Web Inject testing

[dancormack]

Hello,
We are using a script to test a website availability. This has been working quite well however we are adding servers to a new location and the infrastructure is changing and it's breaking our ability to connect to the website. There are multiple hosts behind the IP and our script is missing a value to get it directed correctly. What is required now is the inclusion of the SNI Hostname in the scripting. Is there a standard way to include this in the scripting? If additional detail is required, please let me know. Thank you in advance!

[cdienger]

Which version of webinject is installed? I tested with 1.41 and SNI was included in the request. To find the version:

/usr/local/nagiosxi/etc/components/webinject/webinjet -V

I've attached a copy of the 1.41 script here as well if needed.

[dancormack]

Which version of webinject is installed? I tested with 1.41 and SNI was included in the request. To find the version:

/usr/local/nagiosxi/etc/components/webinject/webinjet -V

I've attached a copy of the 1.41 script here as well if needed.

Hello, we are using v 1.41 and the webinject file appears to be the same one we have. During troubleshooting, I was sent a screenshot from the environment and it shows that SNI Hostname is not set. Is there a way which this needs to be set properly? In the script we have the url in the <baseurl>

When I connect from the Nagios server via Firefox, the connection is fine. I was told the following by the infrastructure host..

I just found your requests… As I mentioned previously we need proper SNI Hostname to allow this connection..
This is not Apache and it must be provided in requests to be compliant with RFC.

[cdienger]

Can you share the screenshot? My test was really simple:

<testcases repeat="1">
<case
id="1"
description1="short description"
description2="long description"
method="get"
url="https://gosomethingsomething.com"
postbody="username=corey&password=welcome"
verifypositive="verify this string exists"
verifynegative="verify this string does not exist"
logrequest="yes"
logresponse="yes"
sleep="3"
/>
</testcases>

and the SNI is visable:

sni.png

I'm also running with OpenSSL 1.0.2k-fips - you may need to update openssl:

yum -y install openssl

[dancormack]

Here's the screenshot which was sent to me. I had a look at my packet capture of the connection attempt and it is missing the Extension: server_name in the capture. It does successfully establish an ssl connection though (v 1.2). I also included a shot of my capture

Webinject.png

Screen Shot 2018-10-31 at 3.36.17 PM.png

[cdienger]

What OS is XI on and what version of openssl is installed on the XI server?

[dancormack]

What OS is XI on and what version of openssl is installed on the XI server?

XI is on RHEL 6.9 and has OpenSSL 1.0.1e-fips 11 Feb 2013

Edit: This is the latest from RHEL's repo.

[cdienger]

I've been able to reproduce it on a centos 6 box as well. It looks like openssl has had support for SNI since 0.9.8 so it's some other package that needs an update. Possibly the perl libraries.

That said, a migration to a Redhat or CentOS 7 box is solution documented in https://assets.nagios.com/downloads/nag ... ios-XI.pdf.

[dancormack]

I've been able to reproduce it on a centos 6 box as well. It looks like openssl has had support for SNI since 0.9.8 so it's some other package that needs an update. Possibly the perl libraries.

That said, a migration to a Redhat or CentOS 7 box is solution documented in https://assets.nagios.com/downloads/nag ... ios-XI.pdf.

I'm not clear on what you are saying here.. Were you able to replicate the issue I am having or replicate the successful call? What would migrating from RHEL to RHEL solve?

[cdienger]

Yes, I was able to replicate the behavior of the webinject request not including SNI on a centos 6 machine. The Nagios process does not control how the request is made - this is dependent on the plugin and libraries the plugin uses. Migrating to a newer OS will include newer libraries that generate the request in a desired way to include SNI.