What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Some HTTP sensors show an SSL error after a PRTG update. What can I do?

Votes:

0

After updating to PRTG version 16.3.24.4979/4980, some of my HTTP sensors and other sensors which are based on HTTP requests show a down status because they fail to establish a secure connection.

The complete error message is:

Failed to establish secure connection [Step 0] Error connecting with SSL. Error connecting with SSL. error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small [Step 1] Error connecting with SSL. Error connecting with SSL. error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small [Step 2] Error connecting with SSL. Error connecting with SSL. error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small [Step 3] Error connecting with SSL. Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number [Step 4] Error connecting with SSL. Error connecting with SSL. error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol [Unsecure] IOHandler value is not valid

This error affects only some of the target servers which I monitor with PRTG. Why does establishing a secure connection fail after the PRTG update? Did you change the security level of SSL encrypted connections? What can I do to solve this “error connecting with SSL”?

error error-messages http https prtg security ssl update

Created on Jul 21, 2016 4:49:11 PM by Gerald Schoch [Paessler Support]

Last change on Sep 29, 2016 1:47:50 PM by Martina Wittmann [Paessler Support]



3 Replies

Accepted Answer

Votes:

1

This article applies to PRTG Network Monitor 16.3.24.4979/4980 or later

Establishing Secure Connections with HTTP Sensors

PRTG version 16.3.24.4979/4980 comes with several security fixes as described in the release notes for this version. These fixes also include an update of the underlying OpenSSL library to version 1.0.1t to improve security.

This OpenSSL version rejects handshakes with Diffie-Hellman (D–H) parameters shorter than 768 bits to protect TLS clients against potential man-in-the-middle attacks (the Logjam vulnerability in this case). Please see OpenSSL Security Advisory [11 Jun 2015] (CVE-2015-4000) for details.

If the security of a server that you monitor is outdated and it does not support the requried D–H key length, establishing a secure connection will fail after the PRTG update to version 16.3.24.4979/4980 or later. Your HTTP sensors will show an SSL connection error on this target server.

We strongly recommend that you upgrade affected servers to protect them against potential vulnerabilities!

This is also the only way to solve issues with SSL connections of sensors based on HTTP requests. Although we always try to avoid such incompatibilities, this is necessary to keep the high security standard of PRTG.

Created on Jul 21, 2016 4:55:21 PM by Gerald Schoch [Paessler Support]



Votes:

0

this is not an acceptable answer. we have some servers that cannot be updated (running 3rd party software).

Created on Sep 14, 2016 8:45:02 AM



Votes:

0

In case you have exactly this "key too small error" mentioned above, then I'm afraid your only option is to downgrade PRTG to a version before 16.3.24.4979/4980. You find the installer of the last version before upgrading in <prtg_install_directory>\PRTG Installer Archive.

Kind regards,

Erhard

Created on Sep 15, 2016 10:42:23 AM by Erhard Mikulik [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.