[Xymon] Patch for xymonnet: Fails to detect closed ports on SSL-enabled services

J.C. Cleaver cleaver at terabithia.org
Fri Dec 11 19:07:29 CET 2015



On Fri, December 11, 2015 3:05 am, Henrik Størner wrote:
> Hi,
>
> I ran into a weird issue this morning.
>
> When testing an SSL-enabled service (amqps), the status showed up as
> green even though there was no service listening on the port.
>
> It may be related to the fairly old OpenSSL version installed (0.9.8j +
> SUSE patches), because I have never seen it before - and it sounds like
> the kind of bug that ought to pop up fairly quickly.
>
> Debug shows:
> 38969 2015-12-11 12:02:01.466947 TCP tests completed normally
> Address=10.0.0.1:5671, open=1, res=0, err=5, connecttime=0.001542,
> totaltime=0.001542,
> 38969 2015-12-11 12:02:01.467163 Sending results for service amqps
> 38969 2015-12-11 12:02:01.467205 Adding to combo msg: status+30
> foo,example,com.amqps green <!-- [flags:OrdastLe] --> Fri Dec 11
> 12:02:01 2015 amqps ok
>
> The "open=1" is what triggers the green status, but it doesn't match
> the "err=5" which means the openssl-functions returned an error.
>
> This patch should fix it - against 4.3.24.
>

This is an odd one. It really does seem like this should have been run
into somehow before...

How would you feel about expanding the parsing in
xymonnet.c:decide_color() to catch for errors even on an open port?
Something like the attached (untested)...

-jc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-connstrange.patch
Type: text/x-patch
Size: 1187 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20151211/c427cf7b/attachment.bin>
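
The mismatch discussed in this thread (open=1 reported alongside err=5), as an added C example that is not part of the original message, the attached patch, or Xymon's code: it parses the debug fields and compares an open-only colour decision with one that also requires no error. The struct, function names and sample lines are constructed for illustration, and treating err == 0 as "no error" is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative names only; not Xymon's structures or its decide_color(). */
enum color { GREEN, RED };
struct tcp_result { int open, res, err; };

/* Extract open/res/err from a debug line; returns 0 on success, -1 otherwise. */
static int parse_result(const char *line, struct tcp_result *r)
{
    const char *p = strstr(line, "open=");
    if (p == NULL) return -1;
    return sscanf(p, "open=%d, res=%d, err=%d", &r->open, &r->res, &r->err) == 3 ? 0 : -1;
}

/* Behaviour described in the report: an open port alone yields green. */
static enum color color_open_only(const struct tcp_result *r)
{
    return r->open ? GREEN : RED;
}

/* Stricter decision: green needs an open port AND no recorded error.
   Assumption: err == 0 means "no error" (the thread only says err=5 is an
   OpenSSL failure). */
static enum color color_open_and_clean(const struct tcp_result *r)
{
    return (r->open && r->err == 0) ? GREEN : RED;
}

/* Classify a whole line; lines that cannot be parsed fail closed (red). */
static enum color classify_line(const char *line, int strict)
{
    struct tcp_result r;
    if (parse_result(line, &r) != 0) return RED;
    return strict ? color_open_and_clean(&r) : color_open_only(&r);
}

/* Constructed samples modelled on the debug output quoted in the thread. */
static const char SAMPLE_SSL_ERR[] = "Address=10.0.0.1:5671, open=1, res=0, err=5, connecttime=0.001542,";
static const char SAMPLE_CLEAN[]   = "Address=10.0.0.1:5671, open=1, res=0, err=0, connecttime=0.001542,";

int main(void)
{
    const char *names[] = { "green", "red" };
    printf("ssl error, open-only: %s\n", names[classify_line(SAMPLE_SSL_ERR, 0)]);
    printf("ssl error, strict:    %s\n", names[classify_line(SAMPLE_SSL_ERR, 1)]);
    printf("clean,     strict:    %s\n", names[classify_line(SAMPLE_CLEAN, 1)]);
    return 0;
}
```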

