check_http is failing on all my webservers. It appears to be trying sslv3 no matter what parameters I specify. Since my webservers support only TLS, this is a problem. Even when I force check_http to use TLS, it fails as if it's still trying sslv3.
Here's what a manual check looks like:
# /usr/local/nagios/libexec/check_http -H XXXX -S --ssl=1 -vvv
CRITICAL - Cannot make SSL connection.
140076210550720:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.cSSL alert number 40
Here's an nmap scan of my webserver showing the ciphers supported:
# nmap --script ssl-enum-ciphers -p 443 XXXX
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-13 19:01 CST
Nmap scan report for XXXX (140.32.112.244)
Host is up (0.00095s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
According to check_http help, the relevant parameters it expects are such:
-S, --ssl=VERSION
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).
This is on a fresh install of Nagios XI Version : 5.2.3, running on CentOS 7.
Any help would be much appreciated.
Thank you.
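Added example (not part of the original post and not nagios-plugins code): a decoder for the OpenSSL error-queue line quoted above. It unpacks the hex code into library, function and reason, and shows that "sslv3 alert handshake failure" is OpenSSL's name for alert 40 received from the peer; the "sslv3"/"tlsv1" prefix records which specification first defined the alert, so the string alone does not show which protocol version the client offered. The constants follow the OpenSSL 1.0.x headers, and the alert table is a partial list.

```python
import re

# Constants as defined in the OpenSSL 1.0.x headers.
ERR_LIB_SSL = 20             # library number of the SSL/TLS code
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number: alert sent by the peer

# Partial table: alert number -> (prefix OpenSSL uses in the text, RFC alert name).
ALERTS = {
    10: ("sslv3", "unexpected_message"),
    20: ("sslv3", "bad_record_mac"),
    40: ("sslv3", "handshake_failure"),
    42: ("sslv3", "bad_certificate"),
    48: ("tlsv1", "unknown_ca"),
    70: ("tlsv1", "protocol_version"),
    71: ("tlsv1", "insufficient_security"),
    80: ("tlsv1", "internal_error"),
}

# thread-id:error:<8 hex digits>:<library>:<function>:<reason text>...
LINE_RE = re.compile(r"^\w+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")

# The error line exactly as it appears in the post (file/line field is damaged there).
PAGE_LINE = ("140076210550720:error:14094410:SSL routines:SSL3_READ_BYTES:"
             "sslv3 alert handshake failure:s3_pkt.cSSL alert number 40")


def decode_openssl_error(line):
    """Unpack an OpenSSL 1.0.x error-queue line into its numeric parts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error-queue line")
    code = int(m.group(1), 16)
    # ERR_PACK layout: 8 bits library, 12 bits function, 12 bits reason.
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "func_name": m.group(3), "reason_text": m.group(4),
           "peer_alert": None, "prefix": None, "alert_name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
        out["peer_alert"] = alert
        out["prefix"], out["alert_name"] = ALERTS.get(alert, (None, "unknown"))
    return out


if __name__ == "__main__":
    for key, value in decode_openssl_error(PAGE_LINE).items():
        print(f"{key:12} {value}")
```
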
check_http sslv3 alert handshake failure
Re: check_http sslv3 alert handshake failure
What version of check_http are you running? /usr/local/nagios/libexec/check_http -V
Also, what is the output if you run it without the -S? /usr/local/nagios/libexec/check_http -H XXXX --ssl=1 -vvv
Former Nagios Employee
Re: check_http sslv3 alert handshake failure
Hi,
I am facing a similar issue where the URL which I use has certs that have TLS enabled. Following are the version details:
I am using Nagios on an ESX host.
[root@nagiosxi-64_1 libexec]# ./check_http -V
check_http v2.0.3 (nagios-plugins 2.0.3)
[root@nagiosxi-64_1 libexec]# ./check_http -H HOST --ssl=1 -vvv
CRITICAL - Cannot make SSL connection.
140097353590632:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.cSSL alert number 40
I tried all ways of debugging, and with OpenSSL commands also by providing CApath, CAfile entries, but still the same error message.
Re: check_http sslv3 alert handshake failure
I actually just opened a git issue about this:
https://github.com/nagios-plugins/nagio ... issues/140
Please track the status of this problem there; this is a known bug.
Re: check_http sslv3 alert handshake failure
Any update on this issue? I don't see any comments posted on the GIT site.
Does Nagios support checking HTTPS URLs?
Re: check_http sslv3 alert handshake failure
We do not have an update available currently. For the record, the best place to monitor this issue will be on the GitHub page as it's plugin related.
SSL is supported with check_http; however, this version specifically is what the bug is for.
Code: Select all
[root@suse11 libexec]# ./check_http -H google.com --ssl=1 -f follow
HTTP OK: HTTP/1.1 200 OK - 19779 bytes in 0.434 second response time |time=0.434391s;;;0.000000 size=19779B;;;0
Former Nagios Employee
Re: check_http sslv3 alert handshake failure
Could you please let me know on which version this may work, so that we may either upgrade or downgrade? Right now we are on Nagios 5.2.2, so if there is any update available, we would definitely need to go, as we are stuck in getting licenses due to this bug (to buy or not to buy).
Re: check_http sslv3 alert handshake failure
The issue isn't with Nagios XI, but with our plugins. It also has to do with the SSL that your web server checks.
As the bug report has been filed, it's now in the developers' hands.
What other versions of SSL does your web server support?
Former Nagios Employee
Re: check_http sslv3 alert handshake failure
Hi, could you please let us know your inputs on this issue? As per your comments, it's currently handled by developers; has this issue been addressed?
We have already ordered 20 IP license 2 weeks ago and we are waiting for this issue to get fixed; please let us know your comments.
Re: check_http sslv3 alert handshake failure
What input are you looking for? I'm confused with what you're asking at this point.
I do not have an update available. The best place to track this bug will be on our GitHub @ https://github.com/nagios-plugins/nagio ... issues/140
Former Nagios Employee