[Nagiosplug-devel] [ nagiosplug-Bugs-1402262 ] check_http SSL doesn't work for Tomcat servers

SourceForge.net noreply at sourceforge.net
Tue Mar 7 02:34:01 CET 2006


Bugs item #1402262, was opened at 2006-01-11 00:01
Message generated for change (Comment added) made by tonvoon
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1402262&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Submitted By: richard (rag777)
>Assigned to: Ton Voon (tonvoon)
Summary: check_http SSL doesn't work for Tomcat servers

Initial Comment:
check_http fails with CRITICAL - Cannot retrieve server
certificate for checks against Tomcat servers.

This is from release 1.4.2 and tested against Tomcat
4.x and 5.x servers. It is completely reproducable.


This example works:
check_http --ssl www.verisign.com

HTTP OK HTTP/1.1 200 OK - 30606 bytes in 1.754 seconds
|time=1.754026s;;;0.000000 size=30606B;;;0


This example fails:
check_http --ssl www.icpkp.com

CRITICAL - Cannot retrieve server certificate.


I have tried this against a bunch of Tomcat sites and
always get the same result. I also get it when trying
against a self-signed certificate.

The browsers access the certificate fine, and don't
report any problems.

Any help would be greatly appreciated!


----------------------------------------------------------------------

>Comment By: Ton Voon (tonvoon)
Date: 2006-03-07 10:32

Message:
Logged In: YES 
user_id=664364

Hi!

Thanks for the bug report and the investigations.

I've tried this on the latest CVS version and all the sites here seem to work 
okay. Sean Finney has changed the SSL code so there is no SSL_set_cipher_list 
call anymore - I'm not sure what it is doing. Sean?

Can you please try the snapshot at http://nagiosplug.sf.net/snapshot to see 
if you still have problems with the latest CVS version.

I've added in tests for check_http to connect to www.verisign.com and 
www.e-paycobalt.com so we can pick up these certificate failures in future.

Ton


----------------------------------------------------------------------

Comment By: David Kelly (at-one)
Date: 2006-03-07 08:46

Message:
Logged In: YES 
user_id=1275092

Verified never_to_late's solution, changing ALL to DEFAULT
and recompiling works great. Thank you!

----------------------------------------------------------------------

Comment By: never_too_late (never_too_late)
Date: 2006-03-07 02:11

Message:
Logged In: YES 
user_id=1469521

Not sure what the root cause is exactly, but this fixed it
for me:

In check_http.c change "ALL" in SSL_set_cipher_list(ssl,
"ALL") to "DEFAULT" and recompile.

For anybody wanting to probe deeper, you can see the same
behaviour with s_client:

1. openssl s_client -connect www.e-paycobalt.com:443 -cipher
ALL will not get you a peer certficate

2. Replacing ALL with DEFAULT will


----------------------------------------------------------------------

Comment By: Scott Hunter (huntes)
Date: 2006-03-02 15:57

Message:
Logged In: YES 
user_id=315297

I am also having this exact problem with an AES certificate
in Tomcat.

----------------------------------------------------------------------

Comment By: David Kelly (at-one)
Date: 2006-03-01 12:03

Message:
Logged In: YES 
user_id=1275092

Incidentally I just checked out the certificate for
icpkp.com to which the original bug report refers and it too
is using an AES ciphered cert. This leads me to believe that
it's the cipher that is the issue, not Tomcat.

----------------------------------------------------------------------

Comment By: David Kelly (at-one)
Date: 2006-03-01 11:59

Message:
Logged In: YES 
user_id=1275092

I can't comment on Tomcat servers but it seems this error
also applies to site certificates using the AES cipher:

insight2:/s2s/apps/nagios-plugins# ./check_http --ssl
www.verisign.com
HTTP OK HTTP/1.1 200 OK - 31062 bytes in 1.206 seconds
|time=1.205539s;;;0.000000 size=31062B;;;0

insight2:/s2s/apps/nagios-plugins# ./check_http --ssl
www.e-paycobalt.com
CRITICAL - Cannot retrieve server certificate.

e-paycobalt.com is just one of many of our customer sites
using the aes encrypted certificates that I have tested this
on. All fail with the same error.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1402262&group_id=29880




More information about the Devel mailing list