> echo "" | openssl s_client -verify 3 -CAfile ${CAfile} -servername ${HOST} -connect ${IP}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} &
You don't define an SSL protocol here. The default, or the one defined in
openssl.cfg, is used. Check that assp has the same one enabled in
'SSL_version'.
You don't set a cipherlist here, so openssl will use the default or the
cipherlist defined in openssl.cfg. If a cipherlist is set in assp.cfg,
check that they match.
Check which openssl source was used for your openssl installation and for
the SSL Perl modules. If they are different, check the openssl change log
to see whether they are incompatible.
You may also use the 'SSL....Configure' callbacks to set a different
ssl-protocol/cipherlist for different interfaces in assp.
>error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO
This indicates that a wrong protocol is used - possibly Zabbix uses TLSv1
only, because of a newer openssl version? :-)
>In fact there's nothing wrong, but only the IP of the Zabbix-server is
blacklisted for doing TLS.
Including your Zabbix server's IP in 'noBanFailedSSLIP' will prevent the
SSL blocking by the cache.
FOR ALL !!!! - AND AGAIN - (to make a noise - so that everyone can hear it)
It is not recommended to monitor assp via the SMTP or SMTPS ports. The
result only says that one worker is alive - it will tell you nothing about
the state of assp.
Use the STATS interface/port instead - there you'll get all the
information - STATS or simply 'healthy' or 'not healthy' - read
'webStatPort' in the GUI.
This could also be used to retrieve the SSL certificate if
'enableWebStatSSL' is set to ON.
Thomas
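An added example, not from Thomas or the ASSP project: a small report over ASSP maillog lines that shows which client IPs produced "retry (N) SSL negotiation" warnings and "Couldn't upgrade to TLS" errors. The IPs with errors are the ones ASSP will have put into its failed-SSL cache, so a monitoring host that turns up there is exactly the candidate for noBanFailedSSLIP (or for removal from the cache in the web interface). The sample log is constructed from the lines quoted below in Jean-Pierre's message plus one made-up client, 192.0.2.10; the field positions assume the maillog layout shown there (date, time, [Worker_N], client IP, message).

```shell
#!/bin/sh
# Added example (not ASSP code). Summarises ASSP maillog lines read on stdin:
# one line per client IP with the number of "retry (N) SSL negotiation"
# warning lines and "Couldn't upgrade to TLS" error lines it produced.
tls_upgrade_report() {
    awk '
        # "May-22-14 00:23:26 [Worker_2] 81.169.140.52 info: retry (3) SSL ..."
        # the client IP is the 4th whitespace-separated field
        /info: retry \([0-9]+\) SSL negotiation/ {
            retries[$4]++; seen[$4] = 1
        }
        # "... error: Couldn.t upgrade to TLS for client 81.169.140.52: SSL accept ..."
        /error: Couldn.t upgrade to TLS for client/ {
            ip = $0
            sub(/.*for client /, "", ip)
            sub(/:.*/, "", ip)
            failures[ip]++; seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s retries=%d failures=%d\n", ip, retries[ip] + 0, failures[ip] + 0
        }
    ' | sort
}

# tls_failed_ips: only the IPs that hit the error, i.e. the ones ASSP adds to
# its failed-SSL cache (DB-SSL). A monitoring host listed here is the
# candidate for noBanFailedSSLIP.
tls_failed_ips() {
    tls_upgrade_report | awk '$3 != "failures=0" { print $1 }'
}

# sample_log: constructed from the lines quoted in this thread, plus one
# unrelated client (192.0.2.10, a documentation address) that only retried.
sample_log() {
cat <<'EOF'
May-22-14 00:23:21 [Worker_2] 81.169.140.52 info: got STARTTLS request from 81.169.140.52
May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 220 2.0.0 Ready to start TLS
May-22-14 00:23:26 [Worker_2] 81.169.140.52 info: retry (3) SSL negotiation - peer socket was not ready
May-22-14 00:23:26 [Worker_2] 81.169.140.52 error: Couldn't upgrade to TLS for client 81.169.140.52: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May-22-14 00:30:00 [Worker_1] 192.0.2.10 info: retry (1) SSL negotiation - peer socket was not ready
EOF
}

# Usage: ./tls_upgrade_report /opt/ASSP/logs/maillog.txt
# Without an argument it reports on the constructed sample above.
if [ $# -gt 0 ]; then
    tls_upgrade_report < "$1"
else
    sample_log | tls_upgrade_report
fi
```

The report counts lines, so a single "retry (3)" warning counts as one retry line; the number in parentheses is ASSP's own attempt counter.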
From: Jean-Pierre van Melis <j...@mirmana.com>
To: assp-test@lists.sourceforge.net <assp-test@lists.sourceforge.net>
Date: 22.05.2014 08:30
Subject: [Assp-test] My Zabbix server gets banned from using SSL
To check the expiration date of SSL certificates I wrote a script 2 years
ago that has been working fine all this time.
It uses openssl to connect, extracts the date and calculates for how many
days that certificate is still valid.
If you merely supply the hostname it will connect to port 443, but if you
supply a port number it will connect to that port instead.
If the port is 25 or 587 it will connect with TLS (using the openssl
options -crlf -starttls smtp).
I call this script with Zabbix to test hundreds of servers every 20
minutes.
Zabbix is a monitoring system like Nagios.
If a certificate is about to expire I will get a warning.
I will also get a warning if it is unable to read the certificate.
This week I migrated my Zabbix to a new server. This time it is CentOS 6.
Reading these certificates still works with all these hundreds of services,
but the 3 ASSP proxies I'm checking sometimes stop doing SSL.
If ASSP has an error with SSL it will add that IP to DB-SSL, and all future
connections with that IP will not be offered the option STARTTLS.
This means I will get the error message that there's something wrong with
the certificate of that ASSP.
In fact there's nothing wrong, but only the IP of the Zabbix-server is
blacklisted for doing TLS.
Do note that this has been working reliably for more than 2 years, and it
is still reliable for all these other services.
It's also working for ASSP until it suddenly bumps into an error.
In ASSP (and in Zabbix of course) I can see when it happened, and I get
these 2 lines in my log:
#grep -B100 00:23:26 /opt/ASSP/logs/maillog.txt | grep 81.169.140.52
May-22-14 00:23:21 [Worker_2] Connected: session:7F5D74D678D0 81.169.140.52:55539 > 85.214.250.20:587 > 85.214.250.20:25
May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 220 ns5.mr-wolf.nl ESMTP Postfix (Ubuntu)
May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 250 DSN
May-22-14 00:23:21 [Worker_2] 81.169.140.52 info: got STARTTLS request from 81.169.140.52
May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 220 2.0.0 Ready to start TLS
May-22-14 00:23:26 [Worker_2] 81.169.140.52 info: retry (3) SSL negotiation - peer socket was not ready
May-22-14 00:23:26 [Worker_2] 81.169.140.52 error: Couldn't upgrade to TLS for client 81.169.140.52: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
If I go to ASSP's webIF I can delete the IP 81.169.131.53 and it starts
working again.
Normally a session would look like this:
May-21-14 23:52:29 [Worker_2] Connected: session:10C08500 81.169.140.52:48680 > 85.214.250.20:587 > 85.214.250.20:25
May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 220 ns5.mr-wolf.nl ESMTP Postfix (Ubuntu)
May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 250 DSN
May-21-14 23:52:29 [Worker_2] 81.169.140.52 info: got STARTTLS request from 81.169.141.63
May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 220 2.0.0 Ready to start TLS
May-21-14 23:52:29 [Worker_2] Disconnected: session:10C08500 81.169.140.52 - processing time 0 seconds
What could be the reason for this?
Here's the script I wrote to test the expiry date.
I have some more scripts for SSL connections, and they have been very
valuable for me to quickly check a connection.
I will post certexpire (the script that's also being called by Zabbix) and
certinfo. The latter I often use on the prompt to quickly get some info
about a certificate.
# cat /usr/local/sbin/certexpire
#!/bin/bash
# Author: JP van Melis
# Prints the number of days until the certificate served on HOST:PORT
# expires; prints -0.5 if no certificate could be retrieved.
export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin
TIMEOUT=10
RETVAL=-0.5
# If called by zabbix, handle some things differently
if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then
  # get rid of 1st parameter (on Zabbix 1.8x)
  # shift 1
  # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf
  ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'`
  if [ -z "${ZABBIX_TIMEOUT}" ] ; then
    TIMEOUT=3
  else
    # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf
    # and just hope to be in time
    TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 ))
  fi
fi
# Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted
# This way it works on both
HOST=`echo "$*" | awk '{print $1}'`
PORT=`echo "$*" | awk '{print $2}'`
SCRATCH=`mktemp`
[ -z "${HOST}" ] && exit 1
[ -z "${PORT}" ] && PORT=443
# openssl is able to check plain smtp/pop3/ftp/imap connections
# that use TLS to setup a secure connection
TLS=
echo "${PORT}" | egrep -q '^(25|587)$' && TLS="-crlf -starttls smtp"
echo "${PORT}" | egrep -q '^110$' && TLS="-starttls pop3"
echo "${PORT}" | egrep -q '^21$' && TLS="-starttls ftp"
echo "${PORT}" | egrep -q '^143$' && TLS="-starttls imap"
# Retrieve Certificate in background because openssl s_client has no timeout option.
# Note: no -CAfile is passed, so the chain is NOT validated here; only the
# leaf certificate's expiry date is read.
echo "" | openssl s_client -servername "${HOST}" -connect "${HOST}:${PORT}" ${TLS} 2>/dev/null >"${SCRATCH}" &
SSLPID=$!
sleep .1
# double the TIMEOUT and wait for half a second each time
let TIMEOUT*=2
# Wait for the complete certificate (s_client writes "CONNECTED" first, so a
# non-empty file alone does not mean the certificate has arrived yet)
n=1
while ! grep -q -- '-END CERTIFICATE-' "${SCRATCH}" 2>/dev/null ; do
  sleep .48
  [ $n -ge ${TIMEOUT} ] && break
  let n++
done
# Give openssl up to a second to flush its output and exit on its own
# (it exits once it has consumed the empty stdin)
m=0
while kill -0 ${SSLPID} 2>/dev/null && [ $m -lt 10 ] ; do sleep .1 ; let m++ ; done
# Too late you lazy bastard, I might as well kill you... (harmless if it already exited)
kill -9 ${SSLPID} 2>/dev/null
wait ${SSLPID} 2>/dev/null
# If we have retrieved the certificate, we'll process it and retrieve the expiration date
if [ -s "${SCRATCH}" ] ; then
  EXPIRE_DATE=`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${SCRATCH}" | openssl x509 -enddate -noout 2>/dev/null | sed 's/notAfter\=//'`
  if [ ! -z "${EXPIRE_DATE}" ]; then
    EXPIRE_SECS=`date -d "${EXPIRE_DATE}" +%s`
    EXPIRE_TIME=$(( ${EXPIRE_SECS} - `date +%s` ))
    # We finally have it...
    RETVAL=$(( ${EXPIRE_TIME} / 24 / 3600 ))
  fi
fi
rm -f "${SCRATCH}" 2>/dev/null
echo ${RETVAL}
Here's certinfo:
# cat /usr/local/sbin/certinfo
#!/bin/bash
# Author: JP van Melis
# Prints subject, issuer, validity and DNS names of the certificate served on
# HOST:PORT and flags chain-verification and name-mismatch problems.
export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin
TIMEOUT=10
RETVAL=3
# location on Debian based Linux, run "update-ca-certificates" if you don't have them
CAfile=/etc/ssl/certs/ca-certificates.crt
# Try Redhat based
[ -e "${CAfile}" ] || CAfile=/etc/pki/tls/certs/ca-bundle.crt
if [ ! -e "${CAfile}" ] ; then
  echo "No Certificate Authority Bundle found" >&2
  exit 1
fi
# If called by zabbix, handle some things differently
if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then
  # get rid of 1st parameter (on Zabbix 1.8x)
  # shift 1
  # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf
  ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'`
  if [ -z "${ZABBIX_TIMEOUT}" ] ; then
    TIMEOUT=3
  else
    # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf
    # and just hope to be in time
    TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 ))
  fi
fi
# Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted
# This way it works on both
HOST=`echo "$*" | awk '{print $1}' | tr 'A-Z' 'a-z'`
PORT=`echo "$*" | awk '{print $2}' | tr -cd '0-9'`
SCRATCH=`mktemp`
TMP1=`mktemp`
TMP2=`mktemp`
esc="\033["
RED="31;40;1m"
GREEN="32;40;1m"
[ -z "${HOST}" ] && exit 1
[ -z "${PORT}" ] && PORT=443
HOSTWITHIP=${HOST}
IP=${HOST}
# If HOST contains letters it is a name: resolve it, but keep the name for
# SNI (-servername) and for the name check further down
if [ "${HOST}" != "${HOST//[a-z]/}" ]; then
  IP=`host -t A "${HOST}" 2>/dev/null | egrep -o 'has address [0-9.]+' | head -n1 | awk '{print $3}'`
  HOSTWITHIP="${HOST} (${IP})"
  if [ -z "${IP}" ] ; then
    echo -e "${esc}${RED}Error resolving ${HOST}${esc}0m" >&2
    exit 1
  fi
fi
# openssl is able to check plain smtp/pop3/ftp/imap connections
# that use TLS to setup a secure connection
TLS=
case "${PORT}" in
  21) TLS="-starttls ftp";;
  25|587) TLS="-crlf -starttls smtp";;
  110) TLS="-starttls pop3";;
  143) TLS="-starttls imap";;
esac
# Retrieve Certificate in background because openssl s_client has no timeout option.
# -verify 3 -CAfile make the 'Verify return code' line meaningful; it is checked below.
echo "" | openssl s_client -verify 3 -CAfile "${CAfile}" -servername "${HOST}" -connect "${IP}:${PORT}" ${TLS} 2>/dev/null >"${SCRATCH}" &
SSLPID=$!
sleep .1
# double the TIMEOUT and wait for half a second each time
let TIMEOUT*=2
# Wait for the complete certificate (s_client writes "CONNECTED" first, so a
# non-empty file alone does not mean the certificate has arrived yet)
n=1
while ! grep -q -- '-END CERTIFICATE-' "${SCRATCH}" 2>/dev/null ; do
  sleep .48
  [ $n -ge ${TIMEOUT} ] && break
  let n++
done
# Give openssl up to a second to flush its output (including the verify
# result) and exit on its own; it exits once it has consumed the empty stdin
m=0
while kill -0 ${SSLPID} 2>/dev/null && [ $m -lt 10 ] ; do sleep .1 ; let m++ ; done
# Too late you lazy bastard, I might as well kill you... (harmless if it already exited)
kill -9 ${SSLPID} 2>/dev/null
wait ${SSLPID} 2>/dev/null
# If we have retrieved the certificate, we'll process it and retrieve the domain names
if [ -s "${SCRATCH}" ] ; then
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${SCRATCH}" | openssl x509 -text -noout 2>/dev/null >"${TMP1}"
  #cat ${TMP1}
  REMARK=
  [ -z "${TLS}" ] || REMARK="(using TLS)"
  echo -e "\nCertificate info for host ${esc}${GREEN}${HOSTWITHIP}${esc}0m on port ${PORT} ${esc}${GREEN}${REMARK}${esc}0m\n"
  CN=`grep -i "Subject:" "${TMP1}" | egrep -o 'CN=[A-Za-z0-9=:/. @_-]+' | awk -F= '{print $2}'`
  echo " CN: ${CN}"
  echo -e '\n Subject:'
  grep -i "Subject:" "${TMP1}" | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/    &/'
  # chain verification result as reported by s_client (-verify 3 -CAfile above)
  grep -i 'Verify return code' "${SCRATCH}" | grep -qi '(ok)' || echo -e "    ${esc}${RED}Not certified by an Authority!!${esc}0m"
  echo ' Issuer:'
  # grep -i "Issuer:" ${TMP1}
  grep -i "Issuer:" "${TMP1}" | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/    &/'
  echo -e "\n Validity:"
  FROM_DATE=`grep -io 'Not Before.*' "${TMP1}" | head -n1 | awk -F: '{print $2":"$3":"$4}'`
  # red if the certificate is not valid yet
  [ ! -z "${FROM_DATE}" ] && [ `date -d "${FROM_DATE}" +%s` -ge `date +%s` ] && echo -en "${esc}${RED}"
  echo -e "  Valid since: ${FROM_DATE}${esc}0m"
  EXPIRE_DATE=`grep -io 'Not After.*' "${TMP1}" | head -n1 | awk -F: '{print $2":"$3":"$4}'`
  if [ ! -z "${EXPIRE_DATE}" ] ; then
    # highlighted if it expires within a month, red if it has already expired
    [ `date -d "${EXPIRE_DATE}" +%s` -lt `date -d "next month" +%s` ] && echo -en "${esc}${GREEN}"
    [ `date -d "${EXPIRE_DATE}" +%s` -lt `date +%s` ] && echo -en "${esc}${RED}"
  fi
  echo -e "  Expires on: ${EXPIRE_DATE}${esc}0m"
  # Create a greplist with DNS names converted to regular expressions
  egrep -o 'DNS:[*A-Za-z0-9.-]+' "${TMP1}" | awk -F: '{print $2}' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >"${TMP2}"
  echo -e "\nDNS names: "
  if [ -s "${TMP2}" ] ; then
    echo "${HOST}" | grep -qif "${TMP2}" || echo -e "    ${esc}${RED}Name Mismatch!!${esc}0m no DNS name matches ${esc}${GREEN}${HOST}${esc}0m"
    egrep -o 'DNS:[*a-zA-Z0-9.-]+' "${TMP1}" | awk -F: '{print $2}' | sed 's/.*/    &/'
  else
    # There are NO DNS names, put CN in the greplist
    echo -en "${CN}" | tr 'A-Z' 'a-z' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >"${TMP2}"
    echo -e "    ${esc}${RED}No DNS names in certificate${esc}0m\n"
    if echo "${HOST}" | grep -qif "${TMP2}" ; then
      echo -e "    ${esc}${GREEN}${HOST} matches CN${esc}0m"
    else
      echo -e "    ${esc}${GREEN}${HOST} ${esc}${RED}does NOT match CN ${CN}${esc}0m"
    fi
  fi
  echo -e '\n'
fi
rm -f "${SCRATCH}" "${TMP1}" "${TMP2}" 2>/dev/null
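An added example, not part of Jean-Pierre's post and not ASSP or Zabbix code: the core of certexpire reworked so that the failure in this thread (STARTTLS no longer being offered because ASSP has put the monitoring IP into its failed-SSL cache) is reported separately from a bad or expiring certificate, instead of both collapsing into "unable to read the certificate". Note that certexpire as posted passes no -CAfile, so the chain is never validated and only the leaf's notAfter is read; the live check below passes one and reports the verify result. Assumptions: GNU date, coreutils timeout(1), and that s_client's output carries the usual "... starttls in server response ..." line (printed when the server's EHLO reply does not advertise STARTTLS; the wording differs between OpenSSL 1.0.x and 1.1+, so only the common part is matched) and a "Verify return code: N (...)" line. The texts fed to the classifier in the test are constructed, not captured.

```shell
#!/bin/bash
# Added example (not the certexpire script from the post). Assumes GNU date,
# coreutils timeout(1) and openssl s_client on the PATH.

# classify_s_client: read captured `openssl s_client` output on stdin and
# print exactly one of:
#   no-starttls       the server did not advertise STARTTLS (what ASSP shows
#                     to an IP in its failed-SSL cache)
#   no-cert           no PEM certificate in the output (handshake failed)
#   verify-failed:N   a certificate arrived but chain/date verification failed
#   ok                certificate received and verified
classify_s_client() {
    local out code
    out=$(cat)
    # OpenSSL 1.0.x: "didn't found starttls in server response, try anyway"
    # OpenSSL 1.1+:  "Didn't find STARTTLS in server response, trying anyway..."
    if printf '%s\n' "$out" | grep -qi 'starttls in server response'; then
        echo no-starttls; return 0
    fi
    if ! printf '%s\n' "$out" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo no-cert; return 0
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n1)
    if [ -n "$code" ] && [ "$code" != 0 ]; then
        echo "verify-failed:$code"; return 0
    fi
    echo ok
}

# days_left ENDDATE NOW: ENDDATE is an `openssl x509 -enddate -noout` line
# such as "notAfter=May 22 00:23:21 2015 GMT", NOW a Unix epoch. Prints the
# whole days remaining, negative once the certificate has expired.
days_left() {
    local enddate="${1#notAfter=}" now="$2" exp
    exp=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# check_cert HOST [PORT] [CAFILE]: the live check. timeout(1) replaces the
# background-job-plus-kill dance, -CAfile makes the verify result meaningful,
# and the classification goes to stderr so the caller can tell a banned IP
# from a real certificate problem. Prints days left on success.
check_cert() {
    local host="$1" port="${2:-443}" cafile="${3:-/etc/ssl/certs/ca-certificates.crt}"
    local starttls="" out status
    case "$port" in
        21)     starttls="-starttls ftp" ;;
        25|587) starttls="-starttls smtp -crlf" ;;
        110)    starttls="-starttls pop3" ;;
        143)    starttls="-starttls imap" ;;
    esac
    # $starttls is intentionally unquoted so it splits into separate options
    out=$(timeout 10 openssl s_client -servername "$host" -connect "$host:$port" \
              -CAfile "$cafile" $starttls </dev/null 2>&1)
    status=$(printf '%s\n' "$out" | classify_s_client)
    if [ "$status" != ok ]; then
        echo "$host:$port $status" >&2
        return 2
    fi
    # openssl x509 skips everything before the first PEM block
    days_left "$(printf '%s\n' "$out" | openssl x509 -enddate -noout)" "$(date +%s)"
}

# Usage: ./certcheck host [port] [cafile]. Without arguments the classifier
# is run over a constructed sample (not real s_client output).
if [ $# -gt 0 ]; then
    check_cert "$@"
else
    printf '250 DSN\n%s\n' "Didn't find STARTTLS in server response, trying anyway..." | classify_s_client
fi
```

Wired into Zabbix the same way certexpire is, the exit status and the stderr line let a "no-starttls" result be alerted on as "monitoring IP is in ASSP's failed-SSL cache" rather than as a certificate problem.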
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform
available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test