Cannot make SSL connection

Posted: Mon Jul 06, 2015 11:00 am
by tthomas
Hi

I am getting the below error in Nagios server

FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
CRITICAL - Cannot make SSL connection
139725209868136:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.

Openssl version on the server is

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


The same command works from another Nagios server.

SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
OK - Certificate will expire on 09/15/2015 09:41.

# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010


On the problematic server I get a proper response if I use ssl3:
openssl s_client -connect HOSTNAME:7010 -ssl3

But openssl s_client -connect HOSTNAME:7010 is giving following error.

CONNECTED(00000003)
139687424456520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available


Could you please help here?

Regards

Re: Cannot make SSL connection

Posted: Mon Jul 06, 2015 11:11 am
by jolson
Is there any difference in the version between your check_http plugins?

/usr/local/nagios/libexec/check_http -V

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 3:25 am
by tthomas
Hi jolson,

Both are the same.

Nagios server 1:~$ /usr/local/nagios/libexec/check_http -V
check_http v2053 (nagios-plugins 1.4.13)

Nagios server 2:~$ /usr/local/nagios/libexec/check_http -V
check_http v2053 (nagios-plugins 1.4.13)

Regards
Tino

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 7:58 am
by tthomas
Hi All,

How can I make sure that check_http uses SSL version SSLv3 instead of the default SSL version, which is not working?

I do not find a method to pass ssl version in command.

plugins]$ ./check_http --ssl=3 -H "HOSTNAME" -p 7010 -C 60
./check_http: option '--ssl' doesn't allow an argument

Regards
Tino

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 9:44 am
by tgriep
To set the SSL version, you will have to upgrade to a newer version of the plugin. Here is the link to where it can be downloaded from.
https://www.nagios.org/download/plugins/

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 9:45 am
by ssax
tgriep is correct; the latest version of the plugins supports it. You may want to update your plugins:

check_http v2.0.3 (nagios-plugins 2.0.3)

-S, --ssl=VERSION
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 9:52 am
by abrist
First of all, SSLv3 has a vulnerability and should be disabled:
https://www.linode.com/docs/security/se ... for-poodle
http://disablessl3.com/
You need to upgrade nagios-plugins to get support:

 -S, --ssl=VERSION
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).

I believe nagios-plugins 1.4.16 was the earliest you will find SSLv3 support.

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 10:30 am
by tthomas
Hi All,

Thanks for the updates.

There is no intention to use SSLv3. I was troubleshooting the actual issue.

The issue is that I am getting the below error in Nagios server

FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
CRITICAL - Cannot make SSL connection
139725209868136:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.

Openssl version on the server is

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


The same command works from another Nagios server.

SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60
OK - Certificate will expire on 09/15/2015 09:41.

openssl version on that server

# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010


Regards
Tino

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 10:47 am
by abrist
There is a good chance that all of these servers are affected by the Heartbleed vulnerability due to their SSL versions: https://www.us-cert.gov/ncas/alerts/TA14-098A
Furthermore, there may be issues with compatibility between the versions of SSL. Could you run these checks again with the "very very verbose" flag (-vvv)?

FIRST NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60 -vvv
SECOND NAGIOS SERVER>$ ./check_http -S -H "HOSTNAME" -p 7010 -C 60 -vvv

Re: Cannot make SSL connection

Posted: Wed Jul 08, 2015 10:57 am
by tthomas
Hi abrist,

Thank you for the help.

Looks like verbose mode is not working as expected.

First server]$ ./check_http -S -H HOSTNAME -p 7010 -C 60 -vvv

CRITICAL - Cannot make SSL connection
140101398648680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
CRITICAL - Cannot retrieve server certificate.



Second Server]$ ./check_http -S -H HOSTNAME -p 7010 -C 60 -vvv

OK - Certificate will expire on 09/15/2015 09:41.


Regards
Tino
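
The manual comparison in this thread (openssl s_client with -ssl3 versus the default negotiation) can be scripted so that each protocol flag is tried and classified in one pass on both Nagios servers. This is an added example, not part of any post above; the function names are hypothetical, and the -tls1, -tls1_1 and -tls1_2 flags are s_client options that do not appear in the thread and depend on the local OpenSSL build.

```bash
#!/usr/bin/env bash
# Added example: try one s_client handshake per protocol flag and classify it.

# Output quoted in the thread for the default (auto-negotiated) attempt.
SAMPLE_FAIL='CONNECTED(00000003)
139687424456520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available'

# Constructed sample of a successful attempt (certificate body replaced).
SAMPLE_OK='CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----'

# classify_handshake (hypothetical name): read s_client output on stdin and
# print one word. Order matters: the thread's failure contains both the
# "unknown protocol" error and "no peer certificate available".
classify_handshake() {
    local out
    out=$(cat)
    case $out in
        *'BEGIN CERTIFICATE'*)             echo ok ;;
        *'unknown protocol'*)              echo unknown_protocol ;;
        *'handshake failure'*)             echo handshake_failure ;;
        *'no peer certificate available'*) echo no_certificate ;;
        *)                                 echo failed ;;
    esac
}

# probe_protocols (hypothetical name): HOST:PORT -> one result line per flag.
# A flag the local openssl build does not know prints usage text and is
# reported as "failed", which is itself useful when comparing two servers.
probe_protocols() {
    local target=$1 flag result
    for flag in "" -ssl3 -tls1 -tls1_1 -tls1_2; do
        # $flag is intentionally unquoted so the empty default adds no argument.
        result=$(openssl s_client -connect "$target" $flag </dev/null 2>&1 | classify_handshake)
        printf '%-10s %s\n' "${flag:-default}" "$result"
    done
}

if [ "$#" -gt 0 ]; then
    probe_protocols "$1"    # e.g. ./probe.sh HOSTNAME:7010
else
    printf 'thread sample:      %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | classify_handshake)"
    printf 'constructed sample: %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)"
fi
```

Running it with the same HOST:PORT from each Nagios server and comparing the two tables shows which protocol versions each client can complete against the monitored service.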