[openssl-dev] [openssl.org #4043] monitoring software depending on openssl not working on cloudflare ssl websites
Rob Stradling via RT
rt at openssl.org
Tue Sep 15 14:49:03 UTC 2015
Hi Horatiu. To connect to a site that uses CloudFlare Universal SSL
[1], you need to specify the SNI (Server Name Indication) header.
Modern browsers do this by default, but for s_client you need to do this...
openssl s_client -connect <target>:443 -servername <target>
This isn't an OpenSSL bug, so I suggest closing this ticket.
[1] https://blog.cloudflare.com/introducing-universal-ssl/
On 15/09/15 15:33, Horatiu N via RT wrote:
> Greetings,
>
> Using the nagios plugins (latest debian package for 8.1) to check
> availability of https websites using cloudflare gives errors
>> CRITICAL - Cannot make SSL connection.
>> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
>
> Same goes if I attempt to run
>> openssl s_client -connect <target>:443
>
> This basically makes monitoring impossible at this time,
> Any idea how to remedy this situation?
>
> I attached a text file with sample domains as extracted from the
> certificate's "Certificate Subject alt name".
> It's reproducible on any target as long as it's online.
>
> openssl version
>> OpenSSL 1.0.1k 8 Jan 2015
>
>
> dpkg -l openssl
>> ii openssl 1.0.1k-3+deb8u1 amd64 Secure Sockets Layer toolkit - cryptographic utility
>
> Tried also to compile the newest one from openssl.org and use it, same
> problem.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online