when testing sites with specific SSL implementations; e.g. I've seen it when connecting to some IIS versions.

Apparently, a work-around is to force the use of SSLv3 instead of TLSv1; you can do that by changing the URL in hosts.cfg so it has "https3" instead of just "https".

Regards,
Henrik


On 25.07.2013 07:54, Andrey Chervonets wrote:
Good day!

I still have not received any reply to my previous messages about https
test problems in 4.3.11 or due to openssl-1.0.nnnn.
Does 4.3.12 have fixes for that?

Or what should be the steps to find root cause and fix?
Just tell me in which direction should I go, I am not going to take
much of Your time.

P.S. Really, I am surprised nobody else reported similar problems. I
feel I have done something wrong. :(