Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Using Nagios check_smtp -S without SSLv3 (sslv3 alert handshake failure)
Tuesday - Oct 21st 2014 - by - (0 comments)

The recently discovered CVE-2014-3566 (nicknamed Poodle) has generally caused a lot of configuration effort in the whole Internet. After 18 years in service (SSLv3 was published 1996!), suddenly SSLv3 needed to be disabled everywhere.

While on the HTTP side most browsers have been using TLS for a long time, the story is different on the smtp protocol. A typical example is the Nagios plugins check_smtp which can be used with the parameter "-S" to check the mail server with STARTTLS.

After disabling SSLv3 on the remote mail server, Nagios went wild and reported an alert (CRITICAL - Cannot make SSL connection).
When running the plugin manually, more information is shown:

./check_smtp -H mailserver.example.com -S
CRITICAL - Cannot make SSL connection.
140449663530656:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:
CRITICAL - Cannot create SSL context.

Looks like check_smtp wants to use sslv3, no matter what (hence sslv3 alert handshake failure).

Before you think "Oh! My Nagios plugins are old. That must be it!". BUZZ! Nope, it doesn't matter if you are using nagios-plugins 1.4.16 or the newest 2.0.3 (believe me, I've tried both).
The reason for this is the openssl command, which is used in the background by check_smtp:

openssl s_client -connect mailserver.example.com:25 -starttls smtp
CONNECTED(00000003)
139976003229344:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:

The error looks familiar, doesn't it? So let's check out the openssl version:

openssl version
OpenSSL 1.0.1 14 Mar 2012

Ugh. That's quite old, given all the openssl hickups in the past year. Let's check out the OS:

cat /etc/issue.net
Ubuntu 12.04.5 LTS

OK. To be honest: I expected a more recent version on an Ubuntu LTS - although it's not the newest LTS.

Let's compare this to a Debian Wheezy.

cat /etc/issue.net
Debian GNU/Linux 7

openssl version
OpenSSL 1.0.1e 11 Feb 2013

That looks newer. Wow, Debian is newer! (insider joke :) )

Let's do the same tests as before:

./check_smtp --help
check_smtp v1.4.16 (nagios-plugins 1.4.16)

./check_smtp -H mailserver.example.com -S
SMTP OK - 0.360 sec. response time|time=0.359723s;;;0.000000

Here it works. Simply because openssl is able to connect to the remote mailserver without using sslv3:

openssl s_client -connect mailserver.example.com:25 -starttls smtp
CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=XXXXXXXXXXXX/OU=GT12345678/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=mailserver.example.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

So before you blame your monitoring plugins, make sure your openssl version is able to handle TLS.

 

Add a comment

Show form to leave a comment

Comments (newest first):

No comments yet.

Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

6937 Days
until Death of Computers
Why?