Using Nagios check_smtp -S without SSLv3 (sslv3 alert handshake failure)

Written by - 0 comments

Published on - Listed in Nagios Monitoring Security Internet Mail

The recently discovered CVE-2014-3566 (nicknamed Poodle) has generally caused a lot of configuration effort in the whole Internet. After 18 years in service (SSLv3 was published 1996!), suddenly SSLv3 needed to be disabled everywhere.

While on the HTTP side most browsers have been using TLS for a long time, the story is different on the smtp protocol. A typical example is the Nagios plugins check_smtp which can be used with the parameter "-S" to check the mail server with STARTTLS.

After disabling SSLv3 on the remote mail server, Nagios went wild and reported an alert (CRITICAL - Cannot make SSL connection).
When running the plugin manually, more information is shown:

./check_smtp -H -S
CRITICAL - Cannot make SSL connection.
140449663530656:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:
CRITICAL - Cannot create SSL context.

Looks like check_smtp wants to use sslv3, no matter what (hence sslv3 alert handshake failure).

Before you think "Oh! My Nagios plugins are old. That must be it!". BUZZ! Nope, it doesn't matter if you are using nagios-plugins 1.4.16 or the newest 2.0.3 (believe me, I've tried both).
The reason for this is the openssl command, which is used in the background by check_smtp:

openssl s_client -connect -starttls smtp
139976003229344:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:

The error looks familiar, doesn't it? So let's check out the openssl version:

openssl version
OpenSSL 1.0.1 14 Mar 2012

Ugh. That's quite old, given all the openssl hickups in the past year. Let's check out the OS:

cat /etc/
Ubuntu 12.04.5 LTS

OK. To be honest: I expected a more recent version on an Ubuntu LTS - although it's not the newest LTS.

Let's compare this to a Debian Wheezy.

cat /etc/
Debian GNU/Linux 7

openssl version
OpenSSL 1.0.1e 11 Feb 2013

That looks newer. Wow, Debian is newer! (insider joke :) )

Let's do the same tests as before:

./check_smtp --help
check_smtp v1.4.16 (nagios-plugins 1.4.16)

./check_smtp -H -S
SMTP OK - 0.360 sec. response time|time=0.359723s;;;0.000000

Here it works. Simply because openssl is able to connect to the remote mailserver without using sslv3:

openssl s_client -connect -starttls smtp
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/serialNumber=XXXXXXXXXXXX/OU=GT12345678/OU=See (c)14/OU=Domain Control Validated - RapidSSL(R)/
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Server certificate

So before you blame your monitoring plugins, make sure your openssl version is able to handle TLS.

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.