Re: unable to connect from VMA to specific host
Posted: Mon Mar 09, 2020 3:19 pm
by cdienger
Is it possible that encryption is disabled for the service? Are you able to run:
wget http://servernameorip:443/sdk/vimService.wsdl
?
Re: unable to connect from VMA to specific host
Posted: Wed Mar 11, 2020 1:53 am
by mejokj
Hello,
The wget is not working from the VMA box, but when I try it from the Nagios server it works. Is there any package that needs to be updated on the VMA box to fix this issue?
vi-admin@snagiosvra:~> wget --no-check-certificate https://serverip:443/sdk/vimService.wsdl
--2020-02-24 15:32:52--  https://invddsdsawe/sdk/vimService.wsdl
Resolving invddsdsawe.. 11.62.12.10
Connecting to iinvddsdsawe|11.62.12.10|:443... connected.
Unable to establish SSL connection.
++++++++++++++++++++++++++++++
Re: unable to connect from VMA to specific host
Posted: Wed Mar 11, 2020 4:45 pm
by cdienger
What OS is the VMA box running?
I recently ran into an issue with another perl plugin that didn't work on cent6 because the SSL modules were outdated and didn't support SNI. Do you know if SNI is a requirement for the non-working machine? You may need to upgrade perl on the VMA system to get this support.
Re: unable to connect from VMA to specific host
Posted: Thu Mar 12, 2020 3:23 am
by mejokj
Hello,
VMA is SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) - Kernel)
It seems SNI is not enabled for the domain. I have checked using this command from the Nagios server: openssl s_client -connect serverip:443, and it shows the SSL details.
Also, I have checked the SSL details of the working and non-working domains. Please see the details below.
Not working
===========
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 0D33508C6355C558B90CC04CCC48ED3E87AD0DDC7242897F3640B4DFC19BE15EE270DAFD52B821ACDCE1FDE5BDF9B34F
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1583995623
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
working
========
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: A4B7D48F6C5716932B85AD79B4B00AFCD7C4F877BBF8319AC49FB719F962E91BCBD7BFEA0EB150A11FB99310FAA1E65F
Key-Arg : None
Start Time: 1583995744
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
And below are the ciphers shown on the VMA SUSE machine:
vi-admin@vmabox:~> openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Can you advise whether upgrading the Perl or OpenSSL package will affect the checks for the currently working domains?
Also, kindly provide the name of the package we need to update, if one is needed.
Re: unable to connect from VMA to specific host
Posted: Thu Mar 12, 2020 3:42 pm
by cdienger
I don't see ECDHE-RSA-AES256-GCM-SHA384 on vmabox. You may need to install the openssl 1.0.1g:
https://www.suse.com/c/introducing-the- ... ty-module/
Since updating libraries on another machine is a bit beyond our scope, you may want to reach out to the Suse team to assist with this if needed.
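The comparison made in the reply above, as an added example that is not part of the original thread: it reads the negotiated protocol and cipher from `openssl s_client` session output and checks them against the local `openssl ciphers -v` list. The function names and the trimmed sample text are constructed for illustration; the TLS 1.2 check assumes that an OpenSSL build with TLS 1.2 support labels its newer suites `TLSv1.2` in the second column.

```shell
# Constructed sample: trimmed `openssl s_client` session block (non-working host).
SERVER_SESSION='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: a few rows of the vmabox `openssl ciphers -v` output.
CLIENT_CIPHERS='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5'

# Print the value of a "Name : value" field from s_client session output.
session_field() {   # $1 = session text, $2 = field name (Protocol or Cipher)
    printf '%s\n' "$1" | awk -F' *: *' -v f="$2" '
        { gsub(/^[ \t]+/, "", $1) }
        $1 == f { print $2; exit }'
}

# Succeed if the exact suite name appears in column 1 of `ciphers -v`.
client_has_cipher() {   # $1 = ciphers -v text, $2 = suite name
    printf '%s\n' "$1" | awk -v c="$2" '$1 == c { found = 1 } END { exit !found }'
}

# Succeed if any row is labelled TLSv1.2 in column 2.
client_has_tls12_suites() {   # $1 = ciphers -v text
    printf '%s\n' "$1" | awk '$2 == "TLSv1.2" { found = 1 } END { exit !found }'
}

# Print a one-line verdict for a server session against a client suite list.
diagnose() {   # $1 = session text, $2 = ciphers -v text
    proto=$(session_field "$1" Protocol)
    cipher=$(session_field "$1" Cipher)
    if client_has_cipher "$2" "$cipher"; then
        echo "ok: client offers $cipher"
    elif [ "$proto" = "TLSv1.2" ] && ! client_has_tls12_suites "$2"; then
        echo "mismatch: no TLSv1.2 suites locally; server chose $cipher"
    else
        echo "mismatch: client lacks $cipher"
    fi
}

diagnose "$SERVER_SESSION" "$CLIENT_CIPHERS"
# With live data (host is a placeholder), capture the session on a machine that
# can connect and the suite list on the machine that cannot:
#   openssl s_client -connect host:443 </dev/null 2>/dev/null
#   openssl ciphers -v
```

A match only shows that the suite is available locally; it does not rule out other handshake failures such as certificate or SNI problems.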