New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
check_http - SSLv3 forced even when the --ssl flag = 1. #140
Comments
This is a serious bug. Is no one looking at this? |
Please note that this is a community-driven open-source project. While we do have paid developers on-staff, it is not always possible to address every issue as a priority. We welcome contributions in the form of pull requests for issues such as these. Barring that, the best I can do is ask our in-house C dev to look into this and put the rest of his work on-hold. |
Hi Trevor, I appreciate the situation but this is a pretty serious bug, especially now that many people have disabled SSLv3, so any urgency you can attach to this would be much appreciated. Thanks for responding so promptly. |
This will affect a LOT of AWS related sites, including S3, CloudFront, and Lambda functions. We need this fixed in order for Nagios to be a viable option for our AWS resources. Even though Nagios plugins are community maintained, this will make the website monitor in Nagios XI useless against a lot of AWS endpoints. |
For anyone having this problem: please post the version of nagios plugins you are using, and the version of openssl. There have been reports that a newer version of openssl is needed. |
Hello, |
Per @Imprecator 's comment above, and no other responses, I'm assuming the older openssl is the problem and am closing this issue. |
I'm not sure (yet!) it is the openssl version. This is on centos 7: openssl version ./check_http --version So, the version of openssl is > 1.0.0k (which seemed to resolve the issue above). I've just re-pulled all of the plugins and recompiled but I seem to get the same problem. |
Very odd, I'm using Centos 5 and tried OpenSSL 1.0.1e 11 Feb 2013 (downloaded from https://www-origin.openssl.org/source/old/1.0.1/ ) works fine |
FWIW, observing this with OpenSSL 1.0.1e and an older check_http v1.4.15
Example -
Yes that's nagios-plugins from obsolete Debian Squeeze, posting to confirm this can happen with OpenSSL 1.0.1e :) |
Re-opening the issue, since there are still problems. |
Just coming back to this. @dnorth98 have you tried any openssl version greater than 1.0.1e? Maybe try with 1.0.1s or 1.0.1t. |
I addressed our issues with Debian Squeeze by swapping in the binary from Debian's monitoring-plugins for Wheezy. (I know and accept the risks here.) Thought this also may be useful - while
(Not posting to request support, just to provide info for others who run into this. Sorry for noise if this isn't helpful to you.) |
observing the same issue on Redhat 6.8 server connecting to a Wildfly 8.2 instance after enforcing TLS1.1+
The result is sporadic. About 50% of all requests show alert number 40
Im observing the same issue on using "wget --no-check-certificate"
|
We also found this problem on redhat 5.7 and centos 6.7-6.8. This problem is occured from cipher suit. Currently, openssl 0.98 is not work |
I just went through debugging this against an AWS Cloudfront host, and it turns out that some newer web servers require SNI, and unlike web browsers, |
Nobody has come up with an example of it failing with a version of OpenSSL greater than |
I'm getting this error on my monitoring server running Debian "stretch" amd64, either with check_http from the monitoring-plugins package or with the version included in the OMD 2.60 package. Both are version 2.2, the OpenSSL library is 1.1.0f-3+deb9u1 (libssl 1.0.2l-2+deb9u2 is also installed on this system, but I've verified with ldd that both check_http binaries are using 1.1). Only some host checks are failing, notably towards Windows Server 2003 servers (yes, I'm going to get rid of these soon!) and on HP iLO3 management ports. An example:
OpenSSL only supports TLS here, it appears. If I use option -S3, I get: Using --sni doesn't make any difference. The host supports SSLv3, TLSv1 and TLSv1.1; openssl s_client connects without trouble. I can attach a nmap scan if you think it could be useful. This is a new install on amd64 because OMD version 2.60 doesn't support i386 any more; the old monitoring server running OMD 2.10 has no problem doing the checks with check_http v2.1.1 and OpenSSL 1.0.1t-1+deb8u7. |
I'm getting check_http service errors to most of my webservers that do not have SSLv3 enabled.
As you can see, even when I explicitly force TLSv1, it still attempts
sslv3.
Here's the nmap scan showing the ciphers available on my webserver:
The text was updated successfully, but these errors were encountered: