[0.20.6] SSL / TLS issue with eventmachine

[BarthV]

# /opt/sensu/bin/sensu-server -V
0.20.6

# /opt/sensu/embedded/bin/gem list |egrep -i "eventmachine|em-"
em-http-request (1.1.2)
em-redis-unified (1.0.0)
em-socksify (0.3.1)
em-worker (0.0.2)
eventmachine (1.0.8)

Using this simple script :

require 'em-http-request'
EventMachine.run {
  http = EventMachine::HttpRequest.new('https://*********').get :timeout => 10
  http.callback {
    p http.response_header.status
    p http.response_header
    p http.response
    EventMachine.stop
  }
}

Output with a ruby 2.2.3 "vanilla" + latest em-http-request gem :

> time ruby ssltest.rb
405
{"ALLOW"=>"OPTIONS, POST", "CONTENT_TYPE"=>"text/plain; charset=utf-8", "X_CONTENT_TYPE_OPTIONS"=>"nosniff", "DATE"=>"Mon, 02 Nov 2015 09:12:24 GMT", "CONTENT_LENGTH"=>"19", "CONNECTION"=>"close"}
"Method Not Allowed\n"

  0,13s user
  0,00s system
  73% cpu 0,174 total

Output with Sensu embedded Ruby

> time /opt/sensu/embedded/bin/ruby /root/ssltest.rb 
< had to CTRL+C after 10 minutes ... just to end the command >
/opt/sensu/embedded/lib/ruby/gems/2.0.0/gems/eventmachine-1.0.8/lib/eventmachine.rb:193:in `run_machine': Interrupt
    from /opt/sensu/embedded/lib/ruby/gems/2.0.0/gems/eventmachine-1.0.8/lib/eventmachine.rb:193:in `run'
    from /root/ssltest.rb:2:in `<main>'

real    11m10.405s
user    0m0.468s
sys 0m0.092s

Supported ciphers for the target URL :

Obtaining cipher list from OpenSSL 1.0.1f 6 Jan 2014.
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-SHA...YES
Testing AES256-SHA...YES
Testing ECDHE-RSA-DES-CBC3-SHA...YES
Testing DES-CBC3-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES128-SHA...YES
Testing AES128-SHA...YES

This test is working when I use http and not https.
What can I do to make this work inside Sensu & using EM ?

[portertech]

What's the Interrupt for? Usually you see something like that when eventmachine was not built with OpenSSL.

[BarthV]

The interrupt was just here to end the command...
Without it, ruby would have ran indefinitely.

[portertech]

@BarthV Ah, sorry, I didn't read < had to CTRL+C after 10 minutes ... just to end the command >. Are you able to observe an HTTP query in progress? Hanging? What if you try the test with a vanilla 2.0.0? It may be the Ruby version.

[dcrawkstar]

::bump::
I have the same issue going to the InfluxDB hosted solution that uses https to connect.
I ran a tcpdump of both http & https using
$ tcpdump -vv -s 0 -A 'tcp dst port 8086 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

&

$ tcpdump -vvv -n dst port 8086

I was able to the post and length of the post over http (length 3728), over https (length 0). Using cURL i can post the metrics after i use a handler to write them to a file on disk. So i can verify that metrics make it in over https. Wondering if building the embedded eventmachine against the system openssl would fix that?
$ /opt/sensu/embedded/bin/gem install eventmachine -v '1.0.8' -- --with-cppflags=-I/usr/include/openssl/

not sure... im not fantastic with ruby or its underpinnings. thoughts?

[portertech]

Hmm, Sensu's Ruby is currently capable of communicating with SSL, e.g. RabbitMQ. I will try to test this myself, it may be time to make the jump to a newer Ruby with the GC changes etc.

[BarthV]

(last message was deleted)
@portertech :
It also working great with a ruby 2.0.0-p645 vanilla + http-request gem.
So the problem is really sticked to Sensu embedded ruby.

It probably depends on available SSL ciphers since www.google.fr:443 (and many other ssl services) are working great.

I searched but I didn't found any cipher list or cipher group restriction inside Sensu source :-/ . So maybe I'm wrong ...

[portertech]

@BarthV it could be a combination of EventMachine and the Ruby version. I'll test Sensu Core w/ a newer Ruby, it is time to make the jump anyways 👍

[calebhailey]

@BarthV Sensu 0.23 was released this week with a new Ruby (version 2.3). See here for more information: https://sensuapp.org/docs/0.23/changelog

I'm going to presumptively close this issue, but please feel free to create a new issue if the matter is not resolved.

#monitoringlove