Napsty / check_esxi_hardware

Monitoring Plugin to check the hardware of VMware ESXi servers.
https://www.claudiokuenzler.com/monitoring-plugins/check_esxi_hardware.php

SSL problems with older ESXi #51

Closed AndyBCN closed 3 years ago

AndyBCN commented 3 years ago

Hi, I'm an end user so apologies if this is only meant for contributors, but I saw there was a previous issue https://github.com/Napsty/check_esxi_hardware/issues/45 that was addressed, but I am still seeing this issue on Ubuntu 20.04 LTS connecting to ESXi 5.1. I've installed python3 via apt and pywbem via pip. I'm running:

check_esxi_hardware.py --host=192.168.1.17 --user=root --pass=1234566 --sslproto=TLSv1.0 --vendor=ibm

And getting the same error as previously reported

```
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 366, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 383, in ssl_wrap_socket
    return context.wrap_socket(sock)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 747, in urlopen
    return self.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 747, in urlopen
    return self.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.1.17', port=5989): Max retries exceeded with url: /cimom (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/pywbem/_cim_http.py", line 315, in wbem_request
    resp = conn.session.post(
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 581, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.17', port=5989): Max retries exceeded with url: /cimom (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/nagios/plugins//check_esxi_hardware.py", line 775, in <module>
    instance_list = wbemclient.EnumerateInstances(classe)
  File "/usr/local/lib/python3.8/dist-packages/pywbem/_cim_operations.py", line 2628, in EnumerateInstances
    result = self._imethodcall(
  File "/usr/local/lib/python3.8/dist-packages/pywbem/_cim_operations.py", line 1746, in _imethodcall
    reply_data, self._last_server_response_time = wbem_request(
  File "/usr/local/lib/python3.8/dist-packages/pywbem/_cim_http.py", line 320, in wbem_request
    raise ConnectionError(msg, conn_id=conn.conn_id)
pywbem._exceptions.ConnectionError: ("bad handshake: Error([('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')])",); OpenSSL version used: OpenSSL 1.1.1f 31 Mar 2020

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/nagios/plugins//check_esxi_hardware.py", line 776, in <module>
    except pywbem.cim_operations.CIMError as args:
AttributeError: module 'pywbem' has no attribute 'cim_operations'
```

Possibly I'm doing something wrong? Or is this issue not fixed given my configuration?

TIA, Andy.

Napsty commented 3 years ago

Is it possible that the OpenSSL python module (https://packages.ubuntu.com/focal/python3-openssl) removed support for EOL TLS protocols such as TLS 1.0?

Additional info for research:

https://stackoverflow.com/questions/59408646/ssl-sslerror-ssl-unsupported-protocol-unsupported-protocol-ssl-c852-in-d

https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol/53065682#53065682

Napsty commented 3 years ago

Looking at https://www.openssl.org/docs/man1.1.0/man3/SSL_CONF_cmd.html, it might actually be a bug in check_esxi_hardware. According to that documentation, the correct protocol versions are:

Currently supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, DTLSv1 and DTLSv1.2. 

@AndyBCN can you try it with https://raw.githubusercontent.com/Napsty/check_esxi_hardware/issue-51/check_esxi_hardware.py and the parameter --sslproto=TLSv1 ?

AndyBCN commented 3 years ago

With the most recent script and TLSv1 I get the following output:

20210118 12:51:22 Using non-default SSL protocol: TLSv1
20210118 12:51:22 Creating OpenSSL config file: /tmp/192.168.1.17_openssl.conf
20210118 12:51:22 LCD Status: True
20210118 12:51:22 Chassis Intrusion Status: True
20210118 12:51:22 Connection to https://192.168.1.17
20210118 12:51:22 Found pywbem version 1.1.2
20210118 12:51:22 Check classe OMC_SMASHFirmwareIdentity
Traceback (most recent call last):
  File "./check_esxi_hardware.py", line 776, in <module>
    except pywbem.cim_operations.CIMError as args:
AttributeError: 'module' object has no attribute 'cim_operations'

Napsty commented 3 years ago

I was able to reproduce this with an ESXi 5.0. However, I am currently stumped with work and don't have time to investigate. I will pick up as soon as I have time again. In the meantime I suggest trying with an older version of the plugin and/or an older version of pywbem.

Napsty commented 3 years ago

Interesting, I cannot reproduce this anymore. Using a virtual ESXi 5.0.0.

Using curl to verify that the CIM server only responds with TLSv1:

$ curl --tlsv1 https://192.168.15.112:5989 -k -I
HTTP/1.1 501 Not Implemented
Server: sfcHttpd
Content-Length: 0

$ curl --tlsv1.1 https://192.168.15.112:5989 -k -I
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

$ curl --tlsv1.2 https://192.168.15.112:5989 -k -I
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

And then use check_esxi_hardware.py with -S TLSv1:

$ python3 ./check_esxi_hardware.py -H 192.168.15.112 -U root -P Secret123. -S TLSv1 -v
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.4) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
20210602 11:39:58 Using non-default SSL protocol: TLSv1
20210602 11:39:58 Creating OpenSSL config file: /tmp/192.168.15.112_openssl.conf
20210602 11:39:58 LCD Status: True
20210602 11:39:58 Chassis Intrusion Status: True
20210602 11:39:58 Connection to https://192.168.15.112
20210602 11:39:58 Found pywbem version 1.2.0
20210602 11:39:58 Check classe OMC_SMASHFirmwareIdentity
20210602 11:39:59   Element Name = System BIOS
20210602 11:39:59     VersionString = 6.00
20210602 11:39:59 Check classe CIM_Chassis
20210602 11:39:59   Element Name = Chassis
20210602 11:39:59     Manufacturer = No Enclosure
20210602 11:39:59     SerialNumber = VMware-56 4d b8 66 f3 c9 b8 a8-ab cb f3 76 3d d3 e4 82
20210602 11:39:59     Model = VMware Virtual Platform
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59 Check classe CIM_Card
20210602 11:39:59   Element Name = Other
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59 Check classe CIM_ComputerSystem
20210602 11:39:59   Element Name = localhost
20210602 11:39:59 Check classe CIM_NumericSensor
20210602 11:39:59 Check classe CIM_Memory
20210602 11:39:59   Element Name = CPU #000 Level-1 Cache
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59   Element Name = CPU #000 Level-2 Cache
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59   Element Name = CPU #001 Level-1 Cache
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59   Element Name = CPU #001 Level-2 Cache
20210602 11:39:59     Element Op Status = 0
20210602 11:39:59   Element Name = Memory
20210602 11:39:59 Check classe CIM_Processor
20210602 11:39:59   Element Name = CPU #000
20210602 11:39:59     Family = 2
20210602 11:39:59     CurrentClockSpeed = 3600MHz
20210602 11:39:59     Element Op Status = 2
20210602 11:39:59   Element Name = CPU #001
20210602 11:39:59     Family = 2
20210602 11:39:59     CurrentClockSpeed = 3600MHz
20210602 11:39:59     Element Op Status = 2
20210602 11:39:59 Check classe CIM_RecordLog
20210602 11:40:00 Check classe OMC_DiscreteSensor
20210602 11:40:00 Check classe OMC_Fan
20210602 11:40:00 Check classe OMC_PowerSupply
20210602 11:40:00 Check classe VMware_StorageExtent
20210602 11:40:00 Check classe VMware_Controller
20210602 11:40:00 Check classe VMware_StorageVolume
20210602 11:40:00 Check classe VMware_Battery
20210602 11:40:01 Check classe VMware_SASSATAPort
OK - Server: No Enclosure VMware Virtual Platform s/n: VMware-56 4d b8 66 f3 c9 b8 a8-ab cb f3 76 3d d3 e4 82 System BIOS: 6.00 2020-07-22

Specs:

Maybe the upgrade to pywbem 1.2.0 solves it? Can you check @AndyBCN ?
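
The curl checks in the comment above can also be run from Python's own `ssl` module, which shows what the interpreter's TLS stack negotiates with the CIM port. This is an added example, not part of the thread or of check_esxi_hardware; the function names and result labels are assumptions, and port 5989 is the CIM port shown in the traceback.

```python
import socket
import ssl

# Versions to try, mirroring curl's --tlsv1 / --tlsv1.1 / --tlsv1.2 checks.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Like curl -k: certificate checks are off because only the protocol
    # negotiation is probed; no credentials or requests are sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def classify(exc):
    """Map a connection or handshake failure to a short, stable label."""
    text = str(exc).lower().replace("_", " ")
    if not isinstance(exc, ssl.SSLError):
        return "unreachable"
    if "unsupported protocol" in text:
        return "unsupported protocol"
    return "tls error"  # does not say which side refused the handshake

def probe(host, port=5989, timeout=5.0):
    """Return {version name: "ok" or a failure label} for one endpoint."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = "ok"
        except ValueError:
            # The local OpenSSL build cannot offer this version at all.
            results[name] = "client cannot offer"
        except OSError as exc:
            results[name] = classify(exc)
    return results

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A failure for TLSv1 here while `curl --tlsv1` succeeds points at the Python/OpenSSL client policy on the monitoring host rather than at the ESXi server.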