Re: ssl version problem
From: Christian Hopp
Subject: Re: ssl version problem
Date: Fri, 31 Jan 2003 00:30:43 +0100 (CET)
On Thu, 30 Jan 2003, Mark F. wrote:
Hi Mark,
> I have an ssl test that is not working, maybe a bug since this part of
> the code is so new.
Maybe.
> I have set up monit on a Red Hat 7.1 system. The openssl is the latest
> provided by RH on their errata page (openssl-0.9.6-13 RPM).
> Here is the relevant part of my .monitrc file
> ==>
...
> <==
>
> Here the log output showing the test failing
> ==>
> [PST Jan 30 09:09:04] 'rrp' succeeded connecting to INET[localhost:648]
> [PST Jan 30 09:09:04] monit: Openssl syscall error during
> embed_ssl_socket(): Connection reset by peer!
That sounds strange to me. I don't know if you get a "Connection reset by
peer" if there is a protocol mismatch. I have never tried that... but I
can do so one of these days.
> [PST Jan 30 09:09:04] 'rrp' failed establish SSL communication on socket
> at INET[localhost:648]
> <==
>
> To get right down to it, I think the problem has to do with what version
> of the ssl protocol is being used for the check.
> For example:
> openssl s_client -connect localhost:648 -bugs <--FAILS
> openssl s_client -connect localhost:648 -bugs -ssl2 <--FAILS
> openssl s_client -connect localhost:648 -bugs -ssl3 <--WORKS!
> openssl s_client -connect localhost:648 -bugs -tls1 <--FAILS
>
> So is there a way to force version 3 on the monit test? Maybe this can
> be controlled in the /usr/local/ssl/openssl.cnf file, but I didn't see
> it there.
Actually an SSLv23 client method is used when connecting to the service.
That means SSLv3 is used, but it can roll back to SSLv2.
Christian
--
Christian Hopp email: address@hidden
Institut für Elektrische Informationstechnik fon: +49-5323-72-2113
TU Clausthal, Leibnizstr. 28, 38678 Clausthal-Zellerf. fax: +49-5323-72-3197
pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/
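
Added example, not part of the original message and not monit or OpenSSL code: when chasing a version mismatch like the one in this thread, the first bytes a client sends (for instance from a packet capture) show which hello framing and protocol version it offers; a version-flexible client can open with an SSLv2-format hello while offering SSLv3 or TLSv1. The function name `classify_client_hello` and the sample byte strings are assumptions constructed for illustration.

```python
# Added example: classify the first bytes a client sends on an SSL/TLS port.
# classify_client_hello and SAMPLES are constructed for illustration; they
# are not taken from monit, OpenSSL, or the server discussed in the thread.

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def _name(version):
    return VERSIONS.get(version, "unknown %d.%d" % version)


def classify_client_hello(data: bytes):
    """Return (framing, offered_version) for the start of a client's first message.

    framing is "sslv2-hello" for the SSLv2 record format or "v3-record"
    for the SSLv3/TLS record format.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 record: 2-byte header with the high bit set, message type 1
    # (CLIENT-HELLO), then the offered version as (major, minor).
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello", _name((data[3], data[4]))
    # SSLv3/TLS record: type 0x16 (handshake), record version, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 3:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record does not start a ClientHello")
        return "v3-record", _name((data[9], data[10]))
    raise ValueError("not an SSL/TLS ClientHello")


# Constructed sample prefixes (headers only, message bodies omitted).
SAMPLES = {
    "v2-format hello offering TLSv1.0": bytes.fromhex("802e010301"),
    "v2-format hello offering SSLv2": bytes.fromhex("801c010002"),
    "v3 record, SSLv3 ClientHello": bytes.fromhex("160300002d010000290300"),
    "v3 record, TLSv1.0 ClientHello": bytes.fromhex("160301002d010000290301"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-34s -> %s" % (label, classify_client_hello(raw)))
```

A server that only understands the SSLv3 record format has nothing to parse in an SSLv2-format hello, which is why the framing is reported separately from the offered version.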