Thread: [mod-security-users] mlogc curl code 35 error
From: roger m. <rog...@gm...> - 2009-01-28 19:48:20
I installed modsecurity and mlogc on a debian (sid) box. As part of the setup, I installed libcurl4-openssl-dev version 7.18.2-8. The problem is that mlogc can't send alerts to the sensor. mlogc-error.log has the following errors:

[Tue Jan 13 01:01:01 2009] [2] [13556/8a09d90] Flagging server as errored after failure to submit entry SWwrd8CoAQoAADJ1GWEAAAAA (cURL code 35): error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
[Tue Jan 13 01:02:06 2009] [2] [13556/8a09de8] Flagging server as errored after failure to submit entry SWwrd8CoAQoAADJ1GWEAAAAA (cURL code 35): error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

I can access the console via openssl, so I think the problem is with libcurl. Any ideas which Debian package works with mlogc?

Thanks,

- RM
From: Brian R. <Bri...@br...> - 2009-01-28 23:13:14
roger munk wrote:
> I installed modsecurity and mlogc on a debian (sid) box. As part of
> the setup, I installed libcurl4-openssl-dev version 7.18.2-8. The
> problem is that mlogc can't send alerts to the sensor. mlogc-error.log
> has the following errors:
>
> [Tue Jan 13 01:01:01 2009] [2] [13556/8a09d90] Flagging server as
> errored after failure to submit entry SWwrd8CoAQoAADJ1GWEAAAAA (cURL
> code 35): error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert unexpected message
> [Tue Jan 13 01:02:06 2009] [2] [13556/8a09de8] Flagging server as
> errored after failure to submit entry SWwrd8CoAQoAADJ1GWEAAAAA (cURL
> code 35): error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert unexpected message
>
> I can access the console via openssl, so I think the problem is with
> libcurl. Any ideas which Debian package works with mlogc?

Verify that mlogc uses https in the URI and that the console is indeed running SSL on that port.

I use the Debian and Ubuntu packages here without issues.

-B

--
Brian Rectanus
Breach Security
From: Roger M. <rog...@gm...> - 2009-01-29 11:11:22
On Thu, Jan 29, 2009 at 1:13 AM, Brian Rectanus <Bri...@br...> wrote:
>
> Verify that mlogc uses https in the URI and that the console is indeed
> running SSL on that port.
>
> I use the Debian and Ubuntu packages here without issues.

Hey Brian,

I was just rereading your email to figure out what else I missed. When you said that you use the Debian package, were you referring to the Debian mod-security package or the associated support packages for mlogc (i.e. libapr1-dev, libcurl4-openssl-dev, libpcre3 and openssl)? I didn't think the latest mod-security Debian package included mlogc, thus I installed the mlogc standalone version. Is there a Debian package that already includes mlogc?

- Roger
From: roger m. <rog...@gm...> - 2009-01-29 07:57:20
On Thu, Jan 29, 2009 at 1:13 AM, Brian Rectanus <Bri...@br...> wrote:
>> I can access the console via openssl, so I think the problem is with
>> libcurl. Any ideas which Debian package works with mlogc?
>
> Verify that mlogc uses https in the URI and that the console is indeed
> running SSL on that port.

Hey Brian,

Thanks, I verified that mlogc uses HTTPS in the URI and was able to connect to the console using the openssl. The console is running on a WinXP box, if that matters. I noticed that I can connect to the console using openssl via sslv3 but not sslv2. Could mlogc be trying to connect via sslv2? Is that a configurable parameter?

Thanks,

- Roger
From: Brian R. <Bri...@br...> - 2009-01-29 18:18:53
roger munk wrote:
> On Thu, Jan 29, 2009 at 1:13 AM, Brian Rectanus
> <Bri...@br...> wrote:
>
>>> I can access the console via openssl, so I think the problem is with
>>> libcurl. Any ideas which Debian package works with mlogc?
>> Verify that mlogc uses https in the URI and that the console is indeed
>> running SSL on that port.
>
> Hey Brian,
>
> Thanks, I verified that mlogc uses HTTPS in the URI and was able to
> connect to the console using the openssl. The console is running on a
> WinXP box, if that matters. I noticed that I can connect to the
> console using openssl via sslv3 but not sslv2. Could mlogc be trying
> to connect via sslv2? Is that a configurable parameter?
>
> Thanks,
>
> - Roger

It is a handshake problem, but not sslv2 related (at least the error is an sslv3 error). This was a problem a while back with using gnutls (vs openssl). Verify that you are not using that version of curl.

Here is the thread on that one:

http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637

There was a workaround in editing the mlogc source - try that if still having issues. If that does not fix it, then I'll take a closer look.

thanks,
-B

--
Brian Rectanus
Breach Security
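
Added example, not part of the original thread and not mlogc code: the Python below parses the two mlogc-error.log lines quoted in the first message and unpacks the OpenSSL code 140773F2 into its library, function and reason fields. A reason of 1010 is OpenSSL's alert offset (1000) plus alert 10, unexpected_message, sent by the server during the handshake. The line pattern is an assumption inferred from those two lines, not a documented mlogc log format.

```python
import re
from collections import Counter

# Constructed sample input: the two mlogc-error.log lines quoted in the thread.
_TAIL = ("Flagging server as errored after failure to submit entry "
         "SWwrd8CoAQoAADJ1GWEAAAAA (cURL code 35): error:140773F2:SSL routines:"
         "SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message")
SAMPLE_LOG = ("[Tue Jan 13 01:01:01 2009] [2] [13556/8a09d90] " + _TAIL + "\n"
              "[Tue Jan 13 01:02:06 2009] [2] [13556/8a09de8] " + _TAIL + "\n")

# Assumed line shape, inferred from the sample above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\d+\] \[\d+/[0-9a-f]+\] .*?failure to submit entry "
    r"(?P<entry>\S+) \(cURL code (?P<curl>\d+)\): (?P<detail>.*)$")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + N: alert N was received from the peer
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}

def decode_openssl_code(hex_code):
    """Unpack a pre-3.0 OpenSSL error code: 8-bit lib, 12-bit func, 12-bit reason."""
    e = int(hex_code, 16)
    lib, func, reason = (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def parse_failures(log_text):
    """Return one record per failed submission; lines of any other shape are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": m["ts"], "entry": m["entry"], "curl_code": int(m["curl"]), "openssl": None}
        o = OSSL_RE.search(m["detail"])
        if o:  # the detail may not be an OpenSSL error string (other TLS backends)
            rec["openssl"] = decode_openssl_code(o.group(1))
        records.append(rec)
    return records

def summarize(records):
    """Count failures per (cURL code, peer alert) and per audit-log entry id."""
    causes = Counter()
    for r in records:
        alert = (r["openssl"] or {}).get("peer_alert")
        causes[(r["curl_code"], ALERTS.get(alert, alert))] += 1
    return causes, Counter(r["entry"] for r in records)

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```

Both sample lines carry the same entry id, so the per-entry counter shows mlogc retrying one audit entry rather than failing on two different ones.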
From: Roger M. <rog...@gm...> - 2009-01-29 18:40:47
On Thu, Jan 29, 2009 at 8:18 PM, Brian Rectanus <Bri...@br...> wrote:
> It is a handshake problem, but not sslv2 related (at least the error is
> an sslv3 error). This was a problem a while back with using gnutls (vs
> openssl). Verify that you are not using that version of curl.
>
> Here is the thread on that one:
>
> http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637

Hi Brian,

Yeah I saw that thread, tried the changes to the source, but no dice. I'm not using gnutls, so that's not the issue. In the meantime I worked around the problem by configuring mlogc to connect to http://localhost:81/... and then set up stunnel to listen on port 81 and forward the requests to the console. It works fine, but seems like an unnecessary hack.

- Roger
From: Brian R. <Bri...@br...> - 2009-01-29 19:06:02
Roger Munk wrote:
> On Thu, Jan 29, 2009 at 8:18 PM, Brian Rectanus
> <Bri...@br...> wrote:
>
>> It is a handshake problem, but not sslv2 related (at least the error is
>> an sslv3 error). This was a problem a while back with using gnutls (vs
>> openssl). Verify that you are not using that version of curl.
>>
>> Here is the thread on that one:
>>
>> http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637
>
> Hi Brian,
>
> Yeah I saw that thread, tried the changes to the source, but no dice.
> I'm not using gnutls, so that's not the issue. In the meantime I worked
> around the problem by configuring mlogc to connect to
> http://localhost:81/... and then set up stunnel to listen on port 81
> and forward the requests to the console. It works fine, but seems like
> an unnecessary hack.
>
> - Roger

I agree it is a hack, but I have never seen that issue myself.

Last I heard ModSecurity was to go back into Debian proper and Alberto said (I think) that mlogc would also be packaged.

-B

--
Brian Rectanus
Breach Security