[Nagiosplug-devel] [ nagiosplug-Bugs-2826570 ] check_http 1.4.13 does not work with some HTTPS servers
SourceForge.net
noreply at sourceforge.net
Fri Jul 24 15:37:18 CEST 2009
Bugs item #2826570, was opened at 2009-07-24 15:37
Message generated for change (Tracker Item Submitted) made by steffencl
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Steffen (steffencl)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http 1.4.13 does not work with some HTTPS servers
Initial Comment:
Hello,
we recently made a nagios-plugin update which introduced
check_http v1.4.13 (nagios-plugins 1.4.13)
Since then checks of some HTTPS-servers faild with the error
"HTTP CRITICAL - Error on receive"
A detailed analysis and comparison with older version (1.4.12) revealed the following:
For testing we used the plugin on the Linux shell (Debian sid) like this:
/usr/lib/nagios/plugins/check_http -4 --ssl -v \
-H <testip> -I <testip>
A tcp-connection from the nagios host to the webserver was opened with the normal TCP-handshakes.
After that the nagios-plugin sends it's first SSL handshake packet ("Client Hello") to the webserver which is answered by a TCP-FIN packet to close the connection. The webserver logs a message indicating that the SSL compression method of the client is not supported.
I analysed the SSL protocol and found that the old plugin does NOT include a compression method in it's "Client Hello" message while the new one does.
The SSL Client Hello Packed decoded by whireshark of the NEW plugin looks like this:
---snip----
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 109
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 105
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Jul 24, 2009 13:42:28.000000000
random_bytes: 2930D11FA4...
Session ID Length: 0
Cipher Suites Length: 38
Cipher Suites (19 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
(0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
(0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Compression Methods Length: 2
Compression Methods (2 methods)
Compression Method: DEFLATE (1)
Compression Method: null (0)
Extensions Length: 25
Extension: server_name
Type: server_name (0x0000)
Length: 17
Data (17 bytes)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
---snip----
While the SSL Client Hello Packed of an old plugin looks like this:
---snip----
Secure Socket Layer
SSLv2 Record Layer: Client Hello
Length: 116
Handshake Message Type: Client Hello (1)
Version: TLS 1.0 (0x0301)
Cipher Spec Length: 75
Session ID Length: 0
Challenge Length: 32
Cipher Specs (25 specs)
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
Challenge
---snip----
As you see with no compression method field.
We had no problems with version 1.4.12, but since 1.4.13 we have the described problems with some
servers, primary with older servers and appliences useing HTTPS.
There are no problems against apache servers.
- Steffen
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880
More information about the Devel
mailing list