[Nagiosplug-devel] [ nagiosplug-Bugs-2826570 ] check_http 1.4.13 does not work with some HTTPS servers

SourceForge.net noreply at sourceforge.net
Tue Aug 11 15:20:14 CEST 2009


Bugs item #2826570, was opened at 2009-07-24 09:37
Message generated for change (Comment added) made by dermoth
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Steffen (steffencl)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: check_http 1.4.13 does not work with some HTTPS servers

Initial Comment:
Hello,

we recently made a nagios-plugin update which introduced
  check_http v1.4.13 (nagios-plugins 1.4.13) 

Since then checks of some HTTPS servers failed with the error
  "HTTP CRITICAL - Error on receive"

A detailed analysis and comparison with the older version (1.4.12) revealed the following:

For testing we used the plugin on the Linux shell (Debian sid) like this:
/usr/lib/nagios/plugins/check_http -4 --ssl -v \
                                   -H <testip> -I <testip>

A TCP connection from the nagios host to the webserver was opened with the normal TCP handshakes.
After that the nagios-plugin sends its first SSL handshake packet ("Client Hello") to the webserver, which is answered by a TCP-FIN packet to close the connection. The webserver logs a message indicating that the SSL compression method of the client is not supported.

I analysed the SSL protocol and found that the old plugin does NOT include a compression method in its "Client Hello" message while the new one does.

The SSL Client Hello packet of the NEW plugin, decoded by Wireshark, looks like this:

---snip----
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 109
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 105
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Jul 24, 2009 13:42:28.000000000
                random_bytes: 2930D11FA4...
            Session ID Length: 0
            Cipher Suites Length: 38
            Cipher Suites (19 suites)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
            Compression Methods Length: 2
            Compression Methods (2 methods)
                Compression Method: DEFLATE (1)
                Compression Method: null (0)
            Extensions Length: 25
            Extension: server_name
                Type: server_name (0x0000)
                Length: 17
                Data (17 bytes)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
---snip----
 
While the SSL Client Hello packet of the old plugin looks like this:

---snip----
Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 116
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 75
        Session ID Length: 0
        Challenge Length: 32
        Cipher Specs (25 specs)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
            Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
            Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
        Challenge
---snip----

As you can see, with no compression method field.

We had no problems with version 1.4.12, but since 1.4.13 we have the described problems with some
servers, primarily with older servers and appliances using HTTPS.
There are no problems against Apache servers.

- Steffen
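The two Wireshark decodes above differ in record format as well as content: the new plugin sends a TLS record (content type 22) whose ClientHello carries a Compression Methods field, while the old plugin sends an SSLv2-format CLIENT-HELLO, which has no such field at all. The following parser, added here as an illustration and not part of the bug report or of nagios-plugins, builds constructed sample hellos in both formats and extracts the version, cipher suites and (where present) compression methods, so that a defender capturing a failing handshake can tell from the first packet whether the client advertised DEFLATE. Helper names and the sample data are assumptions made for the example.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type "Handshake"
CLIENT_HELLO = 0x01       # handshake message type "Client Hello"
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}


def build_tls_client_hello(cipher_suites, compression_methods, extensions=b""):
    """Build a TLS 1.0 record carrying a ClientHello (constructed sample data)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"      # client_version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(cipher_specs):
    """Build an SSLv2-format CLIENT-HELLO (constructed sample); it carries no compression field."""
    specs = b"".join(s.to_bytes(3, "big") for s in cipher_specs)   # SSLv2 cipher specs are 3 bytes
    challenge = bytes(32)
    body = (bytes([CLIENT_HELLO]) + b"\x03\x01" + struct.pack("!H", len(specs))
            + struct.pack("!H", 0) + struct.pack("!H", len(challenge)) + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body            # 2-byte header, high bit set


def parse_client_hello(data):
    """Return a dict with record format, version, cipher suites and compression methods."""
    if data[0] & 0x80:
        # SSLv2 record header: high bit set, 15-bit length, no content type byte
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if body[0] != CLIENT_HELLO:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version = struct.unpack("!H", body[1:3])[0]
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        # The SSLv2 hello layout ends with session id and challenge; there is no compression list.
        return {"format": "sslv2", "version": version, "cipher_suites": suites,
                "compression_methods": None}
    if data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    pos += 1
    methods = list(body[pos:pos + cm_len])
    pos += cm_len
    return {"format": "tls", "version": version, "cipher_suites": suites,
            "compression_methods": methods, "has_extensions": pos < len(body)}


def offers_compression(hello):
    """True when the hello advertises any compression method other than null."""
    methods = hello["compression_methods"]
    return bool(methods) and any(m != 0 for m in methods)


def describe(hello):
    """One-line summary suitable for a capture triage note."""
    methods = hello["compression_methods"]
    names = "none (SSLv2 hello)" if methods is None else \
        ", ".join(COMPRESSION_NAMES.get(m, hex(m)) for m in methods)
    return "%s hello, version 0x%04x, %d suites, compression: %s" % (
        hello["format"], hello["version"], len(hello["cipher_suites"]), names)


if __name__ == "__main__":
    # Constructed samples mirroring the two captures: new-style TLS hello offering DEFLATE+null,
    # old-style SSLv2 hello with no compression field.
    print(describe(parse_client_hello(build_tls_client_hello([0x0039, 0x002F], [1, 0]))))
    print(describe(parse_client_hello(build_sslv2_client_hello([0x000039, 0x0700C0]))))
```

Run against a real capture, feed the first TLS record of the client-to-server stream to `parse_client_hello`; `offers_compression` returning true is the condition the bug report associates with the server closing the connection. It is also a setting a defender wants flagged in its own right: TLS-level compression was later shown to leak plaintext and modern TLS stacks disable it by default, so a monitoring client should offer only the null method regardless of what the server tolerates.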

----------------------------------------------------------------------

>Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-08-11 09:20

Message:
From IRC:

<spy6> dermoth: stable: 0.9.8g-15+lenny3 and on unstable actually
0.9.8k-3
<spy6> dermoth: you can also have a look at
http://packages.debian.org/openssl

----------------------------------------------------------------------

Comment By: Jan Wagner (cyco_dd)
Date: 2009-08-05 14:56

Message:
> Obviously. As far as I can see it seems like a problem with the specific
> OpenSSL package in debian, so unless you can come up with an openssl
> version to test with I can't do much in terms of debugging (I check many
> SSL-enabled sites, and also have multiple succeeding tests on my tinderbox
> and dev workstation).

I rolled out the package recompiled against stable on our monitoring
infrastructure. So far we don't have any problems with our SSL-enabled
sites there. But maybe these are all Apache webservers, which were stated
as still working by the initial bug report. So we need to be supplied with
publicly available test sites, where we can reproduce the problem (by using
the debian package from sid and maybe the lenny backported one and the one
from stable).

Steffen: please supply such an SSL site if possible.

> > > You shouldn't expect high stability out of debian Sid.
> >
> > Why not? Packages uploaded to sid (and migrating later to testing) are
> > considered to be released in the next stable release.
>
> Then it is strange that Nagios-plugins has been updated to a git HEAD.
> What makes matters worse is that users often aren't well aware of the
> development process and in this case it was reported against 1.4.13. When
> I looked at differences between 1.4.12 and 1.4.13 I was obviously missing
> a lot of patches.

Reasons were stated for example at
http://blog.waja.info/2009/07/07/nagios-plugins-1413git200906171200-1-uploaded/

> > From Debian's point of view, this is absolutely necessary to reproduce
> > this bug (and maybe fixing, if needed).
> 
> Could you at least check that latest sid is not affected on random SSL
> sites. If it's only specific to certain setups and/or web servers then
> at least it's not as critical.

I've tested the following server on stable and sid:

Server: Microsoft-IIS/7.0
Server: lighttpd/1.4.19
Server: nginx/0.7.60
Server: Apache

No problem so far.

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-08-05 09:15

Message:
> > Well, then first of all you should have reported this against debian's
> > bug database (if you already did please link the bug #). It could be a
> > debian-specific bug.
> 
> Maybe and maybe not. :)

Obviously. As far as I can see it seems like a problem with the specific
OpenSSL package in debian, so unless you can come up with an openssl
version to test with I can't do much in terms of debugging (I check many
SSL-enabled sites, and also have multiple succeeding tests on my tinderbox
and dev workstation).

> > It also looks like your package is based on a development version with
> > known bugs.
> 
> You were discussing a release months ago. So I guessed that it would be
> released "soon" (and is some kind of stable).

A bunch of things went in since then...  And we could have sent a release
with the last blocker bug before I discovered it (check_snmp regression)
but I'm sure it would have been discovered very quickly and we'd have to
make a 2nd release to fix it.

> > You shouldn't expect high stability out of debian Sid.
> 
> Why not? Packages uploaded to sid (and migrating later to testing) are
> considered to be released in the next stable release.

Then it is strange that Nagios-plugins has been updated to a git HEAD.
What makes matters worse is that users often aren't well aware of the
development process and in this case it was reported against 1.4.13. When I
looked at differences between 1.4.12 and 1.4.13 I was obviously missing a
lot of patches.

> > Finally it would be *very* helpful if you can reproduce this on an
> > external http web site so I can test as well.
> 
> From Debian's point of view, this is absolutely necessary to reproduce
> this bug (and maybe fixing, if needed).

Could you at least check that latest sid is not affected on random SSL
sites. If it's only specific to certain setups and/or web servers then at
least it's not as critical.

Thanks

----------------------------------------------------------------------

Comment By: Jan Wagner (cyco_dd)
Date: 2009-08-05 05:31

Message:
> Well, then first of all you should have reported this against debian's
> bug database (if you already did please link the bug #). It could be a
> debian-specific bug.

Maybe and maybe not. :)

> It also looks like your package is based on a development version with
> known bugs.

You were discussing a release months ago. So I guessed that it would be
released "soon" (and is some kind of stable).

> You shouldn't expect high stability out of debian Sid.

Why not? Packages uploaded to sid (and migrating later to testing) are
considered to be released in the next stable release.

> Finally it would be *very* helpful if you can reproduce this on an
> external http web site so I can test as well.

From Debian's point of view, this is absolutely necessary to reproduce this
bug (and maybe fixing, if needed).

With kind regards, Jan.

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-08-05 00:42

Message:
Well, then first of all you should have reported this against debian's bug
database (if you already did please link the bug #). It could be a
debian-specific bug.

It also looks like your package is based on a development version with
known bugs. You shouldn't expect high stability out of debian Sid.

Finally it would be *very* helpful if you can reproduce this on an
external http web site so I can test as well.

Thanks

----------------------------------------------------------------------

Comment By: Steffen (steffencl)
Date: 2009-07-27 14:58

Message:
We use Debian "sid".
OpenSSL was before the update and still is version 0.9.8k 25 Mar 2009

According to Debian's update log the following has changed:
[UPGRADE] nagios-nrpe-plugin 2.12-3 -> 2.12-3.1
[UPGRADE] nagios-plugins 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios-plugins-basic 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios-plugins-standard 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios3 3.0.6-4 -> 3.0.6-5
[UPGRADE] nagios3-common 3.0.6-4 -> 3.0.6-5
[UPGRADE] nagios3-doc 3.0.6-4 -> 3.0.6-5

Since we use packages provided by or for the distribution in use, we do
not compile but use the package manager of the distribution (here Debian
sid).

- Steffen

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-07-24 21:51

Message:
Hi, and thanks for your report.

I checked the change logs between these two releases and there's absolutely
no difference between 1.4.12 and 1.4.13 that could explain this (the only
change that affects what check_http sends is that it doesn't send the
default port anymore on the Host: line - RFC 2616).

My best guess would be a change in your OpenSSL installation. Can you try
recompiling 1.4.12 from scratch (don't re-use your previous compile tree)?

It would also be nice to know:
- Your configure parameters
- Your OpenSSL version
- An externally accessible server to test with, if possible.

Thanks

----------------------------------------------------------------------
