Ubuntu
nagios-plugins package

nagios Plugin check_imap fails with SSL3

Bug #155699 reported by buliwyf
6
Affects Status Importance Assigned to Milestone
nagios-plugins (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

Binary package hint: nagios-plugins-basic

After upgrading to Gutsy checking an
imaps service on an Gutsy Server fails with CRITICAL - Cannot make SSL connection
Checking imaps on a Debian Sarge still works.

Both running courier-imap-ssl with SSL3
Verbose Output

Using service IMAP
Port: 143
flags: 0x7
CRITICAL - Cannot make SSL connection
26820:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

Perhaps its a Bug if courier-imap-ssl

Revision history for this message
buliwyf (dominik-sennfelder) wrote :

sorry forgot an option:
corrected output:

root@nagios:/home/buliwyf# /usr/lib/nagios/plugins/check_imap -H ######### -S -v -p 993
Using service IMAP
Port: 993
flags: 0x7
CRITICAL - Cannot make SSL connection
root@nagios:/home/buliwyf#

Revision history for this message
Julius Bloch (jbloch) wrote :

Hi,
does that also happens if you are using:
/usr/lib/nagios/plugins/check_simap -p 993 -H ######
or
/usr/lib/nagios/plugins/check_simap -p 993 -H ###### -S -4

I have no problem to check a courier-imap server with SSL.

Revision history for this message
Julius Bloch (jbloch) wrote :

another question, can provide a test server?
I check juliux.de on port 993 without any problems.

Julius Bloch (jbloch)
Changed in nagios-plugins:
status: New → Incomplete
Revision history for this message
Mackenzie Morgan (maco.m) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in nagios-plugins:
status: Incomplete → Invalid
Revision history for this message
Christian (christian-in-hamburg) wrote :

Hi,

found the same problem.

The imap-server expect a ssl-connect SSLv3 (TLS_PROTOCOL=SSL3) and the check_imap try to connect with SSLv2.

After changing the imap-server to SSLv2, everything works fine with nagios, but the most clients cannot connect due to recommended security-settings (no SSLv2-use) anymore.

Best way would be a new parameter to select the protocol-version (SSLv2, SSLv3, TLSv1).

Kind Regards
Christian

Christian (christian-in-hamburg)
Changed in nagios-plugins:
status: Invalid → New
Daniel T Chen (crimsun)
Changed in nagios-plugins:
importance: Undecided → High
status: New → Confirmed
importance: High → Low
Revision history for this message
Matthias Eble (psychotrahe) wrote :

This is rather an issue of the IMAP daemon IMO.

from http://openssl.org/docs/ssl/SSL_CTX_new.html:
SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)

    A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best choice when compatibility is a concern.

So I'd say the server should accept v2 Hellos and end the connection if v2 is the only protocol the client can talk.
However maybe adding "--dont-use-sslvX" arguments would be a nice feature enhancement for nagios plugins.

Matthias

Revision history for this message
Jan Wagner (waja) wrote :

Upstream this bug is https://github.com/monitoring-plugins/monitoring-plugins/issues/993

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.