webinject ssl issues?

[dmhp]

HI all,

I'm trying to setup some simple web address monitoring but it does not seem to like SSL.
I'm using the standalone webinject program for testing before adding to nagiosXI.

This is an initial test if ssl works but it seems it does not.

This is the config file:
<testcasefile>testcases.xml</testcasefile>
<globalhttplog>onfail</globalhttplog>
<proxy>internal proxy address</proxy>

This is the results page:
Verify : "itemscope"
Passed Positive Verification
Passed HTTP Response Code Verification (not in error range)
TEST CASE PASSED
Response Time = 0.417 sec

-------------------------------------------------------
Test: testcases.xml - 2
google https get

Verify : "itemscope"
Failed Positive Verification
Failed HTTP Response Code Verification (HTTP/1.1 400 Bad Request)
TEST CASE FAILED
Response Time = 0.086 sec

This is the httplog:

GET https://www.google.de
User-Agent: WebInject
Cookie: 1P_JAR=2018-01-31-15; NID=122=XMYTb_U-s8bSiPXO6ozVfuFI2OIy4v8sJzfXJAXpaxRUiw-wZVPWXcOeSdBYq1fkeMuW8bpChg0R8CCTGn_p8Pzp1meM-rPdmEyUvie8v7cD9a5zHYni6yIo0JDT0IUS
Cookie2: $Version="1"



HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Length: 691
Content-Type: text/html; charset=utf-8
Client-Date: Wed, 31 Jan 2018 15:05:36 GMT
Client-Peer: 16.46.16.11:8080
Client-Response-Num: 1
Proxy-Connection: close
Title: Request Error

<HTML><HEAD>
<TITLE>Request Error</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Request Error (invalid_request)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your request could not be processed. Request could not be handled
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This could be caused by a misconfiguration, or possibly a malformed request.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

this is the testpages:

<testcases repeat="1">

<case
id="1"
description1="google http get"
method="get"
url="http://www.google.de"
verifypositive="itemscope"
/>

<case
id="2"
description1="google https get"
method="get"
url="https://www.google.de"
verifypositive="itemscope"
/>

</testcases>

[cdienger]

A https request through a proxy server would require a initial CONNECT request before it could make a GETrequest(in the TLS tunnel). It's not clear if webinject is or can do this. Can you test without a proxy?

[dmhp]

Unfortunately not, all traffic is routed through proxies and compartments.

[kyang]

I would like to mention that we do not fully support proxies.

Here's a kb article.

https://support.nagios.com/kb/article.php?id=147

[dmhp]

I would like to mention that we do not fully support proxies.

Here's a kb article.

https://support.nagios.com/kb/article.php?id=147

This issue is related to monitoring SSL enabled website availability through a proxy, our nagiosXI is working and configured correctly to work for updates & packages (yum/wget) already.

[kyang]

by cdienger
It's not clear if webinject is or can do this. Can you test without a proxy?

I would also like to mention that webinject is not maintained or created by us. It's capabilities were developed by someone else, and ultimately you would have to ask them for a way around this.

I have just been looking at the same help documentation as you on their website. You could try contacting the owner through his email as he has a github account.

[cdienger]

I've done a bit of testing and the problem is due to the request using the GET method prior to using a CONNECT. What kind of proxy is this? I tested with a Squid proxy and the tests actually did work although the communication between client and proxy were unencrypted(communication between proxy and destination were encrypted however). There may be options available on the proxy to handle this request differently - especially if the communication between client and proxy does not need to be encrypted.

[dmhp]

I've done a bit of testing and the problem is due to the request using the GET method prior to using a CONNECT. What kind of proxy is this? I tested with a Squid proxy and the tests actually did work although the communication between client and proxy were unencrypted(communication between proxy and destination were encrypted however). There may be options available on the proxy to handle this request differently - especially if the communication between client and proxy does not need to be encrypted.

The proxy type would be bluecoat.
We would not be able to recfg the proxy, maybe an exception could be made, but i'm not sure what i would be asking.

[cdienger]

Hopefully there won't be a need to make an exception on the Bluecoat...

Attached you'll find a zip file with updated webinject files that will make proper proxy requests for https sites. Make a copy of the current /usr/local/nagiosxi/etc/components/webinject/webinject.pl for backup and copy the contents of the zip file(webinject.pl and Webinject.pm) into /usr/local/nagiosxi/etc/components/webinject/. Make the new webinject.pl executable with:

chmod a+x /usr/local/nagiosxi/etc/components/webinject/webinject.pl

That should do the trick. Please test and let us know your results!

[dmhp]

Hopefully there won't be a need to make an exception on the Bluecoat...

Attached you'll find a zip file with updated webinject files that will make proper proxy requests for https sites. Make a copy of the current /usr/local/nagiosxi/etc/components/webinject/webinject.pl for backup and copy the contents of the zip file(webinject.pl and Webinject.pm) into /usr/local/nagiosxi/etc/components/webinject/. Make the new webinject.pl executable with:

chmod a+x /usr/local/nagiosxi/etc/components/webinject/webinject.pl

That should do the trick. Please test and let us know your results!

Ok so, i was originall testing from windows, but i spun up a redhat server to test your stuff.
This is NOT running through nagios, just webinject itself standalone.

I installed webinject along with whatever it asked for (xml simple, crypt ssleay etc)
I ran my test vs google.de with the proxy not added to webinject cfg and everything failed.
I ran my test vs google.de with the proxy, Http worked, Https failed (as before).

I then made a backup of webinject.pl
I unzipped and copied both your files to the webinject install location
I ran a test and there was no change in results.

But the httplog showed more info, with regard LWP not working/installed.

Onward to CPAn install, i needed to do a first time setup (full auto was failing to provide correct cfg so manual was needed).
Also gave cpan the proxy and set it permanent.
Install LWP::Protocol::https

Some more errors moved me to also installing these:
install IO::Socket::SSL
install Net::SSLeay

I then moved onto this error:
PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0 at /usr/local/share/perl5/LWP/Protocol/http.pm line 50
I changed hostname verification within http.pm and https.pm

It gave me the same errors about verification towards the ends so i stepped back and removed your custom file in favour of the standard file.

And then it worked
So my original issue has been resolved in most part.

----------
------------
FYI i'm onto a new issue of "500 SSL upgrade failed: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

So currently having a hard time getting the intermediary certs to install and be used by webinject, gotta decipher this.