Hi Thomas,

Thanks for all your feedback and I hope I will find time this weekend to check 
if I can improve that script.

However, I can't see the relevance of the remark you made about monitoring.

The script certexpire has been executed on more than 1000 connections every 20 
minutes for several years and on many occasions it gave me valuable info about 
the state of these foreign services.
Its purpose was warning for expired certificates. Most of the time these 
expired certificates were from other companies.
This is the first time it gave me a false positive (and in fact it wasn't 
really a false positive as it wasn't able to get an SSL connection).

The information a program gives about its own state is completely different 
from monitoring its behaviour.

Cheers and thanks.
If I find the exact reason I will post it here.

JP 

-----Original message-----
> From: Thomas Eckardt <thomas.ecka...@thockar.com>
> Sent: Friday 23 May 2014 12:28
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: Re: [Assp-test] My Zabbix server gets banned from using SSL
> 
> >echo "" | openssl s_client -verify 3 -CAfile ${CAfile} -servername ${HOST} -connect ${IP}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} &
> 
> You don't define an SSL protocol here. The default or the one defined in 
> openssl.cfg is used. Check that assp has the same enabled in 
> 'SSL_version'.
> 
> You don't set a cipherlist here - so openssl will use the default or the 
> cipherlist defined in the openssl.cfg. If a cipherlist is set in assp.cfg 
> - check if they match.
> Check which openssl source was used for your openssl installation and the 
> SSL Perl modules. If they are different, check the openssl change log if 
> they are incompatible.
> 
> You may also use the 'SSL....Configure' callbacks to set different 
> ssl-protocol/cipherlist for different interfaces in assp.
> 
> >error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO
> 
> This indicates a wrong protocol is used - possibly Zabbix uses TLSv1 only, 
> because of a newer openssl version? :-)
> 
> >In fact there's nothing wrong, but only the IP of the Zabbix-server is 
> blacklisted for doing TLS.
> 
> Including your Zabbix server's IP into 'noBanFailedSSLIP' will prevent 
> the SSL blocking by cache.
> 
> 
> FOR ALL !!!! - AND AGAIN - (to make a noise - that everyone can hear it)
> 
> It is not recommended to monitor assp via SMTP or SMTPS ports. The result 
> only says that one worker is alive - it will tell you nothing about the 
> state of assp.
> Use the STATS interface/port instead - there you'll get all information - 
> STATS or simply 'healthy' or 'not healthy' - read the GUI 'webStatPort'.
> This could be also used to retrieve the SSL certificate if 
> 'enableWebStatSSL' is set to ON.
> 
> Thomas 
> 
> From:    Jean-Pierre van Melis <j...@mirmana.com>
> To:      assp-test@lists.sourceforge.net
> Date:    22.05.2014 08:30
> Subject: [Assp-test] My Zabbix server gets banned from using SSL
> 
> To check the expiration date of SSL-certificates I wrote a script 2 years 
> ago that has been working fine all this time.
> It uses openssl to connect and extracts the date and calculates how many 
> days that certificate is valid.
> 
> If you merely supply the hostname it will connect to port 443, but if you 
> supply a port number it will connect to another port.
> If the port is 25 or 587 it will connect with TLS (using the openssl 
> options -crlf -starttls smtp).
> 
> I call this script with Zabbix to test hundreds of servers every 20 
> minutes. 
> Zabbix is a monitoring system like Nagios.
> If a certificate is about to expire I will get a warning.
> I will also get a warning if it is unable to read the certificate.
> 
> This week I migrated my Zabbix to a new server. This time it is CentOS 6.
> Reading these certificates still works with all these hundreds of services, 
> but the 3 ASSP proxies I'm checking sometimes stop doing SSL.
> 
> If ASSP has an error with SSL it will add that IP to DB-SSL and all future 
> connections with that IP will not be offered the option STARTTLS.
> This means I will get the error message that there's something wrong with 
> the certificate of that ASSP.
> In fact there's nothing wrong, but only the IP of the Zabbix-server is 
> blacklisted for doing TLS.
> 
> Do note that this has been working reliably for more than 2 years and it is 
> still reliable for all these other services.
> It's also working for ASSP until it suddenly bumps into an error.
> 
> In ASSP (and in Zabbix of course) I can see when it happened and I get 
> these 2 lines in my log.
> 
> #grep -B100 00:23:26 /opt/ASSP/logs/maillog.txt | grep  81.169.140.52
> May-22-14 00:23:21 [Worker_2] Connected: session:7F5D74D678D0 81.169.140.52:55539 > 85.214.250.20:587 > 85.214.250.20:25
> May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 220 ns5.mr-wolf.nl ESMTP Postfix (Ubuntu)
> May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 250 DSN
> May-22-14 00:23:21 [Worker_2] 81.169.140.52 info: got STARTTLS request from 81.169.140.52
> May-22-14 00:23:21 [Worker_2] 81.169.140.52 [SMTP Reply] 220 2.0.0 Ready to start TLS
> May-22-14 00:23:26 [Worker_2] 81.169.140.52 info: retry (3) SSL negotiation - peer socket was not ready
> May-22-14 00:23:26 [Worker_2] 81.169.140.52 error: Couldn't upgrade to TLS for client 81.169.140.52: SSL accept attempt failed with unknown error error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> 
> 
> If I go to ASSP's webIF I can delete the IP 81.169.131.53 and it starts 
> working again.
> 
> Normally a session would look like this:
> 
> May-21-14 23:52:29 [Worker_2] Connected: session:10C08500 81.169.140.52:48680 > 85.214.250.20:587 > 85.214.250.20:25
> May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 220 ns5.mr-wolf.nl ESMTP Postfix (Ubuntu)
> May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 250 DSN
> May-21-14 23:52:29 [Worker_2] 81.169.140.52 info: got STARTTLS request from 81.169.141.63
> May-21-14 23:52:29 [Worker_2] 81.169.140.52 [SMTP Reply] 220 2.0.0 Ready to start TLS
> May-21-14 23:52:29 [Worker_2] Disconnected: session:10C08500 81.169.140.52 - processing time 0 seconds
> 
> What could be the reason of this?
> 
> 
> 
> Here's the script I wrote to test the expiry date.
> I have some more scripts for SSL connections and they were very valuable 
> for me to quickly check a connection.
> I will post certexpire (the script that's also being called by Zabbix) and 
> certinfo. The latter I often use on the prompt to quickly get some info 
> about a certificate.
> 
> # cat /usr/local/sbin/certexpire
> 
> #!/bin/bash
> # Author: JP van Melis
> 
> export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin
> 
> TIMEOUT=10
> RETVAL=-0.5
> 
> # If called by zabbix, handle some things different
> if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then
>   # get rid of 1st parameter (on Zabbix 1.8x)
>   # shift 1
> 
>   # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf
>   ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'`
>   if [ -z "${ZABBIX_TIMEOUT}" ] ; then
>     TIMEOUT=3
>   else
>     # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf and just hope to be in time
>     TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 ))
>   fi
> fi
> 
> # Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted
> # This way it works on both
> HOST=`echo "$*" | awk '{print $1}'`
> PORT=`echo "$*" | awk '{print $2}'`
> SCRATCH=`mktemp`
> 
> [ -z "${HOST}" ] && exit 1
> [ -z "${PORT}" ] && PORT=443
> 
> # openssl is able to check plain smtp/pop3/ftp/imap connections
> # that use TLS to setup a secure connection
> TLS=
> echo "${PORT}" | egrep -q '^(25|587)$'  && TLS="-crlf -starttls smtp"
> echo "${PORT}" | egrep -q '^110$'       && TLS="-starttls pop3"
> echo "${PORT}" | egrep -q '^21$'        && TLS="-starttls ftp"
> echo "${PORT}" | egrep -q '^143$'       && TLS="-starttls imap"
> 
> # Retrieve Certificate in background because it doesn't support TimeOuts
> # exec 2>/dev/null doesn't seem to be necessary if called this way....
> echo "" | openssl s_client -servername ${HOST} -connect ${HOST}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} &
> # remember the PID of the background openssl so it can be killed by PID later
> OPENSSL_PID=$!
> sleep .1
> 
> # double the TIMEOUT and wait for half a second each time
> let TIMEOUT*=2
> 
> # Wait for certificate
> n=1
> while [ ! -s ${SCRATCH} ] ; do
>   sleep .48
>   [ $n -ge ${TIMEOUT} ] && break
>   let n++
> done
> 
> # If we have retrieved the certificate, we'll process it and retrieve the expiration date
> if [ -s ${SCRATCH} ] ; then
>   EXPIRE_DATE=`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' ${SCRATCH} | openssl x509 -enddate -noout 2>/dev/null | sed 's/notAfter\=//'`
>   if [ ! -z "${EXPIRE_DATE}" ]; then
>     EXPIRE_SECS=`date -d "${EXPIRE_DATE}" +%s`
>     EXPIRE_TIME=$(( ${EXPIRE_SECS} - `date +%s` ))
> 
>     # We finally have it...
>     RETVAL=$(( ${EXPIRE_TIME} / 24 / 3600 ))
>   fi
> else
>   # Too late you lazy bastard, I might as well kill you...
>   kill -9 ${OPENSSL_PID} 2>/dev/null
> fi
> 
> rm -f ${SCRATCH} 2>/dev/null
> echo ${RETVAL}
> 
> Here's certinfo:
> 
> # cat /usr/local/sbin/certinfo
> #!/bin/bash
> # Author: JP van Melis
> 
> export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin
> 
> TIMEOUT=10
> RETVAL=3
> 
> # location on Debian based Linux, run "update-ca-certificates" if you don't have them
> CAfile=/etc/ssl/certs/ca-certificates.crt
> # Try Redhat based
> [ -e "${CAfile}" ] || CAfile=/etc/pki/tls/certs/ca-bundle.crt
> if [ ! -e "${CAfile}" ] ; then
>   echo "No Certificate Authority Bundle found" >&2
>   exit 1
> fi
> 
> # If called by zabbix, handle some things different
> if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then
>   # get rid of 1st parameter (on Zabbix 1.8x)
>   # shift 1
> 
>   # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf
>   ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'`
>   if [ -z "${ZABBIX_TIMEOUT}" ] ; then
>     TIMEOUT=3
>   else
>     # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf and just hope to be in time
>     TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 ))
>   fi
> fi
> 
> # Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted
> # This way it works on both
> HOST=`echo "$*" | awk '{print $1}' | tr 'A-Z' 'a-z'`
> PORT=`echo "$*" | awk '{print $2}' | tr -cd '0-9'`
> 
> SCRATCH=`mktemp`
> TMP1=`mktemp`
> TMP2=`mktemp`
> 
> esc="\033["
> RED="31;40;1m"
> GREEN="32;40;1m"
> 
> [ -z "${HOST}" ] && exit 1
> [ -z "${PORT}" ] && PORT=443
> HOSTWITHIP=${HOST}
> IP=${HOST}
> # HOST contains letters, so it is a name: resolve it to the first A record
> if [ "${HOST}" != "${HOST//[a-z]/}" ]; then
>   IP=`host -t A ${HOST} 2>/dev/null | egrep -o 'has address [0-9.]+' | head -n1 | awk '{print $3}'`
>   HOSTWITHIP="${HOST} (${IP})"
>   if [ -z "${IP}" ] ; then
>     echo -e "${esc}${RED}Error resolving ${HOST}${esc}0m" >&2
>     exit 1
>   fi
> fi
> 
> # openssl is able to check plain smtp/pop3/ftp/imap connections
> # that use TLS to setup a secure connection
> TLS=
> case "${PORT}" in
>  21)     TLS="-starttls ftp";;
>  25|587) TLS="-crlf -starttls smtp";;
>  110)    TLS="-starttls pop3";;
>  143)    TLS="-starttls imap";;
> esac
> 
> # Retrieve Certificate in background because it doesn't support TimeOuts
> # exec 2>/dev/null doesn't seem to be necessary if called this way....
> echo "" | openssl s_client -verify 3 -CAfile ${CAfile} -servername ${HOST} -connect ${IP}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} &
> # remember the PID of the background openssl so it can be killed by PID later
> OPENSSL_PID=$!
> sleep .1
> 
> # double the TIMEOUT and wait for half a second each time
> let TIMEOUT*=2
> 
> # Wait for certificate
> n=1
> while [ ! -s ${SCRATCH} ] ; do
>   sleep .48
>   [ $n -ge ${TIMEOUT} ] && break
>   let n++
> done
> 
> # If we have retrieved the certificate, we'll process it and retrieve the domain names
> if [ -s ${SCRATCH} ] ; then
>   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' ${SCRATCH} | openssl x509 -text -noout 2>/dev/null >${TMP1}
> 
>   #cat ${TMP1}
>   REMARK=
>   [ -z "${TLS}" ] || REMARK="(using TLS)"
>   echo -e "\nCertificate info for host ${esc}${GREEN}${HOSTWITHIP}${esc}0m on port ${PORT} ${esc}${GREEN}${REMARK}${esc}0m\n"
>   CN=`grep -i "Subject:" ${TMP1} | egrep -o 'CN=[A-Za-z0-9=:/. @_-]+' | awk -F= '{print $2}'`
>   echo "       CN: ${CN}"
>   echo -e '\n  Subject:'
>   grep -i "Subject:" ${TMP1}  | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/           &/'
> 
>   # openssl's own chain verification result against the CA bundle
>   grep -i 'Verify return code' ${SCRATCH} | grep -qi '(ok)' || echo -e "           ${esc}${RED}Not certified by an Authority!!${esc}0m"
> 
>   echo '   Issuer:'
>   # grep -i "Issuer:" ${TMP1}
>   grep -i "Issuer:" ${TMP1}  | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/           &/'
> 
>   echo -e "\n Validity:"
>   FROM_DATE=`grep -io 'Not Before.*' ${TMP1} | head -n1 | awk -F: '{print $2":"$3":"$4}'`
>   [ ! -z "${FROM_DATE}" ] && [ `date -d "${FROM_DATE}" +%s` -ge `date +%s` ] && echo -en "${esc}${RED}"
>   echo -e "           Valid since: ${FROM_DATE}${esc}0m"
>   EXPIRE_DATE=`grep -io 'Not After.*' ${TMP1} | head -n1 | awk -F: '{print $2":"$3":"$4}'`
>   if [ ! -z "${EXPIRE_DATE}" ] ; then
>     # green when it expires within a month, red when it has already expired
>     [ `date -d "${EXPIRE_DATE}" +%s` -lt `date -d "next month" +%s` ] && echo -en "${esc}${GREEN}"
>     [ `date -d "${EXPIRE_DATE}" +%s` -lt `date +%s` ]                 && echo -en "${esc}${RED}"
>   fi
> 
>   echo -e "            Expires on: ${EXPIRE_DATE}${esc}0m"
> 
>   # Create a greplist with DNS names converted to regular expressions
>   egrep -o 'DNS:[*A-Za-z0-9.-]+' ${TMP1} | awk -F: '{print $2}' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >${TMP2}
> 
>   echo -e "\nDNS names: "
>   if [ -s ${TMP2} ] ; then
>     echo "${HOST}" | grep -qif ${TMP2} || echo -e "           ${esc}${RED}Name Mismatch!!${esc}0m no DNS name matches ${esc}${GREEN}${HOST}${esc}0m"
>     egrep -o 'DNS:[*a-zA-Z0-9.-]+' ${TMP1} | awk -F: '{print $2}' | sed 's/.*/           &/'
>   else
>     # There are NO DNS names, put CN in the greplist
>     echo -en "${CN}" | tr 'A-Z' 'a-z' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >${TMP2}
>     echo -e "           ${esc}${RED}No DNS names in certificate${esc}0m\n"
>     if echo "${HOST}" | grep -qif ${TMP2} ; then
>       echo -e "           ${esc}${GREEN}${HOST} matches CN${esc}0m"
>     else
>       echo -e "           ${esc}${GREEN}${HOST} ${esc}${RED}does NOT match CN ${CN}${esc}0m"
>     fi
>   fi
>   echo -e '\n'
> else
>   # Too late you lazy bastard, I might as well kill you...
>   kill -9 ${OPENSSL_PID} 2>/dev/null
> fi
> 
> rm -f ${SCRATCH} 2>/dev/null
> rm -f ${TMP1} 2>/dev/null
> rm -f ${TMP2} 2>/dev/null
> 
> 
> 
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test


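As an added example (my own, not code from this thread), here is the certexpire check rewritten in Python: a socket timeout bounds the whole exchange, the SMTP STARTTLS step is explicit, the session ends with QUIT instead of killing openssl mid-handshake (the "peer socket was not ready" retry in the maillog above), and the negotiated protocol is reported so a mismatch with assp's SSL_version shows up. Host and port come from the command line, and the injectable fetch argument is my assumption so the logic can be exercised without a network.

```python
import smtplib
import socket
import ssl
from datetime import datetime, timezone

STARTTLS_PORTS = {25, 587}   # ports the original certexpire treats as SMTP STARTTLS
FAILURE = -0.5               # same sentinel the original echoes when no cert is read


def days_until_expiry(cert, now_ts=None):
    """Whole days from now_ts (Unix seconds, default: current time) until the
    certificate's notAfter; negative once it has expired.  `cert` is the dict
    form returned by SSLSocket.getpeercert()."""
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    return int((end - now_ts) // 86400)


def fetch_cert(host, port, timeout=5.0):
    """Return (peer cert dict, negotiated protocol) or raise.  The socket timeout
    bounds the whole exchange, and the session ends with QUIT / close_notify
    instead of a SIGKILLed client, so the server never sees a half-open handshake."""
    ctx = ssl.create_default_context()      # system CA bundle + hostname verification
    if port in STARTTLS_PORTS:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)      # smtp.sock is now an SSLSocket
            return smtp.sock.getpeercert(), smtp.sock.version()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def certexpire(host, port=443, timeout=5.0, fetch=fetch_cert):
    """(days until expiry or FAILURE, reason).  `fetch` is injectable (assumption
    for offline testing); the default does the real network exchange."""
    try:
        cert, proto = fetch(host, port, timeout)
    except ssl.SSLCertVerificationError as e:
        return FAILURE, f"verification failed: {e.verify_message}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as e:
        return FAILURE, f"no TLS session: {e}"
    return days_until_expiry(cert), f"ok ({proto})"


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                                   # e.g. mail.example.test
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    days, reason = certexpire(host, port)
    print(days)                                          # the value Zabbix reads
    print(reason, file=sys.stderr)
```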