[Nagiosplug-devel] [ nagiosplug-Bugs-2826570 ] check_http 1.4.13 does not work with some HTTPS servers

SourceForge.net noreply at sourceforge.net
Mon Jul 27 20:58:22 CEST 2009


Bugs item #2826570, was opened at 2009-07-24 15:37
Message generated for change (Comment added) made by steffencl
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Steffen (steffencl)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: check_http 1.4.13 does not work with some HTTPS servers

Initial Comment:
Hello,

we recently made a nagios-plugin update which introduced
  check_http v1.4.13 (nagios-plugins 1.4.13) 

Since then checks of some HTTPS-servers faild with the error
  "HTTP CRITICAL - Error on receive"

A detailed analysis and comparison with older version (1.4.12) revealed the following:

For testing we used the plugin on the Linux shell (Debian sid) like this:
/usr/lib/nagios/plugins/check_http -4 --ssl -v \
                                   -H <testip> -I <testip>

A tcp-connection from the nagios host to the webserver was opened with the normal TCP-handshakes.
After that the nagios-plugin sends it's first SSL handshake packet ("Client Hello") to the webserver which is answered by a TCP-FIN packet to close the connection. The webserver logs a message indicating that the SSL compression method of the client is not supported.

I analysed the SSL protocol and found that the old plugin does NOT include a compression method in it's "Client Hello" message while the new one does.

The SSL Client Hello Packed decoded by whireshark of the NEW plugin looks like this:

---snip----
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 109
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 105
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Jul 24, 2009 13:42:28.000000000
                random_bytes: 2930D11FA4...
            Session ID Length: 0
            Cipher Suites Length: 38
            Cipher Suites (19 suites)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
                              (0x0014)
                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
                              (0x0011)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
            Compression Methods Length: 2
            Compression Methods (2 methods)
                Compression Method: DEFLATE (1)
                Compression Method: null (0)
            Extensions Length: 25
            Extension: server_name
                Type: server_name (0x0000)
                Length: 17
                Data (17 bytes)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
---snip----
 
While the SSL Client Hello Packed of an old plugin looks like this:

---snip----
Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 116
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 75
        Session ID Length: 0
        Challenge Length: 32
        Cipher Specs (25 specs)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
            Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
            Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
        Challenge
---snip----

As you see with no compression method field.

We had no problems with version 1.4.12, but since 1.4.13 we have the described problems with some
servers, primary with older servers and appliences useing HTTPS.
There are no problems against apache servers.

- Steffen

----------------------------------------------------------------------

>Comment By: Steffen (steffencl)
Date: 2009-07-27 20:58

Message:
We use Debian "sid".
OpenSSL was before the update and still is verion 0.9.8k 25 Mar 2009

According to Debian's update log the following has changed:
[UPGRADE] nagios-nrpe-plugin 2.12-3 -> 2.12-3.1
[UPGRADE] nagios-plugins 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios-plugins-basic 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios-plugins-standard 1.4.12-5 -> 1.4.13+git200906171200-1
[UPGRADE] nagios3 3.0.6-4 -> 3.0.6-5
[UPGRADE] nagios3-common 3.0.6-4 -> 3.0.6-5
[UPGRADE] nagios3-doc 3.0.6-4 -> 3.0.6-5

Since we use packages of provided by or for the used distribution, we do
not compile but use the packagetmanager of the distribution (here Debian
sid).

- Steffen

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-07-25 03:51

Message:
Hi, and thanks for your report.

I checked the change logs between these two release and there's absolutely
no difference between 1.4.12 and 1.4.13 that could explain this (the only
change that affects what check_http sends is that is doesn't send the
defaut port anymore on the Host: line - RFC 2616).

My best guess would be a change in your OpenSSL installation. Can you try
recompiling 1.4.12 from scratch (don't re-use your previous compile tree)?

It would also be nice to know:
- Your configure parameters
- Your OpenSSL version
- An externally accessible server to test with, if possible.

Thanks

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2826570&group_id=29880




More information about the Devel mailing list