check_http cannot make ssl connection

[s.wiki]

Hi , I am trying to check_http but return this error.

Code: Select all

[root@ ]# /usr/local/nagios/libexec/check_http -H ipaddress -S -p 443
CRITICAL - Cannot make SSL connection.
139987061589864:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
139987061589864:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
[root@ ]#

Code: Select all

i have tested the port is opened.
[root@ ]# nmap 10.103.8.31 -p 443

Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-15 11:25 MYT
Nmap scan report for hostname.bank.com (ipaddress)
Host is up (0.00032s latency).
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[root@ ]#

check_http version,

Code: Select all

[root@]# ./check_http -V
check_http v2.2.1 (nagios-plugins 2.2.1)

I have tried to check_http myOwnNagiosIP -S -p 443 and it works. Any ideas?
Appreciate if you help. Thanks

[s.wiki]

on the agent side it is configured like this.

Code: Select all

; TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

could this be the issue?

[tgriep]

Can you run the command in verbose mode and post the output so we can view the errors?

Code: Select all

/usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv

What version of openssl is installed on the Nagios server?
Run the following as root and post the output.

Code: Select all

yum list installed |grep openssl
openssl version

Thanks

[s.wiki]

Can you run the command in verbose mode and post the output so we can view the errors?

Code: Select all

/usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv

What version of openssl is installed on the Nagios server?
Run the following as root and post the output.

Code: Select all

yum list installed |grep openssl
openssl version

Thanks

Hi, thank you for your reply. kindly check the output below

Code: Select all

[root@~]# /usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv
CRITICAL - Cannot make SSL connection.
140061322540904:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
140061322540904:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
SSL initialized
[root@~]#

Code: Select all

[root@~]# yum list |grep openssl
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
file:///mnt/rhel6.5/repodata/repomd.xml: [Errno 14] Could not open/read file:///mnt/rhel6.5/repodata/repomd.xml
Trying other mirror.
openssl.x86_64                          1.0.1e-15.el6                        @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openssl-devel.x86_64                    1.0.1e-15.el6                        @lr
krb5-pkinit-openssl.x86_64              1.10.3-10.el6_4.6                    lr
openssl.i686                            1.0.1e-15.el6                        lr
openssl-devel.i686                      1.0.1e-15.el6                        lr
openssl098e.i686                        0.9.8e-17.el6_2.2                    lr
openssl098e.x86_64                      0.9.8e-17.el6_2.2                    lr
[root@~]#

[tgriep]

After searching for that error, I am finding some links that are pointing to some bugs in the openssl and openssl-devel packages.
Can you upgrade those packages, recompile the check_http plugin and see if it resolves the issue?

You may also have to upgrade the remote server if it is running the same openssl package with the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1019390
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

[s.wiki]

Hi ,
Thanks alot for your assistance
I have update packages to version

openssl-devel-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64

and check_http is working now.

Thanks

[tgriep]

Your welcome. Glad it is working now.
I'll mark the post as solved and lock it up but if you have any questions in the future, feel free to open a new post.