Nagios SSL Checks on KEMP Loadmaster

scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: Nagios SSL Checks on KEMP Loadmaster

Post by scheema31 »

Thanks tgriep, but unfortunately updating the plugin to version 2.1.1 did not resolve the issue.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios SSL Checks on KEMP Loadmaster

Post by rkennedy »

Please show us the full commands you're running in the terminal; a screenshot will help as well.
The above will help us replicate this on our end to see what's going on with TLS exactly.
Former Nagios Employee
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: Nagios SSL Checks on KEMP Loadmaster

Post by scheema31 »

Here is the command I'm using:
[root@myserver /]# /usr/local/nagios/libexec/check_http -S --ssl=1.2 -H www.mysite.com
CRITICAL - Cannot make SSL connection.

And I've tried using --ssl=1.1, 1.1+, 1.2, 1.2+
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios SSL Checks on KEMP Loadmaster

Post by rkennedy »

Could you upgrade your nagios plugins to 2.1.2? This was released a short time ago, and made a fix to TLS specifically. I think you might be running into an issue where it wasn't letting you specify the SSL version properly.
- The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2" to force TLSv1.1 and TLSv1.2 connections, respectively
- The check_http -S/--ssl option now allows for specifying the desired protocol with a "+" suffix to also accept newer versions
https://www.nagios.org/downloads/nagios-plugins/
Former Nagios Employee
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: Nagios SSL Checks on KEMP Loadmaster

Post by scheema31 »

Okay, I've updated the plugin to nagios-plugins-2.1.2 and I'm getting a different error...

Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.1 -H www.mysite.com
Response - UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.

Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.2 -H www.mysite.com
Response - UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.

Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.1 -H www.mysite.com
Response - CRITICAL - Cannot make SSL connection.
1595:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:269:

And I have confirmed that TLS 1.1 and 1.2 are enabled on the load balancer; it's just 1.0 that is disabled.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios SSL Checks on KEMP Loadmaster

Post by rkennedy »

Does your SSL support TLS1.1/1.2 on the Nagios machine? Please post the output of the following - openssl s_client -connect google.com:443 -tls1_2 (also, please run it against your site as well and post the output)

This should help us track down where the version issue is.
Former Nagios Employee
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: Nagios SSL Checks on KEMP Loadmaster

Post by scheema31 »

Thanks rkennedy,

Here is the output from checking both your URL and my site:

Command - # openssl s_client -connect google.com:443 -tls1_2
Response - unknown option -tls1_2
usage: s_client args

Command - # openssl s_client -connect mysite.com:443 -tls1_2
Response - unknown option -tls1_2
usage: s_client args

So I tried just tls_1 and I'm getting a different response for my site and google.com:

Command - # openssl s_client -connect google.com:443 -tls1
Response - CONNECTED(00000003)
...more detailed certificate/ssl info

Command - openssl s_client -connect mysite.com:443 -tls1
Response - CONNECTED(00000003)
write:errno=104

Thanks
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios SSL Checks on KEMP Loadmaster

Post by rkennedy »

If tls1_2 does not work, then neither will check_http trying to use tls1.2. Your Nagios machine does not have support for it. You'll most likely need to upgrade openssl, and then I assume the check will work as well.

[root@localhost python]# openssl s_client -connect google.com:443 -tls1_2
CONNECTED(00000003)

[root@localhost python]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Former Nagios Employee
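
The diagnosis in the post above can be scripted. The following is an added example, not code from the thread or from the Nagios plugins, and its function names are hypothetical: one helper decides from an `openssl version` string whether the local library is new enough for TLS 1.1/1.2 (support arrived with OpenSSL 1.0.1), the other maps the error lines quoted in this thread to the side that needs attention.

```shell
#!/bin/sh
# Added example: triage helpers for the failures shown in this thread.

# Exit 0 if an `openssl version` string is 1.0.1 or newer (first OpenSSL
# series with TLS 1.1/1.2), 1 if older, 2 if it is not an OpenSSL string.
openssl_has_tls12() {
    case $1 in
        "OpenSSL "[0-9]*) ;;
        *) return 2 ;;
    esac
    ver=${1#OpenSSL }; ver=${ver%% *}        # e.g. 0.9.8e-fips-rhel5
    major=${ver%%.*};  rest=${ver#*.}        # 0 and 9.8e-fips-rhel5
    minor=${rest%%.*}; patch=${rest#*.}      # 9 and 8e-fips-rhel5
    # Drop letter suffixes such as "e-fips" so the numbers compare cleanly.
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    if   [ "${major:-0}" -gt 1 ]; then return 0
    elif [ "${major:-0}" -lt 1 ]; then return 1
    elif [ "${minor:-0}" -gt 0 ]; then return 0
    else [ "${patch:-0}" -ge 1 ]
    fi
}

# Print which side a single line of check_http / s_client output points at.
tls_failure_side() {
    case $1 in
        *"is not supported by your SSL library"*|\
        *"no protocols available"*|\
        *"unknown option -tls1"*)
            echo client ;;   # local OpenSSL cannot offer the requested version
        *"errno=104"*)
            echo peer ;;     # ECONNRESET on Linux: remote end dropped the handshake
        *)
            echo unknown ;;  # e.g. a bare "Cannot make SSL connection."
    esac
}

# Version strings and messages copied from the posts in this thread.
for v in "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" "OpenSSL 1.0.1e-fips 11 Feb 2013"; do
    if openssl_has_tls12 "$v"; then echo "TLS 1.2 capable: $v"
    else echo "no TLS 1.1/1.2:  $v"; fi
done
tls_failure_side "UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."
tls_failure_side "write:errno=104"
```

On the monitoring host itself, `openssl_has_tls12 "$(openssl version)"` gives the same answer for the installed library.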
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: Nagios SSL Checks on KEMP Loadmaster

Post by scheema31 »

Sounds like a plan!
My current version is definitely older:
Command - # openssl version
Response - OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

How would I go about updating openssl on my Linux Red Hat server?

Thanks,
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios SSL Checks on KEMP Loadmaster

Post by rkennedy »

scheema31 wrote:
> Sounds like a plan!
> My current version is definitely older:
> Command - # openssl version
> Response - OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>
> How would I go about updating openssl on my Linux Red Hat server?
>
> Thanks,

yum install openssl -y should work, but it could vary depending on how it was originally installed.
Former Nagios Employee