monit-dev

Re: ssl version problem


From: Christian Hopp
Subject: Re: ssl version problem
Date: Fri, 31 Jan 2003 00:30:43 +0100 (CET)

On Thu, 30 Jan 2003, Mark F. wrote:

Hi Mark,

> I have an ssl test that is not working, maybe a bug since this part of
> the code is so new.

Maybe.

> I have set up monit on a Red Hat 7.1 system. The openssl is the latest
> provided by RH on their errata page (openssl-0.9.6-13 RPM).
> Here is the relevant part of my .monitrc file
> ==>

...

> <==
>
> Here the log output showing the test failing
> ==>
> [PST Jan 30 09:09:04] 'rrp' succeeded connecting to INET[localhost:648]
> [PST Jan 30 09:09:04] monit: Openssl syscall error during
> embed_ssl_socket(): Connection reset by peer!

That sounds strange to me.  I don't know if you get a "Connection reset by
peer" if there is a protocol mismatch.  I have never tried that... but I
can do so one of these days.

> [PST Jan 30 09:09:04] 'rrp' failed establish SSL communication on socket
> at INET[localhost:648]
> <==
>
> To get right down to it, I think the problem has to do with what version
> of the ssl protocol is being used for the check.
> For example:
> openssl s_client -connect localhost:648 -bugs         <--FAILS
> openssl s_client -connect localhost:648 -bugs -ssl2   <--FAILS
> openssl s_client -connect localhost:648 -bugs -ssl3   <--WORKS!
> openssl s_client -connect localhost:648 -bugs -tls1   <--FAILS
>
> So is there a way to force version 3 on the monit test? Maybe this can
> be controlled in the /usr/local/ssl/openssl.cnf file, but I didn't see
> it there.

Actually, an SSLv23 client method is used when connecting to the service.
That means SSLv3 is used, but it can roll back to SSLv2.

Christian

-- 
Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
TU Clausthal, Leibnizstr. 28, 38678 Clausthal-Zellerf.   fax: +49-5323-72-3197
                             pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/
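
Added example (not part of the original message, and not monit or OpenSSL code): when a service completes a handshake with `-ssl3` but not with the other options, as in the tests quoted above, it helps to check which hello framing and version a client actually sent. OpenSSL's SSLv23 client method of that era sends an SSLv2-format hello when SSLv2 is enabled; the C function below classifies the first bytes of a captured hello. The type names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum hello_kind { HELLO_UNKNOWN, HELLO_TRUNCATED, HELLO_V2_COMPAT, HELLO_V3_RECORD };

struct hello_info {
    enum hello_kind kind;
    unsigned ver_major, ver_minor;   /* highest protocol version the client offers */
};

/* Classify the first bytes a client sent after the TCP connect. */
static struct hello_info classify_hello(const unsigned char *b, size_t n)
{
    struct hello_info h = { HELLO_UNKNOWN, 0, 0 };
    if (n < 5) { h.kind = HELLO_TRUNCATED; return h; }
    /* SSLv2 framing: 2-byte length with high bit set, msg type 1, version. */
    if ((b[0] & 0x80) && b[2] == 0x01) {
        h.kind = HELLO_V2_COMPAT; h.ver_major = b[3]; h.ver_minor = b[4];
        return h;
    }
    /* SSLv3/TLS framing: content type 22, record version, 2-byte length,
       handshake type 1, 3-byte length, then client_version. */
    if (b[0] == 0x16 && b[1] == 0x03) {
        if (n < 11) { h.kind = HELLO_TRUNCATED; return h; }
        if (b[5] == 0x01) {
            h.kind = HELLO_V3_RECORD; h.ver_major = b[9]; h.ver_minor = b[10];
        }
    }
    return h;
}

/* Constructed sample prefixes (not captured from the system in the thread). */
static const unsigned char sample_v23[] =   /* v2-format hello offering 3.1 */
    { 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10 };
static const unsigned char sample_ssl3[] =  /* SSLv3 record, client_version 3.0 */
    { 0x16, 0x03, 0x00, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x00 };

int main(void)
{
    static const char *names[] =
        { "unknown", "truncated", "SSLv2-compatible hello", "SSLv3/TLS record" };
    struct hello_info a = classify_hello(sample_v23, sizeof sample_v23);
    struct hello_info b = classify_hello(sample_ssl3, sizeof sample_ssl3);
    printf("v23 client:  %s, offers %u.%u\n", names[a.kind], a.ver_major, a.ver_minor);
    printf("ssl3 client: %s, offers %u.%u\n", names[b.kind], b.ver_major, b.ver_minor);
    return 0;
}
```
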




