From Georg.Hoesch at genua.de Fri Sep 3 14:21:48 2010
From: Georg.Hoesch at genua.de (Georg Hoesch)
Date: Fri, 3 Sep 2010 14:21:48 +0200
Subject: [Nagiosplug-devel] Problem with check_ssh and RST
Message-ID: <201009031421.49515.Georg.Hoesch@genua.de>

Hi,

I have a problem with check_ssh. check_ssh opens the connection, checks
the SSH server version string, sends its own check_ssh client identifier
and closes the socket. The server usually continues with the protocol and
sends a key exchange packet. This packet hits the closed socket on the
client side and triggers a 'RST' packet. This RST is an error condition
and should be avoided.

Instead check_ssh should assure that the connection is properly
closed (FIN) from both sides. This can be achieved by half-closing
the connection and waiting for close-confirmation from the other side.

Alternatively check_ssh can stop the check after receiving the server
identification string. If we close the connection in this state, the
server can handle it well and won't send data which we don't handle.
The client-identification is not sent but IMHO this is no problem.

I have written a small patch for this alternative and I hope that
someone is willing to test and integrate this.

Georg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_ssh_RST_bugfix.patch
Type: text/x-diff
Size: 911 bytes
Desc: not available
URL:

From nagios at babar.us Fri Sep 3 14:56:03 2010
From: nagios at babar.us (Olivier 'Babar' Raginel)
Date: Fri, 3 Sep 2010 14:56:03 +0200
Subject: [Nagiosplug-devel] Problem with check_ssh and RST
In-Reply-To: <201009031421.49515.Georg.Hoesch@genua.de>
References: <201009031421.49515.Georg.Hoesch@genua.de>
Message-ID: <20100903125549.GA7081@mail.babar.us>

On Fri, Sep 03, 2010 at 02:21:48PM +0200, Georg Hoesch wrote:
> Instead check_ssh should assure that the connection is properly
> closed (FIN) from both sides.
> This can be achieved by half-closing
> the connection and waiting for close-confirmation from the other side.
>
> Alternatively check_ssh can stop the check after receiving the server
> identification string. If we close the connection in this state, the
> server can handle it well and won't send data which we don't handle.
> The client-identification is not sent but IMHO this is no problem.
>
> I have written a small patch for this alternative and I hope that
> someone is willing to test and integrate this.

I haven't tried your patch, but maybe it would help remove the annoyance
I find in check_ssh: the syslog is filled up with

Connection closed by your.nagios.server.ip

Maybe some other people find it a feature though...

Would be great if you could tell me if your patch removes this message.
I guess it won't but...

-- 
Babar.

From noreply at sourceforge.net Tue Sep 14 21:27:31 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 14 Sep 2010 19:27:31 +0000
Subject: [Nagiosplug-devel] [ nagiosplug-Bugs-3066166 ] check_http fails to connect to some SSL servers/devices
Message-ID:

Bugs item #3066166, was opened at 2010-09-14 15:27
Message generated for change (Tracker Item Submitted) made by rabinnh
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: rabinnh (rabinnh)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http fails to connect to some SSL servers/devices

Initial Comment:
Error is "CRITICAL - Cannot make SSL connection"

This has repeatedly been reported and closed for different servers; i.e.
Tomcat, Oracle AppServer, etc. I can still see the issue on some access
points that I have.
I debugged through the code and the problem and solution are simple; in
"sslutils.c" in the function "int np_net_ssl_init_with_hostname", is the
following line of code:

if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {

If this call fails, the error is returned. However, on systems that fail,
falling back to TLS works fine, for example:

if ((c = SSL_CTX_new (TLSv1_client_method ())) == NULL) {

sslutils.c should attempt both methods

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

From tyarusso at nagios.com Wed Sep 22 17:02:17 2010
From: tyarusso at nagios.com (Tony Yarusso)
Date: Wed, 22 Sep 2010 10:02:17 -0500
Subject: [Nagiosplug-devel] Introduction
Message-ID: <1285167737.9535.11.camel@ubuntu-desktop.SSG5-Serial>

Hey everybody. I got to thinking a while ago and realized that while
some of you may have noticed me in various places, I never actually
introduced myself, so I figured I'd do that now.

My name is Tony Yarusso and I've been working part-time at Nagios
Enterprises since early spring. I'm one of three new people the company
brought on this year to make up its "tech team". Since we're a
relatively small company, we all dabble in a pretty wide range of
things - my common tasks include customer support, writing documentation
and tech tips, testing, and scripting. So for instance, some of those
things that have appeared on the Nagios Library about integrating NagVis
or DNX are largely my work. The documentation I write is geared towards
an audience of Nagios XI customers, but frequently applies at least
partially to Nagios Core as well (as is the case with both of the ones I
just mentioned). You may have also crossed paths with me in the Ubuntu
community, where I am a local community team contact and a core IRC
channel operator.
Another aspect of my job that I'm trying to find ways to do is community
interfacing - improving our communication and relationships with you
all, as well as with other projects we make use of like NagiosQL,
NagVis, PNP4Nagios, etc. As part of that, you can find me regularly on
the #nagios IRC channel on Freenode, get updates on the XI & company
side of things through the @nagiosxi and @nagiosinc Identi.ca/Twitter
feeds, and of course through the mailing lists. As you've probably
noticed, Ethan doesn't have as much time as he used to to go through
mailing lists regularly with his business-running tasks, so I'm trying
to be another set of eyes looking for things that may warrant a reply
from someone here (although that doesn't mean I'll understand the more
technical posts).

Anyway, just thought I'd say hey, and you'll hear some more stuff from
me soon.

-- 
Tony Yarusso
Technical Team
___
Nagios Enterprises, LLC
Email: tyarusso at nagios.com
Web: www.nagios.com

From noreply at sourceforge.net Mon Sep 27 14:27:14 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 27 Sep 2010 12:27:14 +0000
Subject: [Nagiosplug-devel] [ nagiosplug-Bugs-3066166 ] check_http fails to connect to some SSL servers/devices
Message-ID:

Bugs item #3066166, was opened at 2010-09-14 15:27
Message generated for change (Comment added) made by dermoth
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
>Status: Pending
Resolution: None
Priority: 5
Private: No
Submitted By: rabinnh (rabinnh)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http fails to connect to some SSL servers/devices

Initial Comment:
Error is "CRITICAL - Cannot make SSL connection"

This has repeatedly been reported and closed for different servers; i.e.
Tomcat, Oracle AppServer, etc. I can still see the issue on some access
points that I have.

I debugged through the code and the problem and solution are simple; in
"sslutils.c" in the function "int np_net_ssl_init_with_hostname", is the
following line of code:

if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {

If this call fails, the error is returned. However, on systems that fail,
falling back to TLS works fine, for example:

if ((c = SSL_CTX_new (TLSv1_client_method ())) == NULL) {

sslutils.c should attempt both methods

----------------------------------------------------------------------

>Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2010-09-27 08:27

Message:
Thanks for your bug report.

Which version of the nagios-plugins are you using? I believe this has
been fixed in 1.4.15.
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

From noreply at sourceforge.net Mon Sep 27 16:38:00 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 27 Sep 2010 14:38:00 +0000
Subject: [Nagiosplug-devel] [ nagiosplug-Bugs-3066166 ] check_http fails to connect to some SSL servers/devices
Message-ID:

Bugs item #3066166, was opened at 2010-09-14 15:27
Message generated for change (Comment added) made by rabinnh
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
>Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: rabinnh (rabinnh)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http fails to connect to some SSL servers/devices

Initial Comment:
Error is "CRITICAL - Cannot make SSL connection"

This has repeatedly been reported and closed for different servers; i.e.
Tomcat, Oracle AppServer, etc. I can still see the issue on some access
points that I have.

I debugged through the code and the problem and solution are simple; in
"sslutils.c" in the function "int np_net_ssl_init_with_hostname", is the
following line of code:

if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {

If this call fails, the error is returned. However, on systems that fail,
falling back to TLS works fine, for example:

if ((c = SSL_CTX_new (TLSv1_client_method ())) == NULL) {

sslutils.c should attempt both methods

----------------------------------------------------------------------

>Comment By: rabinnh (rabinnh)
Date: 2010-09-27 10:37

Message:
Version 1.4.15. Previous causes may have been fixed, but not the one that
I identified.
I have attached the patch to sslutils.c to fall back to TLS if SSL
doesn't work.

FWIW, in other cases, I changed the command configuration to use just the
IP address instead of host headers. -I instead of -H

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2010-09-27 08:27

Message:
Thanks for your bug report.

Which version of the nagios-plugins are you using? I believe this has
been fixed in 1.4.15.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

From noreply at sourceforge.net Tue Sep 28 11:23:51 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 28 Sep 2010 09:23:51 +0000
Subject: [Nagiosplug-devel] [ nagiosplug-Bugs-3066166 ] check_http fails to connect to some SSL servers/devices
Message-ID:

Bugs item #3066166, was opened at 2010-09-14 22:27
Message generated for change (Comment added) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: rabinnh (rabinnh)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http fails to connect to some SSL servers/devices

Initial Comment:
Error is "CRITICAL - Cannot make SSL connection"

This has repeatedly been reported and closed for different servers; i.e.
Tomcat, Oracle AppServer, etc. I can still see the issue on some access
points that I have.
I debugged through the code and the problem and solution are simple; in
"sslutils.c" in the function "int np_net_ssl_init_with_hostname", is the
following line of code:

if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {

If this call fails, the error is returned. However, on systems that fail,
falling back to TLS works fine, for example:

if ((c = SSL_CTX_new (TLSv1_client_method ())) == NULL) {

sslutils.c should attempt both methods

----------------------------------------------------------------------

Comment By: https://www.google.com/accounts ()
Date: 2010-09-28 12:23

Message:
no, it's not fixed:

# /usr/lib/nagios/plugins/check_http -I x.x.x.x --ssl -v
CRITICAL - Cannot make SSL connection
3078097176:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:674:
GET / HTTP/1.0
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Connection: close

HTTP CRITICAL - Error on receive

----------------------------------------------------------------------

Comment By: rabinnh (rabinnh)
Date: 2010-09-27 17:37

Message:
Version 1.4.15. Previous causes may have been fixed, but not the one that
I identified.

I have attached the patch to sslutils.c to fall back to TLS if SSL
doesn't work.

FWIW, in other cases, I changed the command configuration to use just the
IP address instead of host headers. -I instead of -H

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2010-09-27 15:27

Message:
Thanks for your bug report.

Which version of the nagios-plugins are you using? I believe this has
been fixed in 1.4.15.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880
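
Added example (not part of the archived messages and not code from nagios-plugins): the half-close approach Georg Hoesch describes in the check_ssh thread above, written in C. `graceful_close` is a hypothetical helper; it sends our FIN with `shutdown(SHUT_WR)`, discards whatever the server still sends, and closes the socket only once the server's FIN arrives or a wait times out.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (an assumption, not the plugin's code): close a
 * stream socket without leaving unread data behind. Returns the number
 * of bytes discarded while waiting for the peer's FIN, or -1 on error
 * or timeout. timeout_ms applies to each wait, not to the whole call.
 * The descriptor is always closed before returning. */
long graceful_close(int fd, int timeout_ms)
{
    char buf[4096];
    long drained = 0;
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    /* Half-close: send our FIN but keep the receive side open. */
    if (shutdown(fd, SHUT_WR) < 0 && errno != ENOTCONN) {
        close(fd);
        return -1;
    }
    for (;;) {
        int ready = poll(&pfd, 1, timeout_ms);
        if (ready < 0 && errno == EINTR)
            continue;
        if (ready <= 0) {          /* timeout or poll error */
            drained = -1;
            break;
        }
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n == 0)                /* peer's FIN: both directions closed */
            break;
        if (n < 0) {
            if (errno == EINTR)
                continue;
            drained = -1;
            break;
        }
        drained += n;              /* e.g. the server's key exchange packet */
    }
    close(fd);
    return drained;
}
```

If the wait times out, the final `close()` can still be answered with a RST when the server sends data afterwards, so the timeout should be longer than the server's usual response time.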