check_http sslv3 alert handshake failure

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
as300182
Posts: 36
Joined: Tue May 17, 2016 8:09 am

Re: check_http sslv3 alert handshake failure

Post by as300182 »

rkennedy wrote: I do not have an update available. The best place to track this bug will be on our Github @ https://github.com/nagios-plugins/nagio ... issues/140
It's all very well reporting this bug, but when is someone going to do something about it? With a growing number of people having disabled SSL3 (or about to) check_http is now a worthless tool for secure sites. This bug was first reported in GitHub in February. It's now nearly June and it hasn't even been assigned to anyone yet. This is a pretty poor show to say the least.

Does anyone have an alternative to check_http for checking a secure site with SSL3 disabled?
jfrickson

Re: check_http sslv3 alert handshake failure

Post by jfrickson »

The code that handles the ssl version switch is a little bit flaky. Try setting it to either --ssl=1+ (include the plus sign at the end) or preferably --ssl=1.1+ or --ssl=1.2+. Forcing it to use TLSv1 only is probably not a good idea.

Post a message here if that doesn't fix the problem. Post a message to the github issue if it does fix the problem.

Thanks,
John
as300182

Re: check_http sslv3 alert handshake failure

Post by as300182 »

Code:

check_http v2.1.1 (nagios-plugins 2.1.1)
Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>
Copyright (c) 1999-2014 Nagios Plugin Development Team
        <devel@nagios-plugins.org>
Unfortunately none of those --ssl switches work. I'm using the latest version of check_http (as you can see from the above help extract) and you just can't stop it from (presumably auto-negotiating) using SSLv3. No matter what you use you always get the same error back.

Code:

1739:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
It seems evident from this that it's trying to use SSLv3 no matter what. As soon as SSLv3 is re-enabled it works just fine. It seems that if you're keen on security and you have secure sites to check, right now check_http is worthless. I'm currently having to seek an alternative as this bug has obviously been there since the day the --ssl switch was added and there's currently no projected date on when it's going to be fixed. :cry:
jfrickson

Re: check_http sslv3 alert handshake failure

Post by jfrickson »

I found a public server that's running with SSLv3 disabled. We don't want to inundate it with requests, so don't go crazy.

At the command line, run

Code:

./check_http -H testas2.mendelson-e-c.com -u /as2/HttpReceiver -p 8444 -S --ssl=XXX
Replacing the "XXX" with a '3' for SSLv3, I get "CRITICAL - Cannot make SSL connection."
Replacing the "XXX" with a '1' for TLSv1, I get a valid response and a TLSv1 connection.
Replacing the "XXX" with a '1+', I get a valid response and a TLSv1.2 connection.

Try running those commands, and post the results.
as300182

Re: check_http sslv3 alert handshake failure

Post by as300182 »

None of those worked for me and then I read somewhere that the plugins need to be re-built against a later set of libraries. So I got a later version of openssl and did just that. I updated openssl and then rebuilt the plugins with

Code:

wget http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar vfzx nagios-plugins-2.1.1.tar.gz
cd nagios-plugins-2.1.1
./configure --with-openssl=/usr/bin/openssl
make clean
make
make install
This seems to have made quite a difference. I can now use check_http successfully on most of my web servers except for 2 or 3 where I am still getting:

Code:

CRITICAL - Cannot make SSL connection.
3086513804:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
The command I'm using from the CLI is:

Code:

 ./check_http -f follow -H xxxxxxxxxxxxxx -ssl=1.1 -J clientcert.pem -K privatekey.pem -e HTTP/1. -s "Home page" -v
The verbose switch is largely irrelevant as you get the same output regardless of whether you use it or not. :-)
The "SSL alert number 40" is thought to be synonymous with a bad client certificate. However, both the client cert and key are good because I've tested them in openssl. I've tried the full cert chain in the clientcert.pem file as well as variations of it in my ca-bundle.crt file. So does anyone have any idea on what check_http might be up to now please?
Last edited by as300182 on Fri Jun 03, 2016 4:26 pm, edited 1 time in total.
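As an added example to go with the two OpenSSL error lines quoted in this thread and with jfrickson's explanation of the `--ssl` values and his test procedure (this is my own illustration, not nagios-plugins code): a small Python script that splits OpenSSL's `pid:error:code:lib:func:reason:file:line[:extra]` error strings into fields, names the TLS alert number per RFC 5246, and models which protocol version check_http ends up with for a given `--ssl` value against a server that has SSLv3 disabled. Two facts it makes explicit: the reason text "sslv3 alert handshake failure" is OpenSSL's name for alert 40 whatever protocol version was offered, so by itself it does not show that SSLv3 was attempted; and alert 40 is the generic handshake_failure alert, which a server also sends for a cipher or version mismatch, not only when it dislikes a client certificate. The server's version set is constructed for the example, and plain `-S` is assumed to auto-negotiate SSLv3 and newer. One further caveat for the CLI command quoted above: it spells the option `-ssl=1.1` with a single dash, which getopt reads as the short option `-s` with the argument `sl=1.1`, so it is worth retrying with `--ssl=1.1` before reading anything into the alert.

```python
"""Decode the OpenSSL errors quoted in this thread and model check_http's --ssl option.

Added example for the discussion above, not code from nagios-plugins.  The two
error strings are copied from the posts; the alert names follow RFC 5246
section 7.2.2; the --ssl semantics follow the check_http 2.1.1 help text
(a bare VERSION pins that version, a trailing '+' also accepts newer ones).
"""
import re

# OpenSSL error line layout: pid:error:code:library:function:reason:file:line[:extra]
ERR_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?(?P<extra>.*)$"
)

# TLS AlertDescription values a client is likely to see (RFC 5246, 7.2.2).
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}


def parse_openssl_error(line):
    """Split one OpenSSL error line into fields; return None if it is not one."""
    m = ERR_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["line"] = int(d["line"])
    am = re.search(r"SSL alert number (\d+)", d["extra"])
    d["alert"] = int(am.group(1)) if am else None
    d["alert_name"] = ALERTS.get(d["alert"], "unknown") if am else None
    # Reason strings beginning "sslv3 alert" are OpenSSL's names for TLS alerts
    # of every version; they do not mean SSLv3 was negotiated or offered.
    d["is_peer_alert"] = d["reason"].startswith("sslv3 alert")
    # Which client code path read the alert: the version-flexible ClientHello
    # path (s23_clnt.c) or the record layer of a fixed-version state machine.
    d["read_in"] = ("version-flexible ClientHello (SSL23)"
                    if d["func"].startswith("SSL23_") else "record layer")
    return d


VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest
SSL_ARG = {"2": "SSLv2", "3": "SSLv3", "1": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2"}


def allowed_versions(ssl_arg):
    """Versions check_http offers for --ssl=ssl_arg ('' or None means plain -S).

    Assumption: plain -S auto-negotiates whatever the linked OpenSSL still
    offers; modelled here as SSLv3 and newer.
    """
    if not ssl_arg:
        return set(VERSIONS[1:])
    plus = ssl_arg.endswith("+")
    base = SSL_ARG[ssl_arg.rstrip("+")]
    return set(VERSIONS[VERSIONS.index(base):]) if plus else {base}


def predict(ssl_arg, server_versions):
    """Highest version both sides accept, or None when there is none
    (check_http then reports 'Cannot make SSL connection')."""
    common = allowed_versions(ssl_arg) & set(server_versions)
    return max(common, key=VERSIONS.index) if common else None


if __name__ == "__main__":
    for err in ("1739:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
                "sslv3 alert handshake failure:s23_clnt.c:583:",
                "3086513804:error:14094410:SSL routines:ssl3_read_bytes:"
                "sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40"):
        p = parse_openssl_error(err)
        print(p["func"], p["alert"], p["alert_name"], p["read_in"])
    # Constructed server: SSLv3 disabled, like the public test host mentioned above.
    server = {"TLSv1", "TLSv1.1", "TLSv1.2"}
    for arg in ("3", "1", "1+", "1.1+", "1.2+"):
        print("--ssl=%s -> %s" % (arg, predict(arg, server)))
```

Run against the constructed server set, `predict` reproduces the three observations in the test post: `--ssl=3` yields no common version, `--ssl=1` pins TLSv1, and `--ssl=1+` lands on TLSv1.2, which is why a `+` form is the sensible setting once SSLv3 is off.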
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: check_http sslv3 alert handshake failure

Post by rkennedy »

We do not have an update available at this time.

With the new information regarding the client certs not working, could you raise an issue for this on the nagios-plugins GitHub? That way, that part also gets addressed. If it's working through the openssl test, then it should be through this as well.
https://github.com/nagios-plugins/nagio ... ns/issues/
Former Nagios Employee
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: check_http sslv3 alert handshake failure

Post by mguthrie »

Running into this issue as well for a lot of our newer AWS resources. I would suggest bumping this up in priority since this will be a deal killer for a lot of people wanting to monitor AWS HTTP resources.
jfrickson

Re: check_http sslv3 alert handshake failure

Post by jfrickson »

mguthrie wrote: Running into this issue as well for a lot of our newer AWS resources. I would suggest bumping this up in priority since this will be a deal killer for a lot of people wanting to monitor AWS HTTP resources.
Are you seeing the original problem, or the "SSL alert number 40" problem?
jfrickson

Re: check_http sslv3 alert handshake failure

Post by jfrickson »

EDIT Wrong place -- deleting
as300182

Re: check_http sslv3 alert handshake failure

Post by as300182 »

@jfrickson

Have you posted in the right place? What has check_nrpe got to do with check_http in this instance?