Michael Gallen | 17 Sep 22:40 2012

OpenSSL Errors for some https tests

Hi All

I need help resolving OpenSSL errors for some internal and some public https sites.

I am migrating from Hobbit 4.2.0 on CentOS 5.5 to Xymon 4.3.9 on CentOS 6.2

Everything works fine on CentOS 5.5 but on CentOS 6.2 we get SSL errors for some of our https sites.
Some https sites test ok, others always fail.

Hobbit uses openssl 0.9.8e-12.el5_5.7
Xymon uses openssl 1.0.0-25.el6_3.1

The error also displays when testing with wget and openssl -debug, please see below..

[xymon@xymon server]$ wget https://wiki.local.com
--2012-09-17 16:19:45--  https://wiki.local.com/
Resolving wiki.avotuscorp.com... 10.12.0.61
Connecting to wiki.local.com|10.12.0.61|:443... connected.
OpenSSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
Unable to establish SSL connection.

[xymon@xymon server]$ openssl s_client -connect wiki.local.com:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x89dcab0 [0x8a13ac8] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 50 57 86 8f 01   ....l...h..PW...
0010 - 39 d7 67 bc af ad dd 03-01 44 c8 f7 ca 43 0e 69   9.g......D...C.i
0020 - bf dc 31 da 0b 44 c8 2f-5a 5c 57 00 00 3a 00 39   ..1..D./Z\W..:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a   .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96   .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11   .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23      ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x89dcab0 [0x8a19028] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 0a                              .......
SSL3 alert read:fatal:unexpected_message
SSL_connect:error in SSLv2/v3 read server hello A
3077838572:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Thanks for any help
Michael



Disclaimer: This email message and any attachments are for the sole use of the intended recipient(s) and may contain information that is confidential, legally privileged or otherwise exempt from disclosure under applicable law. If you are not the intended recipient(s) or have received this message in error, you are instructed to immediately notify the sender by return email and required to delete this message from your computer system. This communication does not form any contractual obligation on behalf of the sender, the sender's employer or such employer's parent company, affiliates or subsidiaries.

_______________________________________________
Xymon mailing list
Xymon@...
http://lists.xymon.com/mailman/listinfo/xymon
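
Added example, not part of the original post or of Xymon/OpenSSL: a small decoder for the two TLS records in the s_client -debug dump above, showing what the client offered and which alert came back. The names dump_to_bytes and parse_record are this example's own; the byte counts 113 and 7 are taken from the "write to" and "read from" lines, and the <SPACES/NULS> row is assumed to be zero fill.

```python
import re
import struct

# Records copied from the `openssl s_client -debug` dump in the post above.
CLIENT_DUMP = r"""0000 - 16 03 01 00 6c 01 00 00-68 03 01 50 57 86 8f 01   ....l...h..PW...
0010 - 39 d7 67 bc af ad dd 03-01 44 c8 f7 ca 43 0e 69   9.g......D...C.i
0020 - bf dc 31 da 0b 44 c8 2f-5a 5c 57 00 00 3a 00 39   ..1..D./Z\W..:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a   .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96   .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11   .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23      ..............#
0071 - <SPACES/NULS>"""
SERVER_DUMP = "0000 - 15 03 01 00 02 02 0a                              ......."
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}
ROW = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})", re.M)

def dump_to_bytes(dump, total):  # total = byte count s_client printed
    data = b"".join(bytes.fromhex(row.replace("-", " ")) for row in ROW.findall(dump))
    return data + bytes(total - len(data))  # the <SPACES/NULS> row is zero fill

def parse_record(rec):  # one TLS record holding an alert or a ClientHello
    ctype, version, length = struct.unpack(">BHH", rec[:5])
    body = rec[5:5 + length]
    if ctype == 21:  # alert body: level (2 = fatal), description
        return {"type": "alert", "fatal": body[0] == 2, "description": ALERTS.get(body[1], body[1])}
    if ctype != 22 or body[0] != 1:
        raise ValueError("not an alert or ClientHello record")
    pos = 4                                   # skip msg type + 24-bit length
    (client_version,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2 + 32                             # version + random
    pos += 1 + body[pos]                      # session id
    (n,) = struct.unpack(">H", body[pos:pos + 2])
    suites = struct.unpack(">%dH" % (n // 2), body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                      # compression methods
    extensions = []
    if pos < len(body):                       # extensions block is optional
        (ext_len,) = struct.unpack(">H", body[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"type": "client_hello", "client_version": VERSIONS.get(client_version),
            "suites": len(suites), "reneg_scsv": 0x00FF in suites, "extensions": extensions}

for dump, size in ((CLIENT_DUMP, 113), (SERVER_DUMP, 7)):
    print(parse_record(dump_to_bytes(dump, size)))
```

The decode shows a TLSv1.0 ClientHello with 29 cipher suites, the renegotiation SCSV (00 ff) and one extension (type 35, SessionTicket), answered by a fatal unexpected_message alert before any ServerHello.
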
Henrik Størner | 17 Sep 23:19 2012

Re: OpenSSL Errors for some https tests

On 17-09-2012 22:40, Michael Gallen wrote:
> I am migrating from Hobbit 4.2.0 on CentOS 5.5 to Xymon 4.3.9 on CentOS 6.2
>
> Everything works fine on CentOS 5.5 but on CentOS 6.2 we get SSL errors
> for some of our https sites.
>
> Some https sites test ok, others always fail.
>
> Hobbit uses openssl 0.9.8e-12.el5_5.7
>
> Xymon uses openssl 1.0.0-25.el6_3.1
>
> The error also displays when testing with wget and openssl -debug,
> please see below..

OK, so you've narrowed it down to the change of openssl version, not the 
Hobbit/Xymon upgrade.

> OpenSSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> unexpected message
>
> Unable to establish SSL connection.

I don't know if CentOS did, but the Ubuntu version of OpenSSL - perhaps 
also Debian - disabled support for SSLv2 somewhere between 0.9.8 and 
1.0. Could this be the reason - that your failing site only supports the 
older SSLv2 protocol?

You can also try forcing it to connect using only TLS or only SSLv3 
(there are some openssl options for that). Perhaps one of those works?

Regards,
Henrik


Michael Gallen | 19 Sep 02:04 2012

Re: OpenSSL Errors for some https tests

Problem solved,
Thanks Henrik for pointing me in the right direction

I used a Xymon option to force https tests to use SSLv3
When using auto or SSLv2 the SSL connections would fail to some systems.
In hosts.cfg the URL would be https3://wiki.local.com

Regards,
Michael


Ralph Mitchell | 18 Sep 03:14 2012

Re: OpenSSL Errors for some https tests

Just a thought: Do you have all your CA certs in the right place??


Ralph Mitchell

