[Nagiosplug-devel] [ nagiosplug-Patches-3612263 ] Expanded SSL Version Selection; Example Use in check_http
SourceForge.net
noreply at sourceforge.net
Tue Apr 30 12:38:02 CEST 2013
Patches item #3612263, was opened at 2013-04-30 03:38
Message generated for change (Tracker Item Submitted) made by j-bern
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=3612263&group_id=29880
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Enhancement
Group: release-1.4.16
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: J. Bern (j-bern)
Assigned to: Nobody/Anonymous (nobody)
Summary: Expanded SSL Version Selection; Example Use in check_http
Initial Comment:
I had a problem today which seems to have been reported in more or less similar fashion in the bug tracker several times: Misunderstandings between check_http and server implementations that do not support specific SSL/TLS versions. (In my case, the server is a web app running in a CentOS 6 Tomcat 7 and refuses standard check_http requests because of SSLv2 being enabled.)
I noted that the current (1.4.16) options do *not* allow to disable SSLv2 but leave *both* SSLv3 and TLSv1 enabled - so I added negative values to do just that into sslutils.c and (as an example case) check_http.c. Note that I didn't guard against old OpenSSL versions which may not have the required options ...
[root at nagios nagios-plugins-1.4.16b]# plugins/check_http --ssl $PARAMS
CRITICAL - Cannot make SSL connection.
23666:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
[root at nagios nagios-plugins-1.4.16b]# for SSLVER in 3 2 1 -1 -2 -3 ; do plugins/check_http --ssl=$SSLVER $PARAMS 2>&1 | sed -e "s/^/$SSLVER /" ; done
3 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,070 second response time |time=0,069910s;;;0,000000 size=338B;;;0
2 CRITICAL - Cannot make SSL connection.
1 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,057 second response time |time=0,056833s;;;0,000000 size=338B;;;0
-1 CRITICAL - Cannot make SSL connection.
-1 19823:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
-2 HTTP OK: HTTP/1.1 200 OK - 338 bytes in 0,061 second response time |time=0,061420s;;;0,000000 size=338B;;;0
-3 CRITICAL - Cannot make SSL connection.
-3 19827:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397599&aid=3612263&group_id=29880
More information about the Devel
mailing list