[Nagiosplug-devel] [ nagiosplug-Bugs-2555782 ] check_imap fails with SSL3
SourceForge.net
noreply at sourceforge.net
Tue Apr 12 18:18:51 CEST 2011
Bugs item #2555782, was opened at 2009-02-01 11:48
Message generated for change (Comment added) made by omnipotus
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2555782&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Jan Wagner (cyco_dd)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_imap fails with SSL3
Initial Comment:
The following Bugreport we got against the ubuntu package:
imaps service on an Gutsy Server fails with CRITICAL - Cannot make SSL connection
Checking imaps on a Debian Sarge still works.
Both running courier-imap-ssl with SSL3
Verbose Output
Using service IMAP
Port: 143
flags: 0x7
CRITICAL - Cannot make SSL connection
26820:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
and later ...
The imap-server expect a ssl-connect SSLv3 (TLS_PROTOCOL=SSL3) and the check_imap try to connect with SSLv2.
After changing the imap-server to SSLv2, everything works fine with nagios, but the most clients cannot connect due to recommended security-settings (no SSLv2-use) anymore.
Best way would be a new parameter to select the protocol-version (SSLv2, SSLv3, TLSv1).
You can track the bug at https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/155699
Thanks, Jan.
----------------------------------------------------------------------
Comment By: Jason A. Lunn (omnipotus)
Date: 2011-04-12 12:18
Message:
FYI,
Today I submitted a patch (3285367) that addresses a similar issue for
check_http; the patch allows the connection function within sslutils.c to
take a version argument that controls the SSL protocol version. It
currently defaults to the current behavior (auto-negotiation), and supports
TLSv1, SSLv2 and SSLv3.
This might serve as a basis for another patch to add similar arguments to
check_imap
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2555782&group_id=29880
More information about the Devel
mailing list