A new version of the widely used monitoring plugin check_esxi_hardware, to monitor the hardware of VMware ESXi servers, is available!
The newest release with version 20200605 contains two new features. See below for more details.
A new parameter --no-intrusion was added to add a couple of elements to the ignore list. These elements are related to chassis intrusion alerts and can sometimes be irrelevant, depending on hardware. See issue #42 on GitHub for more information.
Thanks to Luca Berra for the contribution!
Newer Linux distribution versions ship with stricter default security settings. On a fresh Debian 10 Buster, the default OpenSSL configuration refuses to communicate with any host that only offers a TLS version lower than 1.2. This causes problems when (for whatever reason) older ESXi servers need to be monitored: these older versions only speak TLS versions older than 1.2, and the following error message is shown:
root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret
Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 655, in connect
return self.sock.connect((self.host, self.port))
File "/usr/lib/python3.7/ssl.py", line 1150, in connect
self._real_connect(addr, False)
File "/usr/lib/python3.7/ssl.py", line 1141, in _real_connect
self.do_handshake()
File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./check_esxi_hardware.py", line 720, in <module>
instance_list = wbemclient.EnumerateInstances(classe)
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_operations.py", line 2494, in EnumerateInstances
**extra)
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_operations.py", line 1763, in _imethodcall
conn_id=self.conn_id)
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 824, in wbem_request
client.endheaders()
File "/usr/lib/python3.7/http/client.py", line 1239, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.7/http/client.py", line 1026, in _send_output
self.send(msg)
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 483, in send
self.connect() # pylint: disable=no-member
File "/usr/local/lib/python3.7/dist-packages/pywbem/_cim_http.py", line 661, in connect
conn_id=conn_id)
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
To work around this, a new parameter -S / --sslproto was added to check_esxi_hardware.py. With this parameter, a lower SSL/TLS minimum version can be defined for the connection:
root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret -S TLSv1.0
OK - Server: No Enclosure VMware Virtual Platform s/n: VMware-56 4d 2d 03 ea d4 41 97-89 af 93 78 33 7d 9e 32 System BIOS: 6.00 2017-05-19
When the -S / --sslproto parameter is used, the plugin creates a dedicated OpenSSL config file in /tmp for this particular ESXi target. The file uses the OpenSSL MinProtocol configuration option, which was (probably) introduced in OpenSSL 1.1.0. The OpenSSL changelog lists the new MinProtocol option under "Changes between 1.0.2h and 1.1.0":
Add support for setting the minimum and maximum supported protocol. It can be set via the SSL_set_min_proto_version() and SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and MaxProtocol.
By pointing OpenSSL at a dedicated config for a particular ESXi server, the system-wide OpenSSL settings are overridden for that plugin run only, and the plugin is able to talk to the ESXi server via Python and OpenSSL using the lower protocol version.
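The per-target config mechanism described above, as an added example in Python; this is not the plugin's own code. The file naming, the 0600/O_NOFOLLOW handling, the hostname sanitising and the import-order remark are assumptions; the section chain in the template is the one Debian's openssl.cnf uses for its system defaults.

```python
import os
import re
import tempfile

SUPPORTED_PROTOCOLS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # no SSLv3

CONFIG_TEMPLATE = """# system_default chain as in Debian's openssl.cnf, for {host}
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = {proto}
"""

def is_supported_protocol(proto):
    return proto in SUPPORTED_PROTOCOLS

def build_openssl_config(host, proto):
    """Return the config text; reject unknown protocol names early."""
    if not is_supported_protocol(proto):
        raise ValueError("unsupported protocol: %s" % proto)
    return CONFIG_TEMPLATE.format(host=host, proto=proto)

def config_path_for(host, directory=None):
    """Per-target file name; anything that is not a hostname character is
    replaced so the -H value cannot steer the write outside the directory."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", host).strip(".") or "target"
    return os.path.join(directory or tempfile.gettempdir(),
                        "openssl_%s.cnf" % safe)

def write_target_config(host, proto, directory=None):
    """Write with mode 0600 and refuse a pre-planted symlink in shared /tmp.
    Export OPENSSL_CONF=<path> before importing ssl/pywbem: OpenSSL reads it
    once at library init (assumption about the plugin's import order)."""
    path = config_path_for(host, directory)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as f:
        f.write(build_openssl_config(host, proto))
    return path

def read_min_protocol(path):
    """Parse MinProtocol back out of a written file (round-trip check)."""
    with open(path) as f:
        for line in f:
            key, _, value = line.partition("=")
            if key.strip() == "MinProtocol":
                return value.strip()
    return None
```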
If the plugin is unable to negotiate a connection with an old ESXi server, it now reports the failure as an UNKNOWN status instead of a traceback:
root@buster:~# ./check_esxi_hardware.py -H myesxi5server -U root -P secret
UNKNOWN: SSL error <class 'ssl.SSLError'>: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056); OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
In such a case, an older TLS or SSL protocol version needs to be set with -S / --sslproto.
Additional information can be found in issue #45 on GitHub.