[openssl-dev] [openssl.org #4043] monitoring software depending onopenssl not working on cloudflare ssl websites
Horatiu N via RT
rt at openssl.org
Tue Sep 15 14:51:37 UTC 2015
Thank you very much.
Have a lovely day :)
On 15-Sep-15 5:49 PM, Rob Stradling via RT wrote:
> Hi Horatiu. To connect to a site that uses CloudFlare Universal SSL
> [1], you need to specify the SNI (Server Name Indication) header.
> Modern browsers do this by default, but for s_client you need to do this...
>
> openssl s_client -connect <target>:443 -servername <target>
>
> This isn't an OpenSSL bug, so I suggest closing this ticket.
>
>
> [1] https://blog.cloudflare.com/introducing-universal-ssl/
>
> On 15/09/15 15:33, Horatiu N via RT wrote:
>> Greetings,
>>
>> Using the nagios plugins (latest debian package for 8.1) to check
>> availability of https websites using cloudflare gives errors
>>> CRITICAL - Cannot make SSL connection.
>>> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
>>
>> same goes if i attempt to run
>>> openssl s_client -connect <target>:443
>>
>> This basically makes monitoring impossible at this time,
>> Any idea how to remedy this situation ?
>>
>> i attached a textfile with sample domains as extracted from the
>> certificate's "Certificate Subject alt name"
>> it's reproducible on any target as long as it's online
>>
>> openssl version
>>> OpenSSL 1.0.1k 8 Jan 2015
>>
>>
>> dpkg -l openssl
>>> ii openssl 1.0.1k-3+deb8u1 amd64 Secure Sockets Layer toolkit - cryptographic utility
>>
>> tried also to compile the newest one from openssl.org and use it, same
>> problem.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3709 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150915/e8b81be3/attachment-0001.bin>
More information about the openssl-dev
mailing list