@sni commented Sep 30, 2024

fix check_curl: OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

using check_curl on a probably embedded device responding as 'Server: GoAhead-Webs'

    %> check_curl -H ... -S -vvv

    > GET / HTTP/1.1
    Host: ...
    User-Agent: check_curl/v2.4.0 (monitoring-plugins 2.4.0, libcurl/7.76.1 OpenSSL/3.0.7 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0)
    Accept: */*
    Connection: close

    * Mark bundle as not supporting multiuse
    * HTTP 1.0, assume close after body
    < HTTP/1.0 302 Redirect
    < Server: GoAhead-Webs
    < Date: Tue Mar 26 17:57:16 2019
    < Cache-Control: no-cache, no-store, must-revalidate,private
    < Pragma: no-cache
    < Expires: 0
    < Content-Type: text/html
    < X-Frame-Options: sameorigin
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < Location: https://...
    <
    * OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
    * Closing connection 0

Reading the discussion on openssl/openssl#22690 suggests setting the option SSL_OP_IGNORE_UNEXPECTED_EOF, which makes check_curl behave like check_http at this point. Since this is a rather new flag, it is fenced in ifdefs.
And since there can only be one ssl ctx function, we need to move both tasks into one function.
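
The OpenSSL documentation for SSL_OP_IGNORE_UNEXPECTED_EOF advises enabling it only when the protocol running over TLS can detect truncation itself. The following added example (not part of this pull request or of check_curl) shows that check for HTTP response framing; the function names and the sample header string are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* How the end of the response body is signalled to the client. */
enum framing { BY_LENGTH, BY_CHUNKS, BY_CLOSE };

/* Value of header `name` (case-insensitive, header section only), or NULL. */
static const char *header_value(const char *hdrs, const char *name) {
    size_t n = strlen(name);
    for (const char *p = hdrs; p && *p && *p != '\r' && *p != '\n'; ) {
        if (strncasecmp(p, name, n) == 0 && p[n] == ':') {
            p += n + 1; while (*p == ' ' || *p == '\t') p++;
            return p;
        }
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return NULL;
}

/* Does the header value starting at v contain tok, e.g. "gzip, chunked"? */
static int line_has(const char *v, const char *tok) {
    for (size_t n = strlen(tok); v && *v && *v != '\r' && *v != '\n'; v++)
        if (strncasecmp(v, tok, n) == 0) return 1;
    return 0;
}

enum framing classify_framing(const char *hdrs) {
    if (line_has(header_value(hdrs, "Transfer-Encoding"), "chunked")) return BY_CHUNKS;
    return header_value(hdrs, "Content-Length") ? BY_LENGTH : BY_CLOSE;
}

/* 1 if an EOF without close_notify still proves the body is complete,
 * 0 if a truncated body would look exactly the same. */
int eof_is_verifiable(const char *hdrs, size_t body_len, int saw_last_chunk) {
    const char *cl = header_value(hdrs, "Content-Length");
    char *end;
    switch (classify_framing(hdrs)) {
    case BY_CHUNKS: return saw_last_chunk != 0;
    case BY_LENGTH: return strtoul(cl, &end, 10) == body_len && end != cl;
    default:        return 0; /* body ends at close: a cut is invisible */
    }
}

/* Constructed sample: framing-relevant headers of the trace above. */
static const char TRACE_HDRS[] = "HTTP/1.0 302 Redirect\r\nServer: GoAhead-Webs\r\n\r\n";

int main(void) { printf("%d\n", eof_is_verifiable(TRACE_HDRS, 0, 0)); return 0; }
```

For the GoAhead response in the trace (HTTP/1.0, no Content-Length) the result is 0: only the status line and headers, which end at the blank line, are known to be complete.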

@sni force-pushed the fix_check_curl_ssl_eof branch from 70ba033 to d3e9a8e on September 30, 2024 12:45
@sni marked this pull request as draft on September 30, 2024 13:04
@sni force-pushed the fix_check_curl_ssl_eof branch 2 times, most recently from de7e579 to 9b4e131 on September 30, 2024 13:23
sni commented Sep 30, 2024

Probably totally unrelated to my changes, will retry again tomorrow.

Fedora rawhide is broken:

      File "/usr/lib64/python3.13/subprocess.py", line 1966, in _execute_child
        raise child_exception_type(errno_num, err_msg, err_filename)
    FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/dnf-3'
    + cat /tmp/result-srcrpm/root.log /tmp/result-srcrpm/build.log
    + exit 1

Maybe we should handle rawhide like Debian testing and keep it out of our required test suites, but put it in a separate action which maybe runs once a month to make sure we get notified if a future release might break something.
But it should not prevent current development.

@sni force-pushed the fix_check_curl_ssl_eof branch 3 times, most recently from da9f09a to 52fd391 on October 2, 2024 09:25
@sni marked this pull request as ready for review on October 2, 2024 09:59
sni commented Oct 2, 2024

waiting for #2023

@waja added this to the 2.4.1 milestone on Oct 2, 2024
@sni force-pushed the fix_check_curl_ssl_eof branch 3 times, most recently from 749e505 to 302efa1 on October 9, 2024 07:51
@sni force-pushed the fix_check_curl_ssl_eof branch from 302efa1 to 528e92c on October 9, 2024 07:54
sni commented Oct 9, 2024

Finally all tests are green and I tested this patch on debian11/12 and rhel7/8/9. Looked good,
except on rhel7, but the certificate check did not work there before anyway because of too old libcurl in combination with libnss.

@RincewindsHat left a comment


ok, good enough for me.

@sni merged commit 3b96044 into monitoring-plugins:master on Oct 10, 2024
@sni deleted the fix_check_curl_ssl_eof branch on October 10, 2024 13:54