[openssl-dev] [openssl.org #4043] monitoring software depending on openssl not working on cloudflare ssl websites

2015-09-15 Thread Horatiu N via RT
Greetings,

Using the nagios plugins (latest debian package for 8.1) to check
availability of https websites using cloudflare gives errors
> CRITICAL - Cannot make SSL connection.
> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

Same goes if I attempt to run
> openssl s_client -connect :443

This basically makes monitoring impossible at this time.
Any idea how to remedy this situation?

I attached a text file with sample domains as extracted from the
certificate's "Certificate Subject alt name".
It's reproducible on any target as long as it's online.

openssl version
> OpenSSL 1.0.1k 8 Jan 2015


dpkg -l openssl
> ii  openssl  1.0.1k-3+deb8u1  amd64  Secure Sockets Layer toolkit - cryptographic utility

Tried also to compile the newest one from openssl.org and use it, same
problem.




___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4043] monitoring software depending on openssl not working on cloudflare ssl websites

2015-09-15 Thread Horatiu N via RT
Thank you very much.

Have a lovely day :)

On 15-Sep-15 5:49 PM, Rob Stradling via RT wrote:
> Hi Horatiu.  To connect to a site that uses CloudFlare Universal SSL
> [1], you need to specify the SNI (Server Name Indication) header.
> Modern browsers do this by default, but for s_client you need to do this...
> 
> openssl s_client -connect :443 -servername 
> 
> This isn't an OpenSSL bug, so I suggest closing this ticket.
> 
> 
> [1] https://blog.cloudflare.com/introducing-universal-ssl/
> 
> On 15/09/15 15:33, Horatiu N via RT wrote:
>> Greetings,
>>
>> Using the nagios plugins (latest debian package for 8.1) to check
>> availability of https websites using cloudflare gives errors
>>> CRITICAL - Cannot make SSL connection.
>>> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
>>
>> Same goes if I attempt to run
>>> openssl s_client -connect :443
>>
>> This basically makes monitoring impossible at this time.
>> Any idea how to remedy this situation?
>>
>> I attached a text file with sample domains as extracted from the
>> certificate's "Certificate Subject alt name".
>> It's reproducible on any target as long as it's online.
>>
>> openssl version
>>> OpenSSL 1.0.1k 8 Jan 2015
>>
>>
>> dpkg -l openssl
>>> ii  openssl  1.0.1k-3+deb8u1  amd64  Secure Sockets Layer toolkit - cryptographic utility
>>
>> Tried also to compile the newest one from openssl.org and use it, same
>> problem.
> 



