[openssl-dev] [openssl.org #4043] monitoring software depending on openssl not working on cloudflare ssl websites
Greetings, Using the nagios plugins (latest debian package for 8.1) to check availability of https websites using cloudflare gives errors > CRITICAL - Cannot make SSL connection. > 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 > alert internal error:s23_clnt.c:770: same goes if i attempt to run > openssl s_client -connect :443 This basically makes monitoring impossible at this time, Any idea how to remedy this situation ? i attached a textfile with sample domains as extracted from the certificate's "Certificate Subject alt name" it's reproducible on any target as long as it's online openssl version > OpenSSL 1.0.1k 8 Jan 2015 dpkg -l openssl > ii openssl 1.0.1k-3+deb8u1amd64 Secure > Sockets Layer toolkit - cryptographic utility tried also to compile the newest one from openssl.org and use it, same problem. *.bluusun.com *.coridonculturevoyages.com *.filelist.ro *.flro.org *.footsy.ml *.futurete.pt *.howtowork.ru *.indiviser.ru *.jungs.ru *.linica.ru *.metafront.ru *.mightytravels.com *.segabite.ru *.shrine.moe *.soundgreat.ru *.supersadovod.ru *.tactum.ru *.theonlyjoy.ru *.wakarimasenlol.com bluusun.com coridonculturevoyages.com filelist.ro flro.org footsy.ml futurete.pt howtowork.ru indiviser.ru jungs.ru linica.ru metafront.ru mightytravels.com segabite.ru shrine.moe soundgreat.ru supersadovod.ru tactum.ru theonlyjoy.ru wakarimasenlol.com *.alvimu.ga *.bellowusersyp10.cf *.blankorientalvr40.ga *.carterjk.com *.dualmountingbg66.ml *.improverespectedml51.gq *.lovableshooterfm10.gq *.mutesnoutedof56.ml *.muztube.com *.oberonrarean96.gq *.paristravelbook.net *.prospectusnebulamj12.ml *.quarkrollesyp10.ga *.travelstokyo.net *.triple.ph *.triple.site *.vomeratomzj61.ga *.waxmanassociates.com *.werremeyer.com alvimu.ga bellowusersyp10.cf blankorientalvr40.ga carterjk.com dualmountingbg66.ml improverespectedml51.gq lovableshooterfm10.gq mutesnoutedof56.ml muztube.com oberonrarean96.gq paristravelbook.net prospectusnebulamj12.ml quarkrollesyp10.ga travelstokyo.net triple.ph triple.site vomeratomzj61.ga waxmanassociates.com werremeyer.com smime.p7s Description: S/MIME cryptographic signature ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4043] monitoring software depending onopenssl not working on cloudflare ssl websites
Thank you very much. Have a lovely day :) On 15-Sep-15 5:49 PM, Rob Stradling via RT wrote: > Hi Horatiu. To connect to a site that uses CloudFlare Universal SSL > [1], you need to specify the SNI (Server Name Indication) header. > Modern browsers do this by default, but for s_client you need to do this... > > openssl s_client -connect :443 -servername > > This isn't an OpenSSL bug, so I suggest closing this ticket. > > > [1] https://blog.cloudflare.com/introducing-universal-ssl/ > > On 15/09/15 15:33, Horatiu N via RT wrote: >> Greetings, >> >> Using the nagios plugins (latest debian package for 8.1) to check >> availability of https websites using cloudflare gives errors >>> CRITICAL - Cannot make SSL connection. >>> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 >>> alert internal error:s23_clnt.c:770: >> >> same goes if i attempt to run >>> openssl s_client -connect :443 >> >> This basically makes monitoring impossible at this time, >> Any idea how to remedy this situation ? >> >> i attached a textfile with sample domains as extracted from the >> certificate's "Certificate Subject alt name" >> it's reproducible on any target as long as it's online >> >> openssl version >>> OpenSSL 1.0.1k 8 Jan 2015 >> >> >> dpkg -l openssl >>> ii openssl 1.0.1k-3+deb8u1amd64 >>> Secure Sockets Layer toolkit - cryptographic utility >> >> tried also to compile the newest one from openssl.org and use it, same >> problem. > smime.p7s Description: S/MIME cryptographic signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev