Nagios Support Forum

Hello,
We are using a script to test a website availability. This has been working quite well however we are adding servers to a new location and the infrastructure is changing and it's breaking our ability to connect to the website. There are multiple hosts behind the IP and our script is missing a value to get it directed correctly. What is required now is the inclusion of the SNI Hostname in the scripting. Is there a standard way to include this in the scripting? If additional detail is required, please let me know. Thank you in advance!

Which version of webinject is installed? I tested with 1.41 and SNI was included in the request. To find the version:

/usr/local/nagiosxi/etc/components/webinject/webinjet -V

I've attached a copy of the 1.41 script here as well if needed.

cdienger wrote:Which version of webinject is installed? I tested with 1.41 and SNI was included in the request. To find the version:

/usr/local/nagiosxi/etc/components/webinject/webinjet -V

I've attached a copy of the 1.41 script here as well if needed.

Hello, we are using v 1.41 and the webinject file appears to be the same one we have. During troubleshooting, I was sent a screenshot from the environment and it shows that SNI Hostname is not set. Is there a way which this needs to be set properly? In the script we have the url in the <baseurl>

When I connect from the Nagios server via Firefox, the connection is fine. I was told the following by the infrastructure host..

I just found your requests… As I mentioned previously we need proper SNI Hostname to allow this connection..
This is not Apache and it must be provided in requests to be compliant with RFC.

Can you share the screenshot? My test was really simple:

<testcases repeat="1">
<case
id="1"
description1="short description"
description2="long description"
method="get"
url="https://gosomethingsomething.com"
postbody="username=corey&password=welcome"
verifypositive="verify this string exists"
verifynegative="verify this string does not exist"
logrequest="yes"
logresponse="yes"
sleep="3"
/>
</testcases>

and the SNI is visable: I'm also running with OpenSSL 1.0.2k-fips - you may need to update openssl:

yum -y install openssl

Here's the screenshot which was sent to me. I had a look at my packet capture of the connection attempt and it is missing the Extension: server_name in the capture. It does successfully establish an ssl connection though (v 1.2). I also included a shot of my capture

What OS is XI on and what version of openssl is installed on the XI server?

cdienger wrote:What OS is XI on and what version of openssl is installed on the XI server?

XI is on RHEL 6.9 and has OpenSSL 1.0.1e-fips 11 Feb 2013

Edit: This is the latest from RHEL's repo.

I've been able to reproduce it on a centos 6 box as well. It looks like openssl has had support for SNI since 0.9.8 so it's some other package that needs an update. Possibly the perl libraries.

That said, a migration to a Redhat or CentOS 7 box is solution documented in https://assets.nagios.com/downloads/nag ... ios-XI.pdf.

cdienger wrote:I've been able to reproduce it on a centos 6 box as well. It looks like openssl has had support for SNI since 0.9.8 so it's some other package that needs an update. Possibly the perl libraries.

That said, a migration to a Redhat or CentOS 7 box is solution documented in https://assets.nagios.com/downloads/nag ... ios-XI.pdf.

I'm not clear on what you are saying here.. Were you able to replicate the issue I am having or replicate the successful call? What would migrating from RHEL to RHEL solve?

Yes, I was able to replicate the behavior of the webinject request not including SNI on a centos 6 machine. The Nagios process does not control how the request is made - this is dependent on the plugin and libraries the plugin uses. Migrating to a newer OS will include newer libraries that generate the request in a desired way to include SNI.