Problem with actual version

[berndschneider5]

Hello,
we had a old version running in our Nagios 4.4.3. It was Version 1.84.0.
This Version works very well without any issues.
The nagios software is installed on a RHEL 7.9 with OpenSSL Version: OpenSSL 1.0.2k-fips 26 Jan 2017

Now we updated to version 2.10.2 because we want to use some new features off this script.

Now we have two problems:

1. We have some servers with RSA and EC certificates installed. so we use the options --ecdsa and --rsa.
   --ecdsa works as before, but when we use --rsa, than we get this errors message:
   SSL error: Error with command: "-sigalgs RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"

2. All our certificate checks yesterday evening run into critical stae. tests before were ok, and i have no idea why this happened.
   the checks ran into a time out 60.01. and a forcecheck to try again failed. the timestamp for the last check attribute has not changed. i was not able to check again.
   so i had to implement the old version of the script, and then everythink worked again.

kind Regards
Bernd

[matteocorti]

Dear Bernd, is there a host that I could use to reproduce the problem?

[berndschneider5]

Hi,
i have the problem with all host, where i use the option --rsa. several different software types as destination. (apache, tomcat, F5 loadbalancer, etc...). i will send you an example by mail.
i'm not able to reproduce the second problem. i have some checks configured with the new version of the script, and currently they are running fine. maybe i get the same problem after some time.

[matteocorti]

I'll try to check on a CentOS 7 machine ...

[matteocorti]

I was able to reproduce the problem on CentOS 7

[matteocorti]

OpenSSL 1.0.2k-fips 26 Jan 2017

It will take a while. On my machine the temporary file creation (without mkdir) is not working.

od -N4 -tu /dev/random | head -n 1

seems to hang ...

[matteocorti]

Fixed in 287be28

[matteocorti]

I'm puzzled:

[corti@localhost ~]$ openssl ciphers "RSA+SHA224"
Error in cipher list
139916821796752:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383:

but the connection works

[corti@localhost ~]$ echo Q | openssl s_client -connect corti.li:443  -sigalgs "RSA+SHA224" > /dev/null ; echo $?
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
DONE
0

but

[corti@localhost ~]$ openssl ciphers RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1
AES256-SHA256:AES128-SHA256:NULL-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:RC4-SHA:NULL-SHA

does not complain and the connection does not work

[corti@localhost ~]$ echo Q | openssl s_client -connect corti.li:443  -sigalgs RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1
Error with command: "-sigalgs RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA224:RSA+SHA1"
usage: s_client args

 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify_hostname host - check peer certificate matches "host"
 -verify_email email - check peer certificate matches "email"
 -verify_ip ipaddr - check peer certificate matches "ipaddr"
...

[matteocorti]

Anywhay the problem is in all the ciphers with PSS (Probabilistic Signature Scheme (PSS))

[berndschneider5]

thanks for the quick fix. RSA is now working. but i still have the timeout problem.
i have installed the current version 2.10.4.
The first checks were ok (maybe 10-15), and then i got more and more errors for new checks:
Service check timed out after 61.01 seconds

[berndschneider5]

If i try to do the check on command line with the same arguments, then it is successfull.

[matteocorti]

Difficult to tell without additional information. With the debugging output we could see where the timeout is occurring. You can specify a file for the debugging output with the --debug-file option.

[berndschneider5]

i will try another test and collect the debugging information.

[berndschneider5]

Hello Matteo,
i have still the timeout problem. now it occurs during executing

/usr/bin/curl --silent --connect-timeout 120 hostname:port

mostly on ldaps ports, but also on https ports.
command was:

Command line arguments: -H --temp /apps/nagios-4.4.3/tmp --debug-file /apps/nagios-4.4.3/tmp/check_ssl_cert_debug --ignore-tls-renegotiation --ignore-connection-problems -P ldaps -p 636 -w 30 -c 7 --ignore-ocsp -A

the same without --ignore-connection-problems option works fine.

[berndschneider5]

But --ignore-connection-problems was the reason why i'm updating the script :-)