Nagios SSL Checks on KEMP Loadmaster

[scheema31]

Hi,

i have a KEMP virtual loadmaster that run ssl enabled virtual service.
i am using the check_https command to check SSL connection to the website.
all was working fine until we made a change on the loadmaster, we disabled TLSv1.0 but left TLSv1.1 and 1.2 enabled, SSLv3 was already disabled.
so i made a change to my command on nagios to use TLSv1.1 and 1.2 by adding the argument "-S --ssl=1.1" and also tried "-S --ssl=1.2"
but i just keep getting a "Cannot make SSL connection"
doing just a simple HTTP check works fine.
thanks,

[mcapra]

This issue might be related to the one in this thread:
https://support.nagios.com/forum/viewto ... =6&t=37070

From the guy who maintains check_http:

The code that handles the ssl version switch is a little bit flaky. Try setting it to either --ssl=1+ (include the plus sign at the end) or preferably --ssl=1.1+ or --ssl=1.2+. Forcing it to use TLSv1 only is probably not a good idea.

You also might try the solution found by @as300182
https://support.nagios.com/forum/viewto ... 10#p184982

[scheema31]

just tried that but still getting "cannot make SSL connection)
here is the exact command im using: # /usr/local/nagios/libexec/check_http -S --ssl=1.2+ -H mywebsite.com (if i take away the "-S" option then HTTP check are successful)

[mcapra]

Can you run check_http in verbose mode and share the output? Add the -v flag to the end of your command.

[scheema31]

adding -V to end of that command doesn't seem to wanna give me much info just returns the version check_http v2.0.3 (nagios-plugins 2.0.3)

thanks

[mcapra]

Can you try a lower-case -v?

[scheema31]

yep i did try that as well, but that give NO output.
ive tried all combinations of adding --ssl=(1.1,1.2,1.1+,1.2+)

[rkennedy]

Please show us the full commands you're running in the terminal, a screenshot will help as well.

I just tried to replicate this, and was unable to. It works on my end, using the same version of plugins that you are, against google as an example.

Code: Select all

[root@localhost libexec]# /usr/local/nagios/libexec/check_http -S --ssl=1.2+ -H google.com

and, with verbosity -

Code: Select all

HTTP OK: HTTP/1.1 301 Moved Permanently - 666 bytes in 0.117 second response time |time=0.116545s;;;0.000000 size=666B;;;0
[root@localhost libexec]# /usr/local/nagios/libexec/check_http -S --ssl=1.2+ -H google.com -v
GET / HTTP/1.1
User-Agent: check_http/v2.0.3 (nagios-plugins 2.0.3)
Connection: close
Host: google.com
Accept: */*


https://google.com:443/ is 666 characters
STATUS: HTTP/1.1 301 Moved Permanently
**** HEADER ****
Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Jul 2016 14:36:27 GMT
Expires: Sat, 20 Aug 2016 14:36:27 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32,31,30,29,28,27,26,25"
Connection: close
**** CONTENT ****
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

HTTP OK: HTTP/1.1 301 Moved Permanently - 666 bytes in 0.115 second response time |time=0.115152s;;;0.000000 size=666B;;;0
[root@localhost libexec]#

[scheema31]

yes i get that to work as well.
the problem here is making checks on Kemp Loadmaster, we disabled TLS1.0 and that's when it stopped making checks, we then tested it by enabling TLS1.0 on Kemp and nagios passed the checks.
so im not sure why its trying to make TLS1.0 checks even though i specified the --ssl parameter.

[tgriep]

Are you running the latest version of the plugins?
Try upgrading and see if that helps.
https://www.nagios.org/downloads/nagios-plugins/