>>> We've found out that openssl shipped with CentOS 5 (old, I know) won't
>>> talk TLS by default.
>>
>> This depends on the application using OpenSSL.
>>
>>> So, once we cut off SSLv3, our Nagios scripts begin to fail, because
>>> they are not able to handshake with the monitored server.
>>
>> Which programs do your Nagios scripts use to probe your servers?
>> This is likely the place to look for solutions.
> Another potential problem is that you may have disabled processing of
> SSL-2.0-compatible Client Hellos in the servers. This is different
> from full SSL 2.0 support (or SSL 3.0), and can lead to
> interoperability issues as well.

Indeed, that seems to be my problem, as I'm using Apache 2.4. This thread[1] goes through the issue. Apache's mod_ssl dropped SSLv2Hello support for TLS-only servers some time ago.

I couldn't actually test it, because I am and will be out of work in the next days, but as soon as I can put my hands on it again, I'll tell you what I have found.

Thank you very much.

[1] http://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache

On Tue, Oct 28, 2014 at 4:23 PM, Edson Marquezani Filho <edsonmarquez...@gmail.com> wrote:
> Hello.
>
> I work for a major Internet company in my country, and we are starting
> to disable SSLv3 on our critical webservers, because of Poodle. But
> we're experiencing some side-effects as well.
>
> We've found out that openssl shipped with CentOS 5 (old, I know) won't
> talk TLS by default. So, once we cut off SSLv3, our Nagios scripts
> begin to fail, because they are not able to handshake with the
> monitored server. Forcing TLS on the client side solves it, but not every
> script has such an option. Even curl won't work unless you set the
> proper option (-1). So, it seems pretty clear to me that this is an
> openssl client-side behaviour. On CentOS 6, for example, it doesn't
> happen.
>
> Since upgrading every CentOS 5 box would be impossible, I was
> wondering if there was some kind of magic (compilation option, patch,
> global runtime configuration, anything) we could do on OpenSSL 0.9.8
> so that it will try TLS 1.0 by default, or at least do it when SSLv23
> doesn't work. I didn't find any configure option for it, though.
>
> Does anyone know how to do it?
>
> Thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
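The distinction the thread turns on is framing, not protocol version: an SSLv2-compatible Client Hello can advertise TLS 1.0 in its version field yet still be wrapped in the old 2-byte SSLv2 record header, and a server that has dropped SSLv2Hello processing rejects it before looking at that field. The following example, added here and not part of the thread or of OpenSSL, classifies the first bytes a client sends so an administrator can inventory which monitoring clients still depend on SSLv2-compatible framing before cutting SSLv3 on the servers. Both sample hellos are constructed inside the block (the cipher values, the fixed challenge and random bytes are arbitrary placeholders), and the builders only exist to produce test data; they are not how OpenSSL builds its hellos.

```python
"""Classify the first record a TLS client sends: an SSLv2-compatible
CLIENT-HELLO versus an SSLv3/TLS record-layer ClientHello.

Added example (not from the openssl-users thread). The two build_* helpers
construct sample bytes for the classifier; they are test data, not OpenSSL's
own hello construction."""
import struct
from dataclasses import dataclass
from typing import Optional

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


@dataclass(frozen=True)
class HelloInfo:
    framing: str          # "sslv2-compatible" or "sslv3-record"
    client_version: str   # highest protocol version the client advertises


def _name(ver):
    return VERSION_NAMES.get(ver, f"{ver[0]}.{ver[1]}")


def build_v2_compat_hello(version=(3, 1), cipher_specs=(b"\x00\x00\x2f",)) -> bytes:
    """Constructed SSLv2-compatible CLIENT-HELLO: 2-byte header with the high
    bit set and a 15-bit length, message type 0x01, advertised version, then
    cipher-spec / session-id / challenge lengths followed by their bodies."""
    challenge = b"\x11" * 16          # constructed, fixed so output is reproducible
    specs = b"".join(cipher_specs)    # v2 cipher specs are 3 bytes each
    body = bytes([0x01, version[0], version[1]])
    body += struct.pack("!HHH", len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_v3_hello(version=(3, 1), cipher_suites=(0x002F,)) -> bytes:
    """Constructed minimal record-layer ClientHello: TLS record header (type
    0x16) wrapping a handshake message of type 0x01 with no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = bytes(version) + b"\x22" * 32 + b"\x00"   # client_version, fixed random, empty session id
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_client_hello(data: bytes) -> Optional[HelloInfo]:
    """Return how the client framed its hello, or None if this is not a ClientHello."""
    if len(data) < 11:
        return None
    if data[0] & 0x80:
        # SSLv2 record with a 2-byte header: the high bit is set and the
        # remaining 15 bits are the length. Byte 2 is the v2 message type.
        if data[2] != 0x01:
            return None
        return HelloInfo("sslv2-compatible", _name((data[3], data[4])))
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # Record-layer framing: the client_version sits inside the handshake
        # body, after the 5-byte record header and 4-byte handshake header.
        return HelloInfo("sslv3-record", _name((data[9], data[10])))
    return None


def needs_sslv2hello(data: bytes) -> bool:
    """True when a server that no longer processes SSLv2-compatible hellos
    would reject this client, even though it may advertise TLS."""
    info = classify_client_hello(data)
    return info is not None and info.framing == "sslv2-compatible"


if __name__ == "__main__":
    for label, sample in (("v2-compatible", build_v2_compat_hello()),
                          ("record-layer", build_v3_hello())):
        print(label, classify_client_hello(sample), "needs SSLv2Hello:", needs_sslv2hello(sample))
```

Fed the first few bytes of each client connection from a capture, `needs_sslv2hello` separates clients that merely prefer SSLv3 (which a TLS-only server still handshakes with, since they use record-layer framing) from clients whose hello a server without SSLv2Hello processing will never parse; the latter are the ones that need the client-side "force TLS" change the thread describes before SSLv3 is switched off.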