After POODLE changes in server https and ssmtp is failing

[manokiss]

Hi there.

Recently we have made the changes in apache and also in our smtp server to disable sslv3 since then nagios monitoring these services are failing, have someone a correct command to test smtp with tls and https without sslv3?

Sounds like nagios is expecting for sslv3 to test this services.

Im using:

command_line $USER1$/check_ssmtp -S -H $HOSTADDRESS$ $ARG1$ -p 465

command_line $USER1$/check_http -S -I $HOSTADDRESS$ $ARG1$

Thanx in advance!

[sreinhardt]

I don't think that check_ssmtp is a nagios plugins plugin, so I can't comment on that one. However as for check_http. There is currently an issue with ssl autonegotiation picking the correct version. I would suggest trying to specify the various possible versions and ciphers that are still allowed with the -S flag.

-S, --ssl=VERSION
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).

[manokiss]

Thanx for the reply, unfortunately using that option im getting:

./check_http: option '--ssl' doesn't allow an argument

[tmcdonald]

Are you using the -S or the --ssl flag? Please show us the command being run.

[manokiss]

tested with:

./check_http -H hostname --ssl TLSv1

keeps getting connection refused

Thanx!

[sreinhardt]

That is not going to give the correct parameters to the plugin. Try this instead:

Code: Select all

./check_http -H hostname --ssl=1
OR
./check_http -H hostname -S1

[manokiss]

Both are giving me error

Thanx!


[root@]# ./check_http -H hostname --ssl=1
./check_http: option '--ssl' doesn't allow an argument
Usage:
check_http -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]
[-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]
[-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]
[-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]
[-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]
[-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]
[-j method]



[root@]# ./check_http -H hostname -S1
./check_http: invalid option -- '1'
Usage:
check_http -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]
[-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]
[-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]
[-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]
[-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]
[-A string] [-k string] [-S] [--sni] [-C <age>] [-T <content-type>]
[-j method]

[manokiss]

just noticed i had outdated plugins...updated it and is working now for https....now im looking for ssmtp.

Thanx!

[sreinhardt]

Glad to hear it! You had me worried for a bit, some of that openssl code is a bit tricky! Let us know if you need further help with ssmtp, we can certainly test it on our end if you can send a link.