The recently discovered CVE-2014-3566 (nicknamed Poodle) has generally caused a lot of configuration effort in the whole Internet. After 18 years in service (SSLv3 was published 1996!), suddenly SSLv3 needed to be disabled everywhere.
While on the HTTP side most browsers have been using TLS for a long time, the story is different on the smtp protocol. A typical example is the Nagios plugins check_smtp which can be used with the parameter "-S" to check the mail server with STARTTLS.
After disabling SSLv3 on the remote mail server, Nagios went wild and reported an alert (CRITICAL - Cannot make SSL connection).
When running the plugin manually, more information is shown:
./check_smtp -H mailserver.example.com -S
CRITICAL - Cannot make SSL connection.
140449663530656:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:
CRITICAL - Cannot create SSL context.
Looks like check_smtp wants to use sslv3, no matter what (hence sslv3 alert handshake failure).
Before you think "Oh! My Nagios plugins are old. That must be it!". BUZZ! Nope, it doesn't matter if you are using nagios-plugins 1.4.16 or the newest 2.0.3 (believe me, I've tried both).
The reason for this is the openssl command, which is used in the background by check_smtp:
openssl s_client -connect mailserver.example.com:25 -starttls smtp
CONNECTED(00000003)
139976003229344:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:732:
The error looks familiar, doesn't it? So let's check out the openssl version:
openssl version
OpenSSL 1.0.1 14 Mar 2012
Ugh. That's quite old, given all the openssl hickups in the past year. Let's check out the OS:
cat /etc/issue.net
Ubuntu 12.04.5 LTS
OK. To be honest: I expected a more recent version on an Ubuntu LTS - although it's not the newest LTS.
Let's compare this to a Debian Wheezy.
cat /etc/issue.net
Debian GNU/Linux 7
openssl version
OpenSSL 1.0.1e 11 Feb 2013
That looks newer. Wow, Debian is newer! (insider joke :) )
Let's do the same tests as before:
./check_smtp --help
check_smtp v1.4.16 (nagios-plugins 1.4.16)
./check_smtp -H mailserver.example.com -S
SMTP OK - 0.360 sec. response time|time=0.359723s;;;0.000000
Here it works. Simply because openssl is able to connect to the remote mailserver without using sslv3:
openssl s_client -connect mailserver.example.com:25 -starttls smtp
CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=XXXXXXXXXXXX/OU=GT12345678/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=mailserver.example.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
So before you blame your monitoring plugins, make sure your openssl version is able to handle TLS.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder