RTRMON Failed SSL handshake

JTnola

Senior Member
Can someone please point me to a resource/reference I can look at to better understand what’s happening here and how to fix it? (…or if there’s even anything that needs fixing?) Thank you!!

SSL Handshake Test... [Failed] | nc -w3 8.8.8.8 443 && echo | openssl s_client -connect 8.8.8.8:443 | awk 'ha>

 
It's running this command:
Code:
nc -w3 8.8.8.8 443 >/dev/null 2>&1 && echo | openssl s_client -connect 8.8.8.8:443 >/dev/null 2>&1 |  awk 'handshake && $1 == "Verification" { if ($2=="OK") exit; exit 1 } 1 $2 == "SSLhandshake" { handshake = 1 }'
I don't know what it's intended to do, since the ncat never seems to return control.
 
The gist of it appears to be:
Code:
echo | openssl s_client -connect 8.8.8.8:443

And failing when it doesn't see "OK" for the "Verification":
Code:
---
SSL handshake has read 2616 bytes and written 373 bytes
Verification error: unable to get local issuer certificate
---

Works OK on my Ubuntu box, so a router certificate problem?
Code:
---
SSL handshake has read 4646 bytes and written 373 bytes
Verification: OK
---
 
I guess I don't understand yet how the awk works when the openssl output is redirected to null.
 
It's because it's not interested in the STDOUT output, only the STDERR output. Which is why there's a 2>&1. At least I think that's what it's doing.
You're right, it makes no sense.
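The redirection question raised in the posts above, as an added example that is not part of the thread or of RTRMON's own code: with `>/dev/null 2>&1` placed before the pipe, both streams are discarded and the parser reads empty input. `sample_s_client` is a constructed stand-in for `echo | openssl s_client -connect 8.8.8.8:443` so the block runs offline; `verify_handshake`, `check_starved` and `check_piped` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample output, modelled on the two excerpts quoted in the thread.
# $1 = "ok" (verified chain) or anything else (issuer certificate not found).
sample_s_client() {
    echo "CONNECTED(00000003)"
    echo "---"
    if [ "$1" = "ok" ]; then
        echo "SSL handshake has read 4646 bytes and written 373 bytes"
        echo "Verification: OK"
    else
        echo "SSL handshake has read 2616 bytes and written 373 bytes"
        echo "Verification error: unable to get local issuer certificate"
    fi
    echo "---"
}

# Reads s_client output on stdin. Succeeds only when the first "Verification"
# line after "SSL handshake has read ..." is exactly "Verification: OK".
# Empty or truncated input fails, so a starved pipe cannot pass silently.
verify_handshake() {
    awk '
        $1 == "SSL" && $2 == "handshake" { handshake = 1; next }
        handshake && !seen && $1 ~ /^Verification/ {
            seen = 1
            ok = ($1 == "Verification:" && $2 == "OK")
        }
        END { exit !ok }
    '
}

# Plumbing as in the command quoted in the thread: stdout is pointed at
# /dev/null, then stderr is duplicated onto it, so nothing reaches the pipe.
check_starved() { sample_s_client "$1" >/dev/null 2>&1 | verify_handshake; }

# Corrected plumbing: stderr is merged into the pipe and nothing is discarded.
check_piped() { sample_s_client "$1" 2>&1 | verify_handshake; }

for mode in ok bad; do
    check_piped "$mode"   && echo "piped/$mode: pass"   || echo "piped/$mode: fail"
    check_starved "$mode" && echo "starved/$mode: pass" || echo "starved/$mode: fail"
done

# Against a live host, the same parser would be fed like this:
#   echo | openssl s_client -connect 8.8.8.8:443 2>&1 | verify_handshake
```

A "Verification error" result on the router that does not reproduce on another machine points at the router's trusted CA store rather than at the remote host.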
 
Looks like it was broken when first implemented, then fixed with commit 9b0e30e, and then broken again in commit c91a2ab. So I'm guessing this hasn't worked for years and nobody noticed or cared about it.
 
Works fine on both my main router and all mesh nodes.
 

What seems broken about it?

Nevermind... I'll work on some repairs to this statement. But you're right. Never noticed it was doing something wrong.
 
Aw, y'all made me feel better.
Your fix has made it into new RTRMON and VPNMON-R3 releases this evening. Please let me know if your test passed with flying colors now! :)
 
