[solved] check_smtp: TLS not supported by server (bug?)
Posted: Thu Jan 03, 2019 4:03 pm
I have Nagios Core running on a CentOS server, monitoring (among other things) TLS certs for Postfix, which is also running on a CentOS server.
Both the Nagios and Postfix servers were upgraded from CentOS 7.5 to CentOS 7.6. After the upgrade, check_smtp began reporting "WARNING - TLS not supported by server". Prior to the upgrade the check_smtp plugin was able to successfully test the TLS cert.
No changes have been made to the configuration of either server. Only a single "yum update" command was used to perform the upgrade on each server.
The command line I am using is:
Code:
check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org -S -D 21,7
This is the plugin output:
Code:
WARNING - TLS not supported by server
This is the plugin output if I add -v to the command line:
Code:
HELOCMD: EHLO mail2.nullmodem.org
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25
220 vps1.nullmodem.org ESMTP Postfix
WARNING - TLS not supported by server
sent QUIT
received 250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
My first guess was that the upgrade had actually broken TLS, and that check_smtp was reporting accurate results. However, testing the TLS connection with gnutls-cli shows that TLS *is* available and working properly, and that the certificate and CA chain are valid:
Code:
# gnutls-cli --starttls --port 25 mail2.nullmodem.org
Processed 151 CA certificate(s).
Resolving 'mail2.nullmodem.org'...
Connecting to '2602:ffc5:1f::1f:8435:25'...
- Simple Client Mode:
220 vps1.nullmodem.org ESMTP Postfix
ehlo vps1
250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=mail2.nullmodem.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-05 07:16:13 UTC', expires `2019-02-03 07:16:13 UTC', SHA-1 fingerprint `2df33c8d4f40b220a5964edc0a0c199fb54119b1'
Public Key ID:
15da33ba3435010340056691d0693256623cdd74
Public key's random art:
+--[ RSA 2048]----+
| .+*OX+.E.o |
| .*+* .. + o |
| . = . B |
| + + |
| S |
| . o |
| . |
| |
| |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 93:23:EB:F9:FA:0B:DB:FD:25:4B:ED:AF:68:04:54:3F:5B:D0:D3:98:40:78:78:3A:4F:5C:29:BF:9C:B4:27:C6
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
quit
221 2.0.0 Bye
- Peer has closed the GnuTLS connection
I haven't had a chance to do a deep dive on this, but I'm guessing (and it really is just a guess) that the CentOS upgrade installed a new version of Postfix which deprecated an older version of TLS which check_smtp is using, and which gnutls-cli is not? gnutls-cli seems to be using TLS v1.2. Or perhaps a cipher has been deprecated that check_smtp is trying to use? I don't see any info about this in the check_smtp man page, however, or in the output of check_smtp -?, and am not sure how to determine this.