[BUG] HP ProLiant DL360 G7 | SSL connect attempt failed error:0A000152:SSL routines::unsafe legacy renegotiation disabled)

centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.

https://www.centreon.com

Apache License 2.0

311 stars 274 forks source link

[BUG] HP ProLiant DL360 G7 | SSL connect attempt failed error:0A000152:SSL routines::unsafe legacy renegotiation disabled) #5142

Open OverStyleFR opened 3 months ago

OverStyleFR commented 3 months ago

Quick description

My bug is when i'm trying to use the plugin HP ILO (ResetAPI or XMLAPI) the SSL is to old (TLS 1.0)

How to reproduce

Environment: result of Linux Centreon 6.8.4-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.4-2 (2024-04-10T17:36Z) x86_64 GNU/Linux | 12.6.
Version of the plugin: 20240808-1~bookworm
Information about the monitored resource: HP ProLiant DL360 G7

Command line:

/usr/lib/centreon/plugins//centreon_hp_ilo_restapi.pl --plugin=hardware::server::hp::ilo::restapi::plugin --mode=hardware --hostname='192.168.1.30' --api-username='username' --api-password='password'  --component='.*' --verbose

Expected result

A result of the variable/sensors of ILO

Actual result

UNKNOWN: Login error [code: '500'] [message: 'Can't connect to 192.168.1.30:443 (SSL connect attempt failed error:0A000152:SSL routines::unsafe legacy renegotiation disabled)']

tomasfon commented 2 months ago

I resolved this same scenario by asking the AI. In my case, it works now, although it involves enabling an insecure protocol…

Edit the OpenSSL configuration file: Open the file /etc/ssl/openssl.cnf with a text editor, for example: sudo nano /etc/ssl/openssl.cnf

Add the configuration: Add the following lines at the end of the file: openssl_conf = openssl_init

[openssl_init] ssl_conf = ssl_sect

[ssl_sect] system_default = system_default_sect

[system_default_sect] Options = UnsafeLegacyRenegotiation

Save and close the file. Set the environment variable: Ensure that the OPENSSL_CONF environment variable is set to point to your customized openssl.cnf file. You can do this by adding the following line to your environment configuration file (e.g., .bashrc or .profile): export OPENSSL_CONF=/etc/ssl/openssl.cnf

Restart the services: After making these changes, restart the relevant services to apply the changes. For example, for Apache: sudo systemctl restart apache2

tomasfon commented 2 months ago

I used too this extra option:

--ssl-opt 'SSL_verify_mode => SSL_VERIFY_NONE, SSL_version => "TLSv1"' --ssl-opt='SSL_cipher_list => "DEFAULT:!DH"'

OverStyleFR commented 2 months ago

Don't work.

OverStyleFR commented 2 months ago

I don't have time to clarify, i will respond later.

lucie-dubrunfaut commented 2 months ago

Hello :)

Have you try the option --insecure ?

OverStyleFR commented 2 months ago

Hello :)

Have you try the option --insecure ?

Yes

lucie-dubrunfaut commented 2 weeks ago

Unfortunately, with the information we have, it's difficult to answer in this issue. The plugin's output seems to indicate that it is a SSL connection problem that is not directly caused by the plugin itself. Have you tried running the curl command by hand to check whether you also get a 500 return code? If possible, can you give us some data that will enable us to resimulate the context of your issue?