[hobbit] Problems with HTTPS Continue

Charles Jones jonescr at cisco.com
Tue Dec 19 00:41:24 CET 2006


Geoff,

Take my advice with a grain of salt, but my next steps would be:

1. Attempt using other SSL protocols (you can specify in bb-hosts). Your 
Webshield appliance may be expecting something other than the default 
method that Hobbit uses.  Here is a snippet from the bb-hosts man page:

Some SSL sites will only allow you to connect, if you use specific 
"dialects" of HTTP or SSL. Normally this is auto-negotiated, but 
experience shows that this fails on some systems.

bbtest-net can be told to use specific dialects, by adding one or more 
"dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:

* "2", e.g. https2://www.sample.com/ : use only SSLv2
* "3", e.g. https3://www.sample.com/ : use only SSLv3
* "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
* "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
* "10", e.g. http10://www.sample.com/ : use HTTP 1.0
* "11", e.g. http11://www.sample.com/ : use HTTP 1.1

These can be combined where it makes sense, e.g. to force SSLv2 and HTTP 
1.0 you would use "https210".

I suspect that one of the options above will fix your problem. My only 
other advice, if none of that works, would be to check the hobbit logs, 
especially bb-network.log. I would also consider editing the [bbnet] 
section of hobbitlaunch.cfg, adding the --debug flag to the CMD options, 
then restarting hobbit and watching stdout and/or the 
bb-network.log to see if it indicates what the problem is.

-Charles

Geoff Hallford wrote:
> Hi Charles,
>
> I just used wget w/ SSL to download the file fine, but it did complain 
> about the certificate name. Would an invalid certificate affect Hobbit's 
> use of HTTPS?
>
> bigbrother:/hobbit/server/www # wget 
> https://142.224.108.83/apps/SCMClientWin32.exe --no-check-certificate
> --15:27:35--  https://142.224.108.83/apps/SCMClientWin32.exe
>            => `SCMClientWin32.exe'
> Connecting to 142.224.108.83:443... connected.
> WARNING: Certificate verification error for 142.224.108.83: self signed certificate
> WARNING: certificate common name `Webshield.uhn.ca' doesn't match 
> requested host name `142.224.108.83'.
> HTTP request sent, awaiting response... 200 OK
> Length: 12,905,984 (12M) [application/octet-stream]
>
> 100%[===========================================================================================================>] 
> 12,905,984     3.51M/s    ETA 00:00
>
> 15:27:41 (3.48 MB/s) - `SCMClientWin32.exe' saved [12905984/12905984]
>
>
> On 12/18/06, *Charles Jones* <jonescr at cisco.com> wrote:
>
>     Geoff,
>
>     I guess the next thing to try would be another tool using HTTPS
>     from the hobbit server itself. Either elinks-ssl, curl, or wget w/
>     SSL support.  The goal being to narrow it down to definitely a
>     problem with Hobbit.
>
>     P.S. I noticed in the Apache banner it says it is on port 1443
>     instead of the usual 443, so there may be some proxy server or
>     vhost that Hobbit has to go through, which could potentially be
>     part of the problem.
>
>     Good luck and let us know if you find the answer.
>
>     -Charles
>
>     Geoff Hallford wrote:
>>     Hi Charles,
>>
>>     This is a McAfee Webshield appliance, so I can't go in and check
>>     the Apache log. I know the URL is good though because I can
>>     access it via any browser from my PC. It's only Hobbit that has
>>     an issue with it.
>>
>>     Any other thoughts?
>>
>>     Thanks.
>>
>>     On 12/18/06, *Charles Jones* <jonescr at cisco.com> wrote:
>>
>>         HTTPS is definitely working, or else you would not get the
>>         Apache banner at the end. It looks like you are simply
>>         checking an invalid URL. Check your apache error log and see
>>         if it indicates that SCMClientWin32.exe is being requested
>>         from an incorrect path or something.
>>
>>         -Charles
>>
>>
>>         Geoff Hallford wrote:
>>>         Hi Everyone,
>>>
>>>         I still have problems getting Hobbit to check URLs that are
>>>         HTTP*S*. I have compiled with SSL support and the testing
>>>         does work on items such as LDAPS and SSH, but it will not
>>>         work for HTTPS. Does anyone have any thoughts? I get the
>>>         following message:
>>>
>>>         ---
>>>
>>>         Mon Dec 18 14:01:59 2006:
>>>         https://142.224.108.83/apps/SCMClientWin32.exe - 
>>>
>>>         Not Found
>>>
>>>         The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server.
>>>
>>>
>>>
>>>
>>>         Additionally, a 404 Not Found
>>>
>>>         error was encountered while trying to use an ErrorDocument
>>>         to handle the request.
>>>
>>>         ------------------------------------------------------------------------
>>>         Apache/2.0.55 (Unix) Server at localhost Port 1443
>>>
>>>
>>>         Seconds:     
>>>         0.00
>>>
>>>           
>>
>>
>>
>>
>>     -- 
>>     'If my answers frighten you then you should cease asking scary
>>     questions.' --Sam Jackson from Pulp Fiction 
>
>
>
>
> -- 
> 'If my answers frighten you then you should cease asking scary 
> questions.' --Sam Jackson from Pulp Fiction 
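
The dialect naming in the bb-hosts man page excerpt quoted in this message, as an added example (not part of the original thread and not Hobbit's own code): a parser for the scheme modifiers, plus a check over bb-hosts entries that reports URL tests pinned to SSLv2 or SSLv3, both of which have since been deprecated. The function names, the sample hosts and the `IP hostname # tests` line layout used here are assumptions.

```python
import re
# Dialect names from the bb-hosts man page excerpt quoted in the thread.
DIALECTS = {
    "2": ("ssl", "SSLv2 only"),
    "3": ("ssl", "SSLv3 only"),
    "m": ("ciphers", "128-bit ciphers only"),
    "h": ("ciphers", ">128-bit ciphers only"),
    "10": ("http", "HTTP 1.0"),
    "11": ("http", "HTTP 1.1"),
}
SCHEME_RE = re.compile(r"^(https?)((?:10|11|2|3|m|h)*)://(.+)$")
PINNED_LEGACY = {"SSLv2 only", "SSLv3 only"}

def parse_dialect_url(tag):
    """Return (plain_url, {category: setting}), or None if not a URL test."""
    m = SCHEME_RE.match(tag)
    if not m:
        return None
    base, mods, rest = m.groups()
    settings = {}
    for name in re.findall(r"10|11|2|3|m|h", mods):
        category, meaning = DIALECTS[name]
        settings[category] = meaning
    return f"{base}://{rest}", settings

def audit_bb_hosts(text):
    """Return (line_no, hostname, tag) for tests pinned to SSLv2 or SSLv3."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry, sep, tags = line.partition("#")
        fields = entry.split()
        if sep and len(fields) >= 2:  # skip blank and comment-only lines
            for tag in tags.split():
                parsed = parse_dialect_url(tag)
                if parsed and parsed[1].get("ssl") in PINNED_LEGACY:
                    findings.append((line_no, fields[1], tag))
    return findings

# Constructed sample entries (hypothetical hosts, not from the thread).
SAMPLE = """\
# web tier
192.0.2.10 www.sample.com # https://www.sample.com/
192.0.2.11 legacy.sample.com # https210://legacy.sample.com/ ssh
192.0.2.12 shield.sample.com # https3://shield.sample.com/ httpsh://shield.sample.com/
"""

if __name__ == "__main__":
    for line_no, host, tag in audit_bb_hosts(SAMPLE):
        print(f"line {line_no}: {host} pins a legacy protocol via {tag}")
```

An entry flagged this way is a candidate for review once the monitored device supports a newer protocol, since the pinned scheme stays in bb-hosts long after the original workaround is forgotten.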
