Expanded SSL Version Selection; Example Use in check_http [sf#3612263] #1137

Closed
monitoring-user opened this issue Sep 24, 2013 · 3 comments

@monitoring-user

Submitted by j-bern on 2013-04-30 12:38:02

I had a problem today which seems to have been reported in more or less similar fashion in the bug tracker several times: Misunderstandings between check_http and server implementations that do not support specific SSL/TLS versions. (In my case, the server is a web app running in a CentOS 6 Tomcat 7 and refuses standard check_http requests because of SSLv2 being enabled.)

I noted that the current (1.4.16) options do not allow disabling SSLv2 while leaving both SSLv3 and TLSv1 enabled - so I added negative values to do just that in sslutils.c and (as an example case) check_http.c. Note that I didn't guard against old OpenSSL versions which may not have the required options ...

[root@nagios nagios-plugins-1.4.16b]# plugins/check_http --ssl $PARAMS
CRITICAL - Cannot make SSL connection.
23666:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

[root@nagios nagios-plugins-1.4.16b]# for SSLVER in 3 2 1 -1 -2 -3 ; do plugins/check_http --ssl=$SSLVER $PARAMS 2>&1 | sed -e "s/^/$SSLVER /" ; done
3 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,070 second response time |time=0,069910s;;;0,000000 size=338B;;;0
2 CRITICAL - Cannot make SSL connection.
1 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,057 second response time |time=0,056833s;;;0,000000 size=338B;;;0
-1 CRITICAL - Cannot make SSL connection.
-1 19823:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
-2 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,061 second response time |time=0,061420s;;;0,000000 size=338B;;;0
-3 CRITICAL - Cannot make SSL connection.
-3 19827:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
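
The selector semantics described in the report above, as an added example that is not part of the original issue or of the nagios-plugins code: it maps each signed `--ssl` value to the versions left enabled and to the matching OpenSSL `OP_NO_*` mask (through Python's `ssl` wrapper), then checks a simple server model against the results in the loop output. Assumptions: a negative value negotiates with that one version switched off, a pinned version is expressed here as a mask rather than a version-specific method, and the server refuses any client that still offers SSLv2; `plan`, `predicted_ok` and `build_context` are hypothetical names.

```python
import ssl
import warnings

# check_http's --ssl=N values as used in the thread: 1 = TLSv1, 2 = SSLv2, 3 = SSLv3.
VERSIONS = {1: "TLSv1", 2: "SSLv2", 3: "SSLv3"}
# Matching OpenSSL "disable this version" options, via Python's ssl wrapper.
# OP_NO_SSLv2 is 0 on builds that no longer contain SSLv2 at all.
DISABLE = {n: int(getattr(ssl, "OP_NO_" + name, 0)) for n, name in VERSIONS.items()}

# Results reported in the thread for each selector (True = "HTTP OK").
REPORTED = {3: True, 2: False, 1: True, -1: False, -2: True, -3: False}


def plan(selector):
    """Return (versions left enabled, option mask) for a signed selector.

    Assumption: N > 0 pins exactly version N; N < 0 negotiates with
    version |N| switched off and the other two left on.
    """
    if abs(selector) not in VERSIONS:
        raise ValueError(f"unsupported selector: {selector}")
    enabled = {selector} if selector > 0 else set(VERSIONS) - {-selector}
    mask = 0
    for n in VERSIONS:
        if n not in enabled:
            mask |= DISABLE[n]
    return sorted(VERSIONS[n] for n in enabled), mask


def predicted_ok(selector):
    """Assumed server model: refuses any client that still offers SSLv2."""
    enabled, _ = plan(selector)
    return "SSLv2" not in enabled


def build_context(selector):
    """Apply the mask to a negotiating client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Newer Pythons deprecate OP_NO_* in favour of minimum_version.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= plan(selector)[1]
    return ctx


if __name__ == "__main__":
    for sel in REPORTED:
        enabled, mask = plan(sel)
        print(f"--ssl={sel:>2}  enabled={enabled}  mask={mask:#010x}  ok={predicted_ok(sel)}")
```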


@waja
Member

waja commented Oct 1, 2013

This should be fixed with 5a5d3d7 and shipped with the next stable release. Please reopen if the problem is still present.

@waja waja closed this as completed Oct 1, 2013
@j-bern

j-bern commented Oct 4, 2013

FYI: Tried with 1.5 today, SSLv2 connections to the app in question are still denied:

plugins/check_http -V

check_http v1.5 (nagios-plugins 1.5)

plugins/check_http $CUSTOMERAPP --ssl=1

HTTP WARNING: HTTP/1.1 400 Bad Request - 130 bytes in 0.026 second response time |time=0.025818s;;;0.000000 size=130B;;;0

plugins/check_http $CUSTOMERAPP --ssl=2

CRITICAL - Cannot make SSL connection.

plugins/check_http $CUSTOMERAPP --ssl=3

HTTP WARNING: HTTP/1.1 400 Bad Request - 130 bytes in 0.070 second response time |time=0.069680s;;;0.000000 size=130B;;;0

But since IE8 apparently has the same problem, the app developers made sure that requests without SSL/TLS version restriction now succeed:

/usr/lib64/nagios/plugins/check_http -V

check_http v1.4.16 (nagios-plugins 1.4.16)

/usr/lib64/nagios/plugins/check_http $CUSTOMERAPP --ssl

HTTP WARNING: HTTP/1.1 400 Bad Request - 130 bytes in 0.039 second response time |time=0.039499s;;;0.000000 size=130B;;;0

  • so the issue can stay closed.
