Nagios SSL Checks on KEMP Loadmaster
Re: Nagios SSL Checks on KEMP Loadmaster
Thanks tgriep, but unfortunately updating the plugin to version 2.1.1 did not resolve the issue.
Re: Nagios SSL Checks on KEMP Loadmaster
The above will help for us to replicate on our end to see what's going on with TLS exactly. Please show us the full commands you're running in the terminal, a screenshot will help as well.
Former Nagios Employee
Re: Nagios SSL Checks on KEMP Loadmaster
Here is the command I'm using:
[root@myserver /]# /usr/local/nagios/libexec/check_http -S --ssl=1.2 -H www.mysite.com
CRITICAL - Cannot make SSL connection.
And I've tried using --ssl=1.1, 1.1+, 1.2, 1.2+
Re: Nagios SSL Checks on KEMP Loadmaster
Could you upgrade your nagios plugins to 2.1.2? This was released a short time ago, and made a fix to TLS specifically. I think you might be running into an issue where it wasn't letting you specify the SSL version properly.
https://www.nagios.org/downloads/nagios-plugins/
- The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2" to force TLSv1.1 and TLSv1.2 connections, respectively
- The check_http -S/--ssl option now allows for specifying the desired protocol with a "+" suffix to also accept newer versions
Former Nagios Employee
Re: Nagios SSL Checks on KEMP Loadmaster
Okay, I've updated the plugin to nagios-plugins-2.1.2 and I'm getting a different error...
Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.1 -H www.mysite.com
Response - UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.
Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.2 -H www.mysite.com
Response - UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.
Command - # /usr/local/nagios/libexec/check_http -S --ssl=1.1 -H www.mysite.com
Response - CRITICAL - Cannot make SSL connection.
1595:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:269:
And I have confirmed that TLS 1.1 AND 1.2 are enabled on the loadbalancer, it's just 1.0 that is disabled.
Re: Nagios SSL Checks on KEMP Loadmaster
Does your SSL support TLS1.1/1.2 on the Nagios machine? Please post the output of the following - openssl s_client -connect google.com:443 -tls1_2 (also, please run it against your site as well and post the output)
This should help us track down where the version issue is.
Former Nagios Employee
Re: Nagios SSL Checks on KEMP Loadmaster
thanks rkennedy,
Here is the output from checking both your URL and my site:
Command - # openssl s_client -connect google.com:443 -tls1_2
Response - unknown option -tls1_2
usage: s_client args
Command - # openssl s_client -connect mysite.com:443 -tls1_2
Response - unknown option -tls1_2
usage: s_client args
So I tried just tls_1: getting a different response for my site and google.com
Command - # openssl s_client -connect google.com:443 -tls1
Response - CONNECTED(00000003)
...more detailed certificate/ssl info
Command - openssl s_client -connect mysite.com:443 -tls1
Response - CONNECTED(00000003)
write:errno=104
Thanks
Re: Nagios SSL Checks on KEMP Loadmaster
If tls1_2 does not work, then neither will check_http trying to use tls1.2. Your Nagios machine does not have support for it. You'll most likely need to upgrade openssl, and then I assume the check will work as well.
[root@localhost python]# openssl s_client -connect google.com:443 -tls1_2
CONNECTED(00000003)
[root@localhost python]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Former Nagios Employee
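Added example (not part of any post in this thread, and not Nagios code): a shell helper that separates the two failure causes seen above, a local OpenSSL too old to offer TLS 1.2 versus a connection reset by the remote end. The function names are hypothetical; the assumptions are that TLS 1.1/1.2 support starts with OpenSSL 1.0.1 and that errno 104 is ECONNRESET on Linux.

```shell
#!/bin/sh
# Added example: triage a failing TLS-pinned check_http before blaming the server.

# openssl_supports_tls12 "<output of 'openssl version'>"
# returns 0 = can offer TLS 1.2, 1 = too old (0.9.8 / 1.0.0), 2 = banner not parseable
openssl_supports_tls12() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; } && return 0
    return 1
}

# classify_tls_failure "<combined output of check_http or openssl s_client>"
# Maps the messages quoted in this thread to where the problem sits.
classify_tls_failure() {
    case "$1" in
        *"unknown option -tls1"*|*"not supported by your SSL library"*|*"no protocols available"*)
            echo local-library ;;   # the monitoring host cannot speak the version
        *"errno=104"*)
            echo remote-reset ;;    # peer dropped the connection after TCP connect
        *)
            echo unclassified ;;
    esac
}

# triage_host <hostname>: live check, only run when called explicitly.
triage_host() {
    if openssl_supports_tls12 "$(openssl version)"; then
        out=$(openssl s_client -connect "$1:443" -tls1_2 </dev/null 2>&1) || true
        classify_tls_failure "$out"
    else
        echo local-library
    fi
}
```

A "local-library" result means the fix is on the Nagios host (newer OpenSSL, then rebuild the plugins against it), not on the load balancer.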
Re: Nagios SSL Checks on KEMP Loadmaster
Sounds like a plan!
My current version is definitely older:
Command - # openssl version
Response - OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
How would I go about updating openssl on my Linux Red Hat server?
Thanks,
Re: Nagios SSL Checks on KEMP Loadmaster
yum install openssl -y should work, but it could vary depending on how it was originally installed.
scheema31 wrote:
sounds like a plan!
my current version is definitely older:
Command - # openssl version
Response - OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
how would i go about updating openssl on my Linux Red Hat server.
Thanks,
Former Nagios Employee