[Nagiosplug-devel] [ nagiosplug-Bugs-2826570 ] check_http 1.4.13 does not work with some HTTPS servers
SourceForge.net
noreply at sourceforge.net
Sat Jul 25 03:51:09 CEST 2009
Bugs item #2826570, was opened at 2009-07-24 09:37
Message generated for change (Comment added) made by dermoth
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Steffen (steffencl)
>Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: check_http 1.4.13 does not work with some HTTPS servers
Initial Comment:
Hello,
we recently made a nagios-plugin update which introduced
check_http v1.4.13 (nagios-plugins 1.4.13)
Since then checks of some HTTPS-servers faild with the error
"HTTP CRITICAL - Error on receive"
A detailed analysis and comparison with older version (1.4.12) revealed the following:
For testing we used the plugin on the Linux shell (Debian sid) like this:
/usr/lib/nagios/plugins/check_http -4 --ssl -v \
-H <testip> -I <testip>
A tcp-connection from the nagios host to the webserver was opened with the normal TCP-handshakes.
After that the nagios-plugin sends it's first SSL handshake packet ("Client Hello") to the webserver which is answered by a TCP-FIN packet to close the connection. The webserver logs a message indicating that the SSL compression method of the client is not supported.
I analysed the SSL protocol and found that the old plugin does NOT include a compression method in it's "Client Hello" message while the new one does.
The SSL Client Hello Packed decoded by whireshark of the NEW plugin looks like this:
---snip----
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 109
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 105
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Jul 24, 2009 13:42:28.000000000
random_bytes: 2930D11FA4...
Session ID Length: 0
Cipher Suites Length: 38
Cipher Suites (19 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
(0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
(0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Compression Methods Length: 2
Compression Methods (2 methods)
Compression Method: DEFLATE (1)
Compression Method: null (0)
Extensions Length: 25
Extension: server_name
Type: server_name (0x0000)
Length: 17
Data (17 bytes)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
---snip----
While the SSL Client Hello Packed of an old plugin looks like this:
---snip----
Secure Socket Layer
SSLv2 Record Layer: Client Hello
Length: 116
Handshake Message Type: Client Hello (1)
Version: TLS 1.0 (0x0301)
Cipher Spec Length: 75
Session ID Length: 0
Challenge Length: 32
Cipher Specs (25 specs)
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
Challenge
---snip----
As you see with no compression method field.
We had no problems with version 1.4.12, but since 1.4.13 we have the described problems with some
servers, primary with older servers and appliences useing HTTPS.
There are no problems against apache servers.
- Steffen
----------------------------------------------------------------------
>Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-07-24 21:51
Message:
Hi, and thanks for your report.
I checked the change logs between these two release and there's absolutely
no difference between 1.4.12 and 1.4.13 that could explain this (the only
change that affects what check_http sends is that is doesn't send the
defaut port anymore on the Host: line - RFC 2616).
My best guess would be a change in your OpenSSL installation. Can you try
recompiling 1.4.12 from scratch (don't re-use your previous compile tree)?
It would also be nice to know:
- Your configure parameters
- Your OpenSSL version
- An externally accessible server to test with, if possible.
Thanks
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880
More information about the Devel
mailing list