New release of check_esxi_hardware introduces new parameters to define SSL/TLS protocol and ignore chassis intrusion alerts

Written by - 0 comments

Published on - Listed in Hardware Monitoring Virtualization VMware

A new version of the widely used monitoring plugin check_esxi_hardware, to monitor the hardware of VMware ESXi servers, is available!

The newest release with version 20200605 contains two new features. See below for more details.

Ignore chassis intrusion elements

A new parameter --no-intrusion was added to add a couple of elements to the ignore list. These elements are related to chassis intrusion alerts and can sometimes be irrelevant, depending on hardware. See issue #42 on GitHub for more information.

Thanks to Luca Berra for the contribution!

Define SSL/TLS protocol version

Newer Linux distribution versions have increased default security settings. On a new Debian 10 Buster, the default openssl settings won't allow to communicate with any host with a lower TLS version than 1.2. This causes problems when (for whatever reason) older ESXi servers need to be monitored. These older versions run with TLS versions older than 1.2 and the following error message would be shown:

root@buster:~# ./ -H myesxi5server -U root -P secret
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 655, in connect
    return self.sock.connect((, self.port))
  File "/usr/lib/python3.7/", line 1150, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.7/", line 1141, in _real_connect
  File "/usr/lib/python3.7/", line 1117, in do_handshake
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./", line 720, in <module>
    instance_list = wbemclient.EnumerateInstances(classe)
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 2494, in EnumerateInstances
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 1763, in _imethodcall
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 824, in wbem_request
  File "/usr/lib/python3.7/http/", line 1239, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.7/http/", line 1026, in _send_output
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 483, in send
    self.connect()  # pylint: disable=no-member
  File "/usr/local/lib/python3.7/dist-packages/pywbem/", line 661, in connect
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

To circumvent this, a new parameter -S / --sslproto was added in By using this new parameter, a lower SSL/TLS version can be defined:

root@buster:~# ./ -H myesxi5server -U root -P secret -S TLSv1.0
OK - Server: No Enclosure VMware Virtual Platform s/n: VMware-56 4d 2d 03 ea d4 41 97-89 af 93 78 33 7d 9e 32 System BIOS: 6.00 2017-05-19

When the -S / --sslproto parameter is used, the plugin creates a dedicated openssl config file in /tmp for this particular ESXi target. It uses the OpenSSL MinProtocol configuration option, which was introduced (probably) in OpenSSL 1.1.0. The OpenSSL changelog mentions the new MinProtocol option as "changes between 1.0.2h and 1.1.0":

Add support for setting the minimum and maximum supported protocol. It can bet set via the SSL_set_min_proto_version() and SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and MaxProtocol.

By using a dedicated OpenSSL config for a particular ESXi server, the OpenSSL system settings are overwritten and the plugin is able to communicate via python and openssl using a lower protocol version with the ESXi server.

If the plugin is unable to communicate with an old ESXi server, it will now inform with an UNKNOWN error:

root@buster:~# ./ -H myesxi5server -U root -P secret
UNKNOWN: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

In such a case, an older TLS or SSL protocol version needs to be set.

Additional information can be found in issue #45 on GitHub.

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.