Evolix/chexpire

TLS 1.2 support

Closed this issue · 3 comments

If you have a website with TLS 1.2 support only, chexpire does not work.

Date: Sat, 07 Jul 2018 08:30:02 +0200
From: [redacted]
To: [redacted]
Subject: Recurrent failures in [redacted] SSL certificate expiry check


Hi,

We had recurrent failures while checking the SSL certificate for
[redacted]. As of today, we can no longer verify the certificate
expiry date.

If there is no more SSL endpoint for this domain, please disable
or delete the check by following this link:

https://chexpire.[redacted]/checks/[redacted]/edit

-- 
The Chexpire Team

Examples of websites with TLS 1.2 only: benpro.fr, mstdn.io

Hi Benoît, and thank you for the issue!

We use the check_http command from https://github.com/monitoring-plugins/monitoring-plugins and there is support for TLS 1.2: monitoring-plugins/monitoring-plugins#1338

In fact, it works with "www.nist.gov" or "mstdn.io" (TLS 1.2-only websites) but not with "benpro.fr":

~/GIT/monitoring-plugins$ ./plugins/check_http -C 0 --sni mstdn.io
OK - Certificate 'dspr.io' will expire on ven. 09 nov. 2018 21:04:42 GMT +0000.

~/GIT/monitoring-plugins$ ./plugins/check_http -C 0 --sni benpro.fr
CRITICAL - Cannot make SSL connection.
139651497318144:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1399:SSL alert number 112

If I try with the openssl command, I get a different result:

$ openssl s_client -connect benpro.fr:443
CONNECTED(00000003)
139776991241472:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1399:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1535201820
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

and:

$ openssl s_client -connect www.nist.gov :443 
s_client: Use -help for summary.
gcolpart@jpp:~$ openssl s_client -connect www.nist.gov:443 
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = Maryland, L = Gaithersburg, O = National Institute of Standards and Technology, OU = OISM, CN = *.nist.gov
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Maryland/L=Gaithersburg/O=National Institute of Standards and Technology/OU=OISM/CN=*.nist.gov
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[truncated]
-----END CERTIFICATE-----
subject=/C=US/ST=Maryland/L=Gaithersburg/O=National Institute of Standards and Technology/OU=OISM/CN=*.nist.gov
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3505 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B5FDE39D74A64F8D1F37B3736DCFB77141A7BC27649A09F146E5850E58C1F5A3
    Session-ID-ctx: 
    Master-Key: C4F123DC359DF5C0E730F4BE2F606AE41CBA2098442009D2CEE9A8F7DF073DD7E570E463CC77E68782255F73052E7C10
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1535202080
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Then I guess it depends on your HTTPS server configuration.

Can you check your server configuration?
Can you give other TLS 1.2-only websites with failures?

The main difference is that my server (HAProxy with the strict-sni option) accepts only SNI. So you must use SNI for openssl commands (and others like check_http).

$ openssl s_client -connect benpro.fr:443 -servername benpro.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.benpro.fr
verify return:1
---
Certificate chain
 0 s:/CN=*.benpro.fr
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGDTCCBPWgAwIBAgISA2sbeR1ZcD1fZpRi8yY0VzoEMA0GCSqGSIb3DQEBCwUA
[truncated]
-----END CERTIFICATE-----
subject=/CN=*.benpro.fr
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3206 bytes and written 287 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FA40D72A72C1A051B17BC092ABBBA2F453ACC3EF93D52014B029EB5958830CB2
    Session-ID-ctx: 
    Master-Key: 31EB17CC24945EDC2A5731082531601D76B911EE7F7DE5BBE124DB6DB90B6A51E4224A021E472CA9DDDEC2CE7C91F534
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1535202988
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE
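To make the SNI point concrete, here is an added Python example (it is not chexpire's or check_http's code): an expiry check that always puts the host name in the ClientHello SNI extension, plus a small classifier that recognises the "tlsv1 unrecognized name" / "SSL alert number 112" text quoted from check_http above so that a missing-SNI rejection is reported as such rather than as a generic SSL failure. Host names are the ones from this thread; the sample output string is the one pasted earlier in the issue.

```python
import re
import socket
import ssl
import time

# OpenSSL reports TLS alert 112 (unrecognized_name) when the server refuses a
# ClientHello with no SNI or an unknown SNI, e.g. HAProxy with strict-sni.
SNI_ALERT_RE = re.compile(r"unrecognized name|SSL alert number 112|TLSV1_UNRECOGNIZED_NAME")

def classify_tls_failure(output: str) -> str:
    """Map raw check_http / openssl / Python ssl error text to a diagnosis."""
    if SNI_ALERT_RE.search(output):
        return "missing_or_unknown_sni"      # fix: pass --sni / -servername
    if "Cannot make SSL connection" in output or "handshake failure" in output:
        return "handshake_failure"
    return "unknown"

def days_remaining(not_after: str, now: float) -> float:
    """Days from `now` (epoch seconds) until a getpeercert() notAfter string."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def days_until_expiry(host: str, port: int = 443, timeout: float = 10.0) -> float:
    """Handshake with SNI set to `host`, verify chain and hostname, return days left."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname= puts `host` in the ClientHello SNI extension; without
        # it a strict-sni server answers with alert 112 instead of a certificate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return days_remaining(not_after, time.time())

def check(host: str) -> str:
    """Nagios-style status line that names the SNI failure mode explicitly."""
    try:
        days = days_until_expiry(host)
    except OSError as exc:                   # ssl.SSLError is an OSError subclass
        if classify_tls_failure(str(exc)) == "missing_or_unknown_sni":
            return f"CRITICAL - {host}: server rejected SNI '{host}' (alert 112)"
        return f"CRITICAL - {host}: {exc}"
    return f"OK - {host}: certificate expires in {days:.0f} days"

# Constructed sample: the check_http output quoted earlier in this issue.
CHECK_HTTP_OUTPUT = (
    "CRITICAL - Cannot make SSL connection.\n"
    "139651497318144:error:14094458:SSL routines:ssl3_read_bytes:"
    "tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1399:SSL alert number 112")

if __name__ == "__main__":
    print(classify_tls_failure(CHECK_HTTP_OUTPUT))  # missing_or_unknown_sni
    print(check("benpro.fr"))                       # needs network access
```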