omueller · March 2, 2022 19:34
diff --git a/check_nrpe_openssl098.txt b/check_nrpe_openssl098.txt
 Situation:  

 FreeBSD 12.3 upgraded host with nagios 4.4.6 and nrpe 3.2.1.  Checks to old NRPE2-based hosts (with SSL) are failing with:

 [nagios@nagios /usr/local/libexec/nagios]$ ./check_nrpe3 -H 1.2.3.4
 CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 1.2.3.4: 1

 Tried all possible variants of options, with -2, -D, etc, like "-L 'DEFAULT:!DH' -S SSLv3 -D 0", no luck.  
 Recompile nrpe3 or nrpe4 

 Syslog view:

 Mar  2 20:04:13 nagios check_nrpe2[77762]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
 Mar  2 20:04:13 nagios check_nrpe2[77763]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
 Mar  2 20:04:13 nagios check_nrpe2[77766]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
 Mar  2 20:04:13 nagios check_nrpe2[77767]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
 Mar  2 19:42:44 nagios check_nrpe[37219]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure
 Mar  2 19:42:50 nagios check_nrpe[37228]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure

 "Easy" fix would be to disable SSL on all legacy/outdated hosts.  Alternative way: 

 1) get and compile a very old openssl version:

 cd /usr/local/src
 wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zf.tar.gz
 tar xzf openssl-0.9.8zf.tar.gz
 cd openssl-0.9.8zf
 ./config --prefix=/usr/local/openssl098
 make
 make install

 2) get and compile check_nrpe v2 client linked to this old openssl:

 cd /usr/local/src
 wget -O nrpe-2.15.tar.gz http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
 tar xzf nrpe-2.15.tar.gz
 cd nrpe-2.15
 LDFLAGS="-L/usr/local/openssl098/lib" ./configure --with-ssl=/usr/local/openssl098/ --with-ssl-lib=/usr/local/openssl098 --with-ssl-inc=/usr/local/openssl098 --enable-ssl
 LDFLAGS=-L/usr/local/openssl098/lib make

 (it also seems to work with https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.2.1/nrpe-3.2.1.tar.gz) 

 3) test:

 $ /usr/local/src/nrpe-2.15/src/check_nrpe -H 1.2.4.5
 NRPE v2.15

 $ /usr/local/src/nrpe-2.15/src/check_nrpe -h

 NRPE Plugin for Nagios
 Copyright (c) 1999-2008 Ethan Galstad ([email protected])
 Version: 2.15
 Last Modified: 09-06-2013
 License: GPL v2 with exemptions (-l for more info)
 SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required


 
 This should help keeping this secondary nagios alive for a few more years :)    
 (with a call to the original check_nrpe for recent hosts, and a call to check_nrpe_legacy, added to nagios/etc/checkcommands.cfg, for the old ones) 

 20220302/om
	Situation:

	FreeBSD 12.3 upgraded host with nagios 4.4.6 and nrpe 3.2.1. Checks to old NRPE2-based hosts (with SSL) are failing with:

	[nagios@nagios /usr/local/libexec/nagios]$ ./check_nrpe3 -H 1.2.3.4
	CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 1.2.3.4: 1

	Tried all possible variants of options, with -2, -D, etc, like "-L 'DEFAULT:!DH' -S SSLv3 -D 0", no luck.
	Recompile nrpe3 or nrpe4

	Syslog view:

	Mar 2 20:04:13 nagios check_nrpe2[77762]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
	Mar 2 20:04:13 nagios check_nrpe2[77763]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
	Mar 2 20:04:13 nagios check_nrpe2[77766]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
	Mar 2 20:04:13 nagios check_nrpe2[77767]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
	Mar 2 19:42:44 nagios check_nrpe[37219]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure
	Mar 2 19:42:50 nagios check_nrpe[37228]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure

	"Easy" fix would be to disable SSL on all legacy/outdated hosts. Alternative way:

	1) get and compile a very old openssl version:

	cd /usr/local/src
	wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zf.tar.gz
	tar xzf openssl-0.9.8zf.tar.gz
	cd openssl-0.9.8zf
	./config --prefix=/usr/local/openssl098
	make
	make install

	2) get and compile check_nrpe v2 client linked to this old openssl:

	cd /usr/local/src
	wget -O nrpe-2.15.tar.gz http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
	tar xzf nrpe-2.15.tar.gz
	cd nrpe-2.15
	LDFLAGS="-L/usr/local/openssl098/lib" ./configure --with-ssl=/usr/local/openssl098/ --with-ssl-lib=/usr/local/openssl098 --with-ssl-inc=/usr/local/openssl098 --enable-ssl
	LDFLAGS=-L/usr/local/openssl098/lib make

	(it also seems to work with https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.2.1/nrpe-3.2.1.tar.gz)

	3) test:

	$ /usr/local/src/nrpe-2.15/src/check_nrpe -H 1.2.4.5
	NRPE v2.15

	$ /usr/local/src/nrpe-2.15/src/check_nrpe -h

	NRPE Plugin for Nagios
	Copyright (c) 1999-2008 Ethan Galstad ([email protected])
	Version: 2.15
	Last Modified: 09-06-2013
	License: GPL v2 with exemptions (-l for more info)
	SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required



	This should help keeping this secondary nagios alive for a few more years :)
	(with a call to the original check_nrpe for recent hosts, and a call to check_nrpe_legacy, added to nagios/etc/checkcommands.cfg, for the old ones)

	20220302/om