Cannot make SSL connection
Hi
I am getting the below error on the Nagios server:
FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
CRITICAL - Cannot make SSL connection
139725209868136:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.
The OpenSSL version on the server is
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
The same command works from another Nagios server.
SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
OK - Certificate will expire on 09/15/2015 09:41.
# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
On the problematic server I get a proper response if I use ssl3:
openssl s_client -connect HOSTNAME:7010 -ssl3
But openssl s_client -connect HOSTNAME:7010 gives the following error:
CONNECTED(00000003)
139687424456520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
Could you please help here?
Regards
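One way to narrow down what the post above observes (the default handshake fails, `-ssl3` succeeds) is to repeat the `openssl s_client` test once per protocol flag and classify each transcript. This is an added example, not part of the original thread or of nagios-plugins; the function names are hypothetical, and it assumes a local `openssl` binary, some builds of which lack flags such as `-ssl3` or `-tls1_2`.

```shell
#!/bin/sh
# Added example: per-protocol handshake probe built on `openssl s_client`.

# Classify one s_client transcript (stdout+stderr) read from stdin.
classify_handshake() {
    out=$(tr '[:upper:]' '[:lower:]')
    case $out in
        *"unknown option"*)                 echo "flag-unsupported-locally" ;;
        *"unknown protocol"*)               echo "unknown-protocol" ;;
        *"wrong version number"*)           echo "wrong-version" ;;
        *"handshake failure"*|*"protocol version"*) echo "rejected-by-server" ;;
        *"no peer certificate available"*)  echo "no-certificate" ;;
        *"-----begin certificate-----"*)    echo "ok" ;;
        *)                                  echo "unclassified" ;;
    esac
}

# Try the version-flexible default hello, then each pinned protocol version.
probe_protocols() {
    host=$1; port=$2
    for flag in "" -ssl3 -tls1 -tls1_1 -tls1_2; do
        # </dev/null closes stdin so s_client exits once the handshake ends.
        # $flag is left unquoted on purpose: the empty value adds no argument.
        result=$(openssl s_client -connect "$host:$port" $flag </dev/null 2>&1 \
                 | classify_handshake)
        printf '%-10s %s\n' "${flag:-default}" "$result"
    done
}

# Transcript of the failing default run, copied from the post above.
sample_default_failure() {
    cat <<'EOF'
CONNECTED(00000003)
139687424456520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
EOF
}

# Usage: sh probe.sh HOSTNAME 7010   (does nothing when run without arguments)
if [ "$#" -ge 2 ]; then
    probe_protocols "$1" "$2"
fi
```

A `default` row that fails while a pinned row reports `ok` points at how the listener handles the client's default hello rather than at the certificate or the plugin. Rows reported as `flag-unsupported-locally` say nothing about the server.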
Re: Cannot make SSL connection
Is there any difference in the version between your check_http plugins?
/usr/local/nagios/libexec/check_http -V
Re: Cannot make SSL connection
Hi jolson,
Both are the same.
Nagios server 1:~$ /usr/local/nagios/libexec/check_http -V
check_http v2053 (nagios-plugins 1.4.13)
Nagios server 2:~$ /usr/local/nagios/libexec/check_http -V
check_http v2053 (nagios-plugins 1.4.13)
Regards
Tino
Re: Cannot make SSL connection
Hi All,
How can I make sure that check_http uses SSL version SSLv3 instead of the default SSL version, which is not working?
I cannot find a way to pass the SSL version in the command.
plugins]$ ./check_http --ssl=3 -H "HOSTNAME" -p 7010 -C 60
./check_http: option '--ssl' doesn't allow an argument
Regards
Tino
Re: Cannot make SSL connection
To set the SSL version, you will have to upgrade to a newer version of the plugin. Here is the link to where it can be downloaded from.
https://www.nagios.org/download/plugins/
Re: Cannot make SSL connection
tgriep is correct, the latest version of the plugins supports it, you may want to update your plugins:
check_http v2.0.3 (nagios-plugins 2.0.3)
-S, --ssl=VERSION
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).
Re: Cannot make SSL connection
First of all, SSLv3 has a vulnerability and should be disabled:
https://www.linode.com/docs/security/se ... for-poodle
http://disablessl3.com/
You need to upgrade nagios-plugins to get support:
-S, --ssl=VERSION
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).
I believe nagios-plugins 1.4.16 was the earliest you will find SSLv3 support.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: Cannot make SSL connection
Hi All,
Thanks for the updates.
There is no intention to use SSLv3. I was troubleshooting the actual issue.
The issue is that I am getting the below error on the Nagios server:
FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
CRITICAL - Cannot make SSL connection
139725209868136:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.
The OpenSSL version on the server is
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
The same command works from another Nagios server.
SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
OK - Certificate will expire on 09/15/2015 09:41.
openssl version on that server
# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
Regards
Tino
Re: Cannot make SSL connection
There is a good chance that all of these servers are affected by the Heartbleed vulnerability due to their SSL versions: https://www.us-cert.gov/ncas/alerts/TA14-098A
Furthermore, there may be issues with compatibility between the versions of SSL. Could you run these checks again with the "very very verbose" flag (-vvv)?
FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60 -vvv
SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60 -vvv
Re: Cannot make SSL connection
Hi abrist,
Thank you for the help.
Looks like verbose mode is not working as expected.
First server]$ ./check_http -S -H HOSTNAME -p 7010 -C 60 -vvv
CRITICAL - Cannot make SSL connection
140101398648680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.
Second Server]$ ./check_http -S -H HOSTNAME -p 7010 -C 60 -vvv
OK - Certificate will expire on 09/15/2015 09:41.
Regards
Tino