@omueller
Last active March 2, 2022 19:34
check_nrpe from new server (FreeBSD 12.3) to very old NRPE hosts
Situation:
FreeBSD 12.3 upgraded host with nagios 4.4.6 and nrpe 3.2.1. Checks to old NRPE2-based hosts (with SSL) are failing with:
[nagios@nagios /usr/local/libexec/nagios]$ ./check_nrpe3 -H 1.2.3.4
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 1.2.3.4: 1
Tried all possible variants of options, with -2, -D, etc, like "-L 'DEFAULT:!DH' -S SSLv3 -D 0", no luck.
Recompile nrpe3 or nrpe4
Syslog view:
Mar 2 20:04:13 nagios check_nrpe2[77762]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
Mar 2 20:04:13 nagios check_nrpe2[77763]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
Mar 2 20:04:13 nagios check_nrpe2[77766]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
Mar 2 20:04:13 nagios check_nrpe2[77767]: Error: (!log_opts) Could not complete SSL handshake with xxx: dh key too small
Mar 2 19:42:44 nagios check_nrpe[37219]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure
Mar 2 19:42:50 nagios check_nrpe[37228]: Error: (!log_opts) Could not complete SSL handshake with yyy: sslv3 alert handshake failure
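The "easy" fix would be to disable SSL on all legacy/outdated hosts, which leaves the NRPE traffic to them unencrypted. Alternative way:
1) get and compile a very old openssl version, installed under its own prefix (/usr/local/openssl098), separate from the system OpenSSL: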
cd /usr/local/src
wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zf.tar.gz
tar xzf openssl-0.9.8zf.tar.gz
cd openssl-0.9.8zf
./config --prefix=/usr/local/openssl098
make
make install
2) get and compile check_nrpe v2 client linked to this old openssl:
cd /usr/local/src
wget -O nrpe-2.15.tar.gz http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
tar xzf nrpe-2.15.tar.gz
cd nrpe-2.15
LDFLAGS="-L/usr/local/openssl098/lib" ./configure --with-ssl=/usr/local/openssl098/ --with-ssl-lib=/usr/local/openssl098 --with-ssl-inc=/usr/local/openssl098 --enable-ssl
LDFLAGS=-L/usr/local/openssl098/lib make
(it also seems to work with https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.2.1/nrpe-3.2.1.tar.gz)
3) test:
$ /usr/local/src/nrpe-2.15/src/check_nrpe -H 1.2.4.5
NRPE v2.15
$ /usr/local/src/nrpe-2.15/src/check_nrpe -h
NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
This should help keep this secondary nagios alive for a few more years :)
(with a call to the original check_nrpe for recent hosts, and a call to check_nrpe_legacy, added to nagios/etc/checkcommands.cfg, for the old ones)
20220302/om
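
To decide which hosts should be pointed at check_nrpe_legacy, the syslog errors shown above can be grouped by host and failure reason. The script below is an added example, not part of the original gist; the host names in the sample log are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original gist): group check_nrpe SSL handshake
# failures from syslog by host and reason.

# Constructed sample input; host names are made up for illustration.
sample_log() {
    cat <<'EOF'
Mar  2 20:04:13 nagios check_nrpe2[77762]: Error: (!log_opts) Could not complete SSL handshake with db-old-01: dh key too small
Mar  2 20:04:13 nagios check_nrpe2[77763]: Error: (!log_opts) Could not complete SSL handshake with db-old-01: dh key too small
Mar  2 19:42:44 nagios check_nrpe[37219]: Error: (!log_opts) Could not complete SSL handshake with web-old-02: sslv3 alert handshake failure
Mar  2 19:43:01 nagios sshd[40112]: Accepted publickey for nagios from 10.0.0.5 port 50022 ssh2
EOF
}

# stdin: syslog lines. stdout: "host<TAB>reason<TAB>count", sorted.
nrpe_handshake_failures() {
    awk '
    /Could not complete SSL handshake with / {
        rest = $0
        # Keep only the "<host>: <reason>" part after the fixed message text.
        sub(/^.*Could not complete SSL handshake with /, "", rest)
        sep = index(rest, ": ")
        if (sep == 0) next              # no reason given, skip the line
        host = substr(rest, 1, sep - 1)
        reason = substr(rest, sep + 2)
        count[host "\t" reason]++
    }
    END { for (k in count) print k "\t" count[k] }' | LC_ALL=C sort
}

# stdin: syslog lines. stdout: unique hosts failing for the two reasons
# shown in the gist, i.e. candidates for the check_nrpe_legacy command.
legacy_nrpe_hosts() {
    nrpe_handshake_failures |
        awk -F '\t' '$2 == "dh key too small" || $2 == "sslv3 alert handshake failure" { print $1 }' |
        LC_ALL=C sort -u
}

# Stand-alone run: show the grouped failures for the constructed sample.
sample_log | nrpe_handshake_failures
```

On the monitoring server, pipe the syslog file that receives the check_nrpe messages into legacy_nrpe_hosts; the resulting list is also the inventory of hosts that still need an NRPE/OpenSSL upgrade.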