check_http sslv3 alert handshake failure

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
aetebbe
Posts: 4
Joined: Sat Feb 13, 2016 7:32 pm

check_http sslv3 alert handshake failure

Post by aetebbe »

check_http is failing on all my webservers. It appears to be trying sslv3 no matter what parameters I specify. Since my webservers support only TLS, this is a problem. Even when I force check_http to use TLS, it fails as if it's still trying sslv3.

Here's what a manual check looks like:

# /usr/local/nagios/libexec/check_http -H XXXX -S --ssl=1 -vvv
CRITICAL - Cannot make SSL connection.
140076210550720:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40

Here's an nmap scan of my webserver showing the ciphers supported:

# nmap --script ssl-enum-ciphers -p 443 XXXX

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-13 19:01 CST
Nmap scan report for XXXX (140.32.112.244)
Host is up (0.00095s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds


According to check_http help, the relevant parameters it expects are such:

-S, --ssl=VERSION
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).

This is on a fresh install of Nagios XI Version : 5.2.3, running on CentOS 7.

Any help would be much appreciated.

Thank you.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: check_http sslv3 alert handshake failure

Post by rkennedy »

What version of check_http are you running? /usr/local/nagios/libexec/check_http -V

Also, what is the output if you run it without the -S? /usr/local/nagios/libexec/check_http -H XXXX --ssl=1 -vvv
Former Nagios Employee
adinh808
Posts: 4
Joined: Wed Feb 17, 2016 4:31 pm

Re: check_http sslv3 alert handshake failure

Post by adinh808 »

Hi,

I am facing a similar issue where the URL which I use has certs that have TLS enabled. The following are the version details:

I am using Nagios on an ESX host.

[root@nagiosxi-64_1 libexec]# ./check_http -V
check_http v2.0.3 (nagios-plugins 2.0.3)

[root@nagiosxi-64_1 libexec]# ./check_http -H HOST --ssl=1 -vvv
CRITICAL - Cannot make SSL connection.
140097353590632:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40

I tried all ways of debugging, and with OpenSSL commands also by providing CApath, CAfile entries, but still the same error message.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: check_http sslv3 alert handshake failure

Post by jolson »

I actually just opened a git issue about this:
https://github.com/nagios-plugins/nagio ... issues/140

Please track the status of this problem there; this is a known bug.
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
adinh808
Posts: 4
Joined: Wed Feb 17, 2016 4:31 pm

Re: check_http sslv3 alert handshake failure

Post by adinh808 »

Any update on this issue? I don't see any comments posted on GIT site.

Does Nagios support checking HTTPS URLs?
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: check_http sslv3 alert handshake failure

Post by rkennedy »

We do not have an update available currently. For the record, the best place to monitor this issue will be on the GitHub page as it's plugin related.

SSL is supported with check_http; however, this version in specific is what the bug is for.

[root@suse11 libexec]# ./check_http -H google.com --ssl=1 -f follow
HTTP OK: HTTP/1.1 200 OK - 19779 bytes in 0.434 second response time |time=0.434391s;;;0.000000 size=19779B;;;0
Former Nagios Employee
adinh808
Posts: 4
Joined: Wed Feb 17, 2016 4:31 pm

Re: check_http sslv3 alert handshake failure

Post by adinh808 »

Could you please let me know on which version this may work so that either we may upgrade or downgrade. Right now we are on Nagios 5.2.2, so if there is any update available, we would definitely need to go as we are stuck in getting licenses due to this bug (to buy or not to buy).
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: check_http sslv3 alert handshake failure

Post by rkennedy »

The issue isn't with Nagios XI, but with our plugins. It also has to do with the SSL that your web server checks.

As the bug report has been filed, it's now in the developers' hands.

What other versions of SSL does your web server support?
Former Nagios Employee
adinh808
Posts: 4
Joined: Wed Feb 17, 2016 4:31 pm

Re: check_http sslv3 alert handshake failure

Post by adinh808 »

Hi, could you please let us know your inputs on this issue? As per your comments it's currently handled by developers; has this issue been addressed? We have already ordered a 20 IP license 2 weeks ago and we are waiting for this issue to get fixed. Please let us know your comments.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: check_http sslv3 alert handshake failure

Post by rkennedy »

What input are you looking for? I'm confused with what you're asking at this point.

I do not have an update available. The best place to track this bug will be on our Github @ https://github.com/nagios-plugins/nagio ... issues/140
Former Nagios Employee