New release of check_esxi_hardware introduces new parameters to define SSL/TLS protocol and ignore chassis intrusion alerts


Published on June 5th 2020 - Listed in Hardware Monitoring Virtualization VMware


A new version of the widely used monitoring plugin check_esxi_hardware, to monitor the hardware of VMware ESXi servers, is available!

The newest release with version 20200605 contains two new features. See below for more details.

Ignore chassis intrusion elements

A new parameter --no-intrusion was added which puts a few elements onto the ignore list. These elements are related to chassis intrusion alerts and can be irrelevant on some hardware. See issue #42 on GitHub for more information.

Thanks to Luca Berra for the contribution!

Define SSL/TLS protocol version

Newer Linux distribution versions ship with stricter default security settings. On a fresh Debian 10 Buster, the default openssl settings won't allow communication with any host that only speaks a TLS version lower than 1.2. This causes problems when (for whatever reason) older ESXi servers need to be monitored. These older versions only offer TLS versions older than 1.2, and the following error message would be shown:

root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 655, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib/python3.7/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.7/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./check_esxi_hardware.py", line 720, in <module>
    instance_list = wbemclient.EnumerateInstances(classe)
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_operations.py", line 2494, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_operations.py", line 1763, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 824, in wbem_request
    client.endheaders()
  File "/usr/lib/python3.7/http/client.py", line 1239, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 483, in send
    self.connect()  # pylint: disable=no-member
  File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 661, in connect
    conn_id=conn_id)
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

To circumvent this, a new parameter -S / --sslproto was added to check_esxi_hardware.py. With this parameter, a lower minimum SSL/TLS version can be defined for the connection:

root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret -S TLSv1.0
OK - Server: No Enclosure VMware Virtual Platform s/n: VMware-56 4d 2d 03 ea d4 41 97-89 af 93 78 33 7d 9e 32 System BIOS: 6.00 2017-05-19

When the -S / --sslproto parameter is used, the plugin creates a dedicated openssl config file in /tmp for this particular ESXi target. It uses the OpenSSL MinProtocol configuration option, which was introduced in OpenSSL 1.1.0. The OpenSSL changelog lists the new MinProtocol option under "Changes between 1.0.2h and 1.1.0":

Add support for setting the minimum and maximum supported protocol. It can be set via the SSL_set_min_proto_version() and SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and MaxProtocol.

By using a dedicated OpenSSL config for a particular ESXi server, the system-wide OpenSSL settings are overridden for that plugin run only, and the plugin is able to communicate with the ESXi server, through Python and OpenSSL, using a lower protocol version.

If the plugin is unable to communicate with an old ESXi server, it now reports an UNKNOWN status instead of a traceback:

root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret
UNKNOWN: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

In such a case, an older TLS or SSL protocol version needs to be set.
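The following is an added example (not code from check_esxi_hardware itself) showing the two mechanisms described above: rendering a per-target OpenSSL config that pins MinProtocol, and turning the SSL connection failure into a Nagios-style UNKNOWN status line. The config layout mirrors the Debian 10 /etc/ssl/openssl.cnf section structure; the "TLSv1.0" to "TLSv1" alias, the file naming, the --sslproto hint text and the function names are assumptions of this example, not the plugin's own.

```python
"""Per-target OpenSSL MinProtocol override and UNKNOWN reporting (example code)."""
import os
import stat
import tempfile

# Protocol names accepted by OpenSSL's MinProtocol directive (OpenSSL >= 1.1.0),
# ordered newest to oldest.
OPENSSL_PROTOCOLS = ("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3")

# Assumed alias: the plugin's "-S TLSv1.0" spelling maps to OpenSSL's "TLSv1".
PROTOCOL_ALIASES = {"TLSv1.0": "TLSv1"}

# Nagios/Icinga plugin exit codes.
EXIT_OK, EXIT_WARNING, EXIT_CRITICAL, EXIT_UNKNOWN = 0, 1, 2, 3


def normalize_protocol(name):
    """Map a user-supplied protocol name to the OpenSSL spelling, or raise ValueError."""
    proto = PROTOCOL_ALIASES.get(name, name)
    if proto not in OPENSSL_PROTOCOLS:
        raise ValueError("unsupported protocol %r (expected one of %s)"
                         % (name, ", ".join(OPENSSL_PROTOCOLS)))
    return proto


def render_openssl_config(min_protocol):
    """Return openssl.cnf text whose system_default section pins MinProtocol.

    Pointing OPENSSL_CONF at this file replaces the distribution's TLSv1.2 floor
    for one process only; every other process keeps the hardened system default.
    """
    proto = normalize_protocol(min_protocol)
    return (
        "openssl_conf = default_conf\n"
        "\n"
        "[default_conf]\n"
        "ssl_conf = ssl_sect\n"
        "\n"
        "[ssl_sect]\n"
        "system_default = system_default_sect\n"
        "\n"
        "[system_default_sect]\n"
        "MinProtocol = %s\n" % proto
    )


def write_openssl_config(target_host, min_protocol, directory=None):
    """Write the config to a private, unpredictably named file and return its path.

    mkstemp creates the file with mode 0600 and O_EXCL, which avoids the symlink
    and pre-created-file problems of a fixed, guessable name in /tmp.
    """
    content = render_openssl_config(min_protocol)
    safe_host = "".join(c if c.isalnum() or c in "-." else "_" for c in target_host)
    fd, path = tempfile.mkstemp(prefix="openssl-%s-" % safe_host,
                                suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def config_is_private(path):
    """True when only the owner can read or write the generated config."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def activate_openssl_config(path, environ=os.environ):
    """Point OPENSSL_CONF at the file and return the value set.

    OpenSSL reads its config when the library initialises, so this has to run
    before `import ssl` (and therefore before pywbem is imported).
    """
    environ["OPENSSL_CONF"] = path
    return environ["OPENSSL_CONF"]


def classify_ssl_failure(message):
    """Turn a pywbem ConnectionError text into a plugin status line and exit code.

    Mirrors the release behaviour of reporting UNKNOWN instead of a traceback and
    adds a hint (assumed wording) when the cause is the protocol floor.
    """
    if "UNSUPPORTED_PROTOCOL" in message:
        hint = " (server only speaks an older TLS/SSL version; retry with -S/--sslproto)"
    else:
        hint = ""
    return "UNKNOWN: %s%s" % (message, hint), EXIT_UNKNOWN


if __name__ == "__main__":
    cfg_path = write_openssl_config("myesxi5server", "TLSv1.0")
    print(open(cfg_path).read())
    activate_openssl_config(cfg_path)
    # Constructed sample of the error text shown earlier in the post.
    sample = ("SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] "
              "unsupported protocol (_ssl.c:1056)")
    print(classify_ssl_failure(sample))
    os.unlink(cfg_path)
```

Two design points: the config is scoped to one process via OPENSSL_CONF, so lowering the floor for a legacy ESXi host never weakens other TLS clients on the monitoring server, and the file is created with mkstemp rather than a predictable per-host name. An in-process alternative on Python 3.7+ is `ssl.SSLContext.minimum_version`, but since pywbem builds its own context, the environment-based override works without patching the library.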

Additional information can be found in issue #45 on GitHub.

