check_http SSL3/TLS support

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jtata
Posts: 47
Joined: Thu Sep 02, 2010 12:27 pm

check_http SSL3/TLS support

Post by jtata »

This morning we changed one of our loadbalancer VIPs to only accept SSL3 RSA_WITH_RC4_128_MD5. Now my check_http check fails with:

CRITICAL - Cannot make SSL connection
31691:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:583:
HTTP CRITICAL - Error on receive

Digging around a bit I found I had an out-of-date Nagios plugins set (1.4.14), which doesn't have the --sni option. However, after updating my test Nagios instance to the new plugin version I get the same error. I've tried using -I instead of -H and tried with and without the --sni option, always the same thing.

Connecting to the site without specifying -S returns OK.

Anyone run across this before? I can't imagine check_http completely doesn't support SSL3 as an encryption method.

My production Nagios server is 1.3G running on the VM appliance.
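Added example, not part of the original thread: a small Python decoder for the OpenSSL error-queue line quoted in the post above. It assumes the OpenSSL 1.x `ERR_PACK` layout (8-bit library, 12-bit function, 12-bit reason), where an SSL reason of 1000 or more is a TLS alert received from the peer; the function names and the third sample line are constructed for illustration.

```python
import re

# Packed error-code layout used by OpenSSL 1.x and earlier (ERR_PACK):
# 8-bit library, 12-bit function, 12-bit reason. OpenSSL 3.x packs differently.
ERR_LIB_SSL = 20
ALERT_OFFSET = 1000  # SSL reason >= 1000 means "alert received from peer"

# TLS alert descriptions that commonly end a handshake (RFC 5246, RFC 6066).
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error",
          112: "unrecognized_name"}

LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

def decode(line):
    """Split one OpenSSL error-queue line and unpack its hex code."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # status lines such as "HTTP CRITICAL - ..." are skipped
    code = int(m.group("code"), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET:
        alert = reason - ALERT_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "reason_text": m.group("reason"),
        "source": f'{m.group("file")}:{m.group("line")}',
        "alert": alert,
        "alert_name": ALERTS.get(alert, "unlisted") if alert is not None else None,
        # An alert comes from the remote end; anything else was raised locally.
        "raised_by": "peer" if alert is not None else "local",
    }

# First two lines are the output quoted in the post; the third is constructed
# (pid and line number invented) to show a locally raised error for contrast.
SAMPLE = """CRITICAL - Cannot make SSL connection
31691:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:583:
12345:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:600:"""

def decode_all(text):
    return [d for d in map(decode, text.splitlines()) if d is not None]

if __name__ == "__main__":
    for d in decode_all(SAMPLE):
        print(d["source"], d["raised_by"], d["alert_name"] or d["reason_text"])
```

For the line from the post, the decoded reason is alert 70 (`protocol_version`) raised by the peer, which means the remote end refused the protocol version the client offered in its hello.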
rdedon
Posts: 578
Joined: Sat Nov 20, 2010 4:51 pm

Re: check_http SSL3/TLS support

Post by rdedon »

This could possibly be a lack of port associated or also psa certificate.
Rene deDon
Technical Team
___
Nagios Enterprises, LLC
Web: http://www.nagios.com
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: check_http SSL3/TLS support

Post by tonyyarusso »

Could you post the full command you're using?
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jtata
Posts: 47
Joined: Thu Sep 02, 2010 12:27 pm

Re: check_http SSL3/TLS support

Post by jtata »

I was using several variations on the following (running from command line, target address changed here):

./check_http -H <HOSTADDRESS> -S -w 20 -c 40 -t 60

Also used with and without --sni, -f follow, and replacing -H with -I <IP>. Same result for all.

I've rolled back the changes on my LB to allow all versions of SSL, but that is just a temporary fix as SSL3/TLS is required for one of our security mandates.
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: check_http SSL3/TLS support

Post by tonyyarusso »

Could you post what it says if you include -v?
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/