[Nagiosplug-devel] [ nagiosplug-Bugs-3066166 ] check_http fails to connect to some SSL servers/devices

SourceForge.net noreply at sourceforge.net
Mon May 28 17:29:17 CEST 2012


Bugs item #3066166, was opened at 2010-09-14 12:27
Message generated for change (Comment added) made by hweiss
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: rabinnh (rabinnh)
Assigned to: Holger Weiss (hweiss)
Summary: check_http fails to connect to some SSL servers/devices

Initial Comment:
Error is "CRITICAL - Cannot make SSL connection"

This has repeatedly been reported an closed for different servers; i.e. Tomcat, Oracle AppServer, etc.  I can still see the issue on some access points that I have.

I debugged through the code and the problem and solution are simple;in "ssltuils.c" in the function "int np_net_ssl_init_with_hostname", is the following line of code:

if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {

If this call fails, the error is returned.  However, on systems that fail, falling back to TLS works fine, for example:

if ((c = SSL_CTX_new (TLSv1_client_method ())) == NULL) {

sslutil.c should attempt both methods




----------------------------------------------------------------------

>Comment By: Holger Weiss (hweiss)
Date: 2012-05-28 08:29

Message:
The patch committed by Jason A. Lunn in #3285367 will be included in the
next release.  Thank you for your report!

----------------------------------------------------------------------

Comment By: Jason A. Lunn (omnipotus)
Date: 2011-04-12 09:00

Message:
Today I submitted a patch (3285367) that implements a more general solution
to this problem, by allowing check_http to take a value for the -S/--ssl
argument that allows you to specify the protocol version. Supports TLSv1,
SSLv2 and SSLv3.

----------------------------------------------------------------------

Comment By: https://www.google.com/accounts ()
Date: 2010-09-28 02:23

Message:
no, it's not fixed:

# /usr/lib/nagios/plugins/check_http -I x.x.x.x --ssl -v
CRITICAL - Cannot make SSL connection
3078097176:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
unexpected message:s23_clnt.c:674:
GET / HTTP/1.0
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Connection: close
HTTP CRITICAL - Error on receive


----------------------------------------------------------------------

Comment By: rabinnh (rabinnh)
Date: 2010-09-27 07:37

Message:
Version 1.4.15.  Previous causes may have been fixed, but not the one that
I identified.  I have attached the patch to sslutils.c to fallback to TLS
if SSL doesn't work.

FWIW, in other cases, I changed the command configuration to use just the
IP address instead of host headers.
-I 
instead of
-H 

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2010-09-27 05:27

Message:
Thanks for your bug report. Which version of the nagios-plugins are you
using? I believe this has been fixed in 1.4.15.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3066166&group_id=29880




More information about the Devel mailing list