[hobbit] Problems with HTTPS Continue
Geoff Hallford
geoff.hallford at gmail.com
Tue Dec 19 17:13:57 CET 2006
Charles,
I switched over to testing a regular OWA 2003 implementation, so that it
wouldn't have any weird configuration the Webshield's (SCM) might have but I
can't get it to work and this one times out. I tried to mimic IE with the
browser= setting as well with no effect. I enabled debug on the bbnet-test
and collected the following information which doesn't give many hints as to
the issue. I can still use WGET though to get the webpage requested by
Hobbit, so I really feel the issue is somewhere in Hobbit. Any help from
anyone would be appreciated.
Logs:
###[ BB-NETWORK.LOG ]###
2006-12-19 10:43:02 Adding hostname 'webmail.uhn.on.ca' to resolver queue
2006-12-19 10:43:02 Got DNS result for host webmail.uhn.on.ca :
205.211.160.83
------------------------------------------------------
URL :
https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp
HTTP status : 0
HTTP headers
(NULL)
HTTP output
(NULL)
2006-12-19 11:00:17 Calc http color host WEBSHIELD-83 : 2006-12-19 11:00:17
https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp(red) 2006-12-19
11:00:17 --> red
###[ WGET OUTPUT ]###
bigbrother:/hobbit/server/etc # wget
https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp
--10:55:50-- https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp
=> `owalogon.asp'
Resolving webmail.uhn.on.ca... 205.211.160.83
Connecting to webmail.uhn.on.ca|205.211.160.83|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,532 (9.3K) [text/html]
100%[===================================================================================================================================>]
9,532 8.34K/s
10:55:51 (8.33 KB/s) - `owalogon.asp' saved [9532/9532]
On 12/18/06, Charles Jones <jonescr at cisco.com> wrote:
>
> Geoff,
>
> Take my advice with a grain of salt, but my next steps would be:
>
> 1. Attempt using other SSL protocols (you can specify in bb-hosts). Your
> Webshield appliance may be expecting something other than the default method
> that Hobbit uses. Here is a snippet from the bb-hosts man page:
>
> Some SSL sites will only allow you to connect, if you use specific
> "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience
> shows that this fails on some systems.
>
> bbtest-net can be told to use specific dialects, by adding one or more
> "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL:
>
> * "2", e.g. https2://www.sample.com/ : use only SSLv2
> * "3", e.g. https3://www.sample.com/ : use only SSLv3
> * "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers
> * "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers
> * "10", e.g. http10://www.sample.com/ : use HTTP 1.0
> * "11", e.g. http11://www.sample.com/ : use HTTP 1.1
>
> These can be combined where it makes sense, e.g to force SSLv2 and HTTP
> 1.0 you would use "https210".
> I suspect that one of the options above will fix your problem. My only
> other advice if none of that works would be to check the hobbit logs,
> especially bb-network.log. I would also consider editing the [bbnet]
> section of hobbitlaunch.cfg, adding the --debug flag to the CMD options,
> and then restarting hobbit and then watch stdout and/or the bb-network.logto see if it indicates what the problem is.
>
> -Charles
>
> Geoff Hallford wrote:
>
> Hi Charles,
>
> I just used wget w/ SSL to download the file fine but it did complain
> about the certificate name. Would an invalid certificate affect Hobbit use
> of HTTPS?:
>
> bigbrother:/hobbit/server/www # wget
> https://142.224.108.83/apps/SCMClientWin32.exe --no-check-certificate
> --15:27:35-- https://142.224.108.83/apps/SCMClientWin32.exe
> => `SCMClientWin32.exe'
> Connecting to 142.224.108.83:443... connected.
> WARNING: Certificate verification error for 142.224.108.83: self signed
> certificate
> WARNING: certificate common name `Webshield.uhn.ca' doesn't match
> requested host name `142.224.108.83'.
> HTTP request sent, awaiting response... 200 OK
> Length: 12,905,984 (12M) [application/octet-stream]
>
> 100%[===========================================================================================================>]
> 12,905,984 3.51M/s ETA 00:00
>
> 15:27:41 (3.48 MB/s) - `SCMClientWin32.exe' saved [12905984/12905984]
>
>
> On 12/18/06, Charles Jones < jonescr at cisco.com> wrote:
> >
> > Geoff,
> >
> > I guess the next thing to try would be another tool using HTTPs from the
> > hobbit server itself. Either elinks-ssl, curl, or wget w/ SSL support. The
> > goal being to narrow it down to definitely a problem with Hobbit.
> >
> > P.S. I noticed in the Apache banner it says it is on port 1443 instead
> > of the usual 443, so there may be some proxy server or vhost that Hobbit has
> > to go through, which could potentially be part of the problem.
> >
> > Good luck and let us know if you find the answer.
> >
> > -Charles
> >
> > Geoff Hallford wrote:
> >
> > Hi Charles,
> >
> > This is a McAfee Webshield appliance, so I can't go in and check the
> > Apache log. I know the URL is good though because I can access it via any
> > browser from my PC. It's only Hobbit that has an issue with it.
> >
> > Any other thoughts?
> >
> > Thanks.
> >
> > On 12/18/06, Charles Jones <jonescr at cisco.com > wrote:
> > >
> > > HTTPS is definitely working, or else you would not get the Apache
> > > banner at the end. It looks like you are simply checking an invalid URL.
> > > Check your apache error log and see if it indicates that
> > > SCMClientWin32.exe is being requested from an incorrect path or
> > > something.
> > >
> > > -Charles
> > >
> > > Geoff Hallford wrote:
> > >
> > > Hi Everyone,
> > >
> > > I still have problems getting Hobbit to check URL's that are HTTP*S*.
> > > I have compiled with SSL support and the testing does work on items such as
> > > LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts?
> > > I get the following message:
> > >
> > > ---
> > >
> > > Mon Dec 18 14:01:59 2006:
> > >
> > > https://142.224.108.83/apps/SCMClientWin32.exe -
> > >
> > > Not Found
> > >
> > > The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server.
> > >
> > >
> > >
> > >
> > > Additionally, a 404 Not Found
> > >
> > > error was encountered while trying to use an ErrorDocument to handle the request.
> > >
> > > ------------------------------
> > > Apache/2.0.55 (Unix) Server at localhost Port 1443
> > > Seconds: 0.00
> > >
> > >
> > >
> >
> >
> > --
> > 'If my answers frighten you then you should cease asking scary
> > questions.' --Sam Jackson from Pulp Fiction
> >
> >
> >
>
>
> --
> 'If my answers frighten you then you should cease asking scary questions.'
> --Sam Jackson from Pulp Fiction
>
>
>
--
'If my answers frighten you then you should cease asking scary questions.'
--Sam Jackson from Pulp Fiction
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20061219/14e306cd/attachment.html>
More information about the Xymon
mailing list