[Nagiosplug-devel] [ nagiosplug-Bugs-2555782 ] check_imap fails with SSL3

SourceForge.net noreply at sourceforge.net
Tue Apr 12 18:18:51 CEST 2011


Bugs item #2555782, was opened at 2009-02-01 11:48
Message generated for change (Comment added) made by omnipotus
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2555782&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Jan Wagner (cyco_dd)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_imap fails with SSL3

Initial Comment:
We got the following bug report against the Ubuntu package:

The imaps service on a Gutsy server fails with CRITICAL - Cannot make SSL connection
Checking imaps on a Debian Sarge still works.

Both are running courier-imap-ssl with SSL3
Verbose Output

Using service IMAP
Port: 143
flags: 0x7
CRITICAL - Cannot make SSL connection
26820:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

and later ...

The IMAP server expects an SSLv3 connection (TLS_PROTOCOL=SSL3) and check_imap tries to connect with SSLv2.

After changing the IMAP server to SSLv2, everything works fine with Nagios, but most clients can no longer connect due to recommended security settings (no SSLv2 use).

The best way would be a new parameter to select the protocol version (SSLv2, SSLv3, TLSv1).

You can track the bug at https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/155699

Thanks, Jan.

----------------------------------------------------------------------

Comment By: Jason A. Lunn (omnipotus)
Date: 2011-04-12 12:18

Message:
FYI,
Today I submitted a patch (3285367) that addresses a similar issue for
check_http; the patch allows the connection function within sslutils.c to
take a version argument that controls the SSL protocol version. It
currently defaults to the current behavior (auto-negotiation), and supports
TLSv1, SSLv2 and SSLv3.
This might serve as a basis for another patch to add similar arguments to
check_imap.

----------------------------------------------------------------------
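
For triaging output like the verbose log in the initial comment, the following added example (not part of the tracker thread or the nagios-plugins code) splits an OpenSSL error-queue line into its fields and unpacks the hex code. It assumes the packing used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason); the names `parse_entries` and `failed_at_server_hello` are hypothetical.

```python
import re
from typing import List, NamedTuple

# Layout of one printed error-queue entry:
#   pid:error:HEXCODE:library:function:reason:file:line:optional data
_ENTRY = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

class QueueEntry(NamedTuple):
    pid: int
    lib_id: int      # bits 24-31 of the packed code (assumed pre-3.0 layout)
    func_id: int     # bits 12-23
    reason_id: int   # bits 0-11
    library: str
    function: str
    reason: str
    source: str      # file:line inside OpenSSL that raised the error

def parse_entries(output: str) -> List[QueueEntry]:
    """Return every error-queue entry in plugin output; other lines are skipped."""
    found = []
    for raw in output.splitlines():
        m = _ENTRY.match(raw.strip())
        if m is None:
            continue
        code = int(m["code"], 16)
        found.append(QueueEntry(
            pid=int(m["pid"]),
            lib_id=(code >> 24) & 0xFF,
            func_id=(code >> 12) & 0xFFF,
            reason_id=code & 0xFFF,
            library=m["lib"], function=m["func"], reason=m["reason"],
            source=f"{m['file']}:{m['line']}",
        ))
    return found

def failed_at_server_hello(entry: QueueEntry) -> bool:
    """True when the client could not interpret the server's first handshake reply."""
    return entry.library == "SSL routines" and entry.function.endswith("GET_SERVER_HELLO")

# Verbose output copied from the report above.
SAMPLE = """\
Using service IMAP
Port: 143
flags: 0x7
CRITICAL - Cannot make SSL connection
26820:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e, failed_at_server_hello(e))
```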
