Hi,
I've installed NCPA from your nagios-repo:
# rpm -q ncpa
ncpa-2.3.1-1.el7.x86_64
After that I wanted to connect to the server but I got an error. So I've tried with curl:
[nagios@nagios libexec]$ curl -k "https://IP.AD.RE.SS:5693/testconnect?token=<MYTOKEN>" -vvv
* Trying IP.AD.RE.SS...
* TCP_NODELAY set
* Connected to IP.AD.RE.SS (IP.AD.RE.SS) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Both systems are CentOS, Nagios on 8, client on 7.
I didn't find a solution, can you help me?
NCPA: Unable to connect with ssl-handshake failures
citys-dmz-operator
- Posts: 3
- Joined: Fri Aug 21, 2020 2:34 am
- Location: Frankfurt, Germany
Re: NCPA: Unable to connect with ssl-handshake failures
Hi,
I am thinking the Centos7 machine can't do TLS1.3.
To test, on the Cent7 machine:
Code:
curl -v --tlsv1.2 --tls-max 1.2 "https://IP.AD.RE.SS:5693/testconnect?token=<MYTOKEN>"
You can use the -k option if you are having cert issues
Thanks
citys-dmz-operator
Re: NCPA: Unable to connect with ssl-handshake failures
Hi,
I've tried this:
Code:
nagios #> curl -k "https://IP.AD.DR.ES:5693/testconnect?token=<MYTOKEN>" -vvv --tlsv1.2 --tls-max 1.2
* Trying IP.AD.RE.SS...
* TCP_NODELAY set
* Connected to IP.AD.RE.SS (IP.AD.RE.SS) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
I've tried it with another CentOS7 system:
Code:
curl -k "https://OT.HE.R-.IP:5693/testconnect?token=<MYTOKEN>" -vvv --tlsv1.2 --tls-max 1.2
* Trying OT.HE.R-.IP...
* TCP_NODELAY set
* Connected to OT.HE.R-.IP (OT.HE.R-.IP) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Minnesota; L=St. Paul; O=Nagios Enterprises, LLC; OU=Development; CN=host.name
* start date: Dec 15 05:43:35 2020 GMT
* expire date: Dec 13 05:43:35 2030 GMT
* issuer: C=US; ST=Minnesota; L=St. Paul; O=Nagios Enterprises, LLC; OU=Development; CN=host.name
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /testconnect?token=ncpa@<MYTOKEN> HTTP/1.1
> Host: OT.HE.R-.IP:5693
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 25
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Date: Mon, 31 May 2021 09:25:22 GMT
<
{
"value": "Success."
}
* Connection #0 to host OT.HE.R-.IP left intact
Do you have another idea?
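Added example (not part of the original posts, and not Nagios or curl code): a small Python helper that reads a `curl -v` trace like the two in the post above and reports how far the TLS handshake got. The function name `classify` and the stage labels are made up for this illustration.

```python
import re

# curl -v handshake trace lines, e.g. "* TLSv1.2 (IN), TLS alert, handshake failure (552):"
TRACE = re.compile(r"^\* (TLSv[\d.]+) \((IN|OUT)\), TLS ([a-z ]+), (.+?) \(\d+\):$")
NEGOTIATED = re.compile(r"^\* SSL connection using (\S+) / (\S+)$")

# Sample input: trimmed copies of the two traces posted above.
FAILED = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* Closing connection 0
"""
WORKING = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
"""

def classify(trace):
    """Report how far the TLS handshake got in a curl -v trace."""
    inbound, alerts, negotiated = set(), [], None
    for line in (l.strip() for l in trace.splitlines()):
        m = TRACE.match(line)
        if m and m.group(2) == "IN":
            if m.group(3) == "alert":
                alerts.append(m.group(4))
            elif m.group(3) == "handshake":
                inbound.add(m.group(4))
        n = NEGOTIATED.match(line)
        if n:
            negotiated = n.groups()
    if negotiated:
        stage = "completed"
    elif alerts and "Server hello" not in inbound:
        # The peer answered the ClientHello with an alert, so it ended the
        # handshake before sending a certificate: nothing reached the
        # client's certificate verification step.
        stage = "rejected at ClientHello"
    elif alerts:
        stage = "failed after ServerHello"
    else:
        stage = "incomplete"
    return {"stage": stage, "alerts": alerts, "negotiated": negotiated}

if __name__ == "__main__":
    for name, trace in (("failing host", FAILED), ("working host", WORKING)):
        print(name, classify(trace))
```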
Re: NCPA: Unable to connect with ssl-handshake failures
On the Centos7 that is having problems do the following:
Code:
openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
note - in above the server name (or IP address) is required in two places
Code:
openssl x509 -outform der -in cacert.pem -out cacert.crt
sudo cp cacert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
Then test again:
Code:
curl -k "https://IP.AD.DR.ES:5693/testconnect?token=<MYTOKEN>" -vvv --tlsv1.2 --tls-max 1.2
Thanks
citys-dmz-operator
Re: NCPA: Unable to connect with ssl-handshake failures
Hi,
Thanks for your help, now I can connect to the system.