Kirby_Timm
NeophyteJoined 3 years ago
User Profile
Neophyte
User Widgets
Contributions
Re: SSLError for HTTPS module
For anyone else that may be looking at this in the future, support has supplied me with a solution that works. In LogicMonitor, Open up Settings -> Collectors -> [locate the Collector in question] -> Collector Configuration -> Wrapper Config Within wrapper config, look at all the "wrapper.java.additional.##" where the ## is going to be a number starting at 1 and incrementing by 1. For example in my environment I had wrapper.java.additional.1 - wrapper.java.additional.28 Add 1 to the last wrapper.java.additional.## (so for me it would be wrapper.java.additional.29) and add the following line to the end of your config wrapper.java.additional.29=-Djdk.tls.maxHandshakeMessageSize=50000 Then click "save and restart" to restart the collector. This solved the issue. The "why" is a bit more iffy. According to LogicMonitor support: It looks like it was basically just buffer overflow protection built in to the Collector. We have a buffer of 32KiB for the handshake response, if the response exceeds that buffer size we discard it as invalid. To be clear, the following is conjecture, but I figure what's going on here is that most SSL handshake responses are less than 32KiB, so that value was probably chosen arbitrarily as 'good enough' for most cases. Given that the SSL handshake response contains the entire certificate chain, if the chain is long enough it could in theory exceed that buffer size, which I assume is why the developers offered this as a knob to turn in the config. According some random sources I found online, a typical enterprise certificate chain for an internal server using TLS 1.2 can be 6-10KiB, so 32KiB should be enough in most cases. Looks like in this case it wasn't.32Views1like0CommentsRe: SSLError for HTTPS module
I did find this in the wrapper log. Not sure it's helpful or not? [FSMWebpageTask$HttpResponseCallback.failed:958] Caught SSL exception, CONTEXT=host=<IP>, sslErrorReason=unknown., EXCEPTION=javax.net.ssl.SSLProtocolException: The size of the handshake message (37037) exceeds the maximum allowed size (32768) I'm not sure how one would adjust the size of the handshake message or how it got wonky to begin with... or if it's just a red herring?21Views0likes6CommentsRe: SSLError for HTTPS module
Well, I went ahead and actually opened a ticket with LogicMonitor support on this. I've had a ticket open with FortiNet support since last week but that ticket has kind of gone stale. On a related but different note, is there some where to see in LM exactly what the OID is that's being queried?17Views0likes8CommentsRe: SSLError for HTTPS module
Correct, it's specifically net::ERR_CERT_AUTHORITY_INVALID which is the same error I get from my other 5 sites running self signed certs but are not throwing any error in logicmonitor. I tried running the website checker but we don't have the licensing for that so it's not setup for anything and just tosses an error. I'll have to look deeper into how to set that up. I also didn't find wrapper/smproxy log files so I'll also have to look into where to find those.12Views0likes0Comments
