Failed to establish secure connection: sslv3 alert handshake

whittakerj
Posts: 1
Joined: Sun Sep 15, 2019 11:51 pm

Post by whittakerj »

I just recently installed NEMS on a Raspberry Pi to mess around with Nagios. I'm trying to set up Windows server monitoring and I'm getting this error message. I see that it is quite common and I've tried all the fixes in the forum to no avail. Hoping someone can help me out.
error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = password

; Undocumented key
allowed hosts = 127.0.0.1,172.16.105.0/24,192.168.3.0/24

; CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = false

; TIMEOUT - Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
timeout = 30

; BIND TO ADDRESS - Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.
;bind to = UNKNOWN


; in flight - TODO
[/settings/NRPE/server]


allow arguments = true
allow nasty characters = true

; Undocumented key
verify mode = none

; Undocumented key
insecure = true

; PORT NUMBER - Port to use for NRPE.
port = 5666

; EXTENDED RESPONSE - Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).
extended response = false

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = true
;ssl options =
ssl options = no-sslv2,no-sslv3
verify mode = peer-cert


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
NSClientServer = enabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
NSCAClient = enabled

; Undocumented key
NRPEServer = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; LOG SECTION - Configure log file properties.
[/settings/log/file]

; MAXIMUM FILE SIZE - When file size reaches this it will be truncated to 50% if set to 0 (default) truncation will be disabled
max size = -1


; LOG SETTINGS - Section for configuring the log handling.
[/settings/log]

; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info

; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log

; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S


; CRASH HANDLER - Section for configuring the crash handler.
[/settings/crash]

; RESTART SERVICE NAME - The url to submit crash reports to
restart target = NSCP

; CRASH ARCHIVE LOCATION - The folder to archive crash dumps in
archive folder = ${shared-path}/crash-dumps

; SUBMISSION URL - The url to submit crash reports to
submit url = https://crash.nsclient.org/post


;
[/settings/WEB/server/users/sample]

; ROLE - The role which will grant access to this user
role = UNKNOWN

; PASSWORD - The password to use.
password = UNKNOWN


; Roles - A list of roles and with coma separated list of access rights.
[/settings/WEB/server/roles]


; Users - Users which can access the REST API
[/settings/WEB/server/users]

; sample - To configure this create a section under: /settings/WEB/server/users/sample
sample = UNKNOWN


; TARGET - Target definition for: default
[/settings/NSCA/client/targets/default]

; VERIFY MODE -
verify mode = UNKNOWN

; TIMEOUT - Timeout when reading/writing packets to/from sockets.
timeout = 30

; RETRIES - Number of times to retry sending.
retries = 3

; ALLOWED CIPHERS - A better value is: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed ciphers = UNKNOWN

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = UNKNOWN

; TARGET ADDRESS - Target host address
address = UNKNOWN

; ENCRYPTION - Name of encryption algorithm to use. Has to be the same as your server i using or it wont work at all.This is also independent of SSL and generally used instead of SSL. Available encryption algorithms are: none = No Encryption (not safe) xor = XOR des = DES 3des = DES-EDE3 cast128 = CAST-128 xtea = XTEA blowfish = Blowfish twofish = Twofish rc2 = RC2 aes128 = AES aes192 = AES aes = AES serpent = Serpent gost = GOST
encryption = aes

; SSL CERTIFICATE -
certificate = UNKNOWN


; CLIENT HANDLER SECTION -
[/settings/NSCA/client/handlers]


; NSCLIENT SERVER SECTION - Section for NSClient (NSClientServer.dll) (check_nt) protocol options.
[/settings/NSClient/server]

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = false

; PERFORMANCE DATA - Send performance data back to Nagios (set this to 0 to remove all performance data).
performance data = true

; PORT NUMBER - Port to use for check_nt.
port = 12489


; NSCA CLIENT SECTION - Section for NSCA passive check module.
[/settings/NSCA/client]

; HOSTNAME - The host name of the monitored computer. Set this to auto (default) to use the windows name of the computer. auto Hostname ${host} Hostname ${host_lc} Hostname in lowercase ${host_uc} Hostname in uppercase ${domain} Domainname ${domain_lc} Domainname in lowercase ${domain_uc} Domainname in uppercase
hostname = auto

; CHANNEL - The channel to listen to.
channel = NSCA


;
[/paths]

; Path for shared-path -
shared-path = C:\Program Files\NSClient++

; Path for certificate-path -
certificate-path = ${shared-path}/security

; Path for exe-path -
exe-path = C:\Program Files\NSClient++

; Path for module-path -
module-path = ${exe-path}/modules

; Path for base-path -
base-path = C:\Program Files\NSClient++

; Path for scripts -
scripts = ${exe-path}/scripts


; Web server - Section for WEB (WEBServer.dll) (check_WEB) protocol options.
[/settings/WEB/server]

; PORT NUMBER - Port to use for WEB server.
port = 8443

; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem

; NUMBER OF THREADS - The number of threads in the sever response pool.
threads = 10


; INCLUDED FILES - Files to be included in the configuration
[/includes]


; REMOTE TARGET DEFINITIONS -
[/settings/NSCA/client/targets]


; script: default - The configuration section for the default script.
[/settings/external scripts/scripts/default]

; IGNORE PERF DATA - Do not parse performance data from the output
ignore perfdata = UNKNOWN

; COMMAND - Command to execute
command = UNKNOWN


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]


; Wrapped scripts - A list of wrapped scripts (ie. script using a template mechanism). The template used will be defined by the extension of the script. Thus a foo.ps1 will use the ps1 wrapping from the wrappings section.
[/settings/external scripts/wrapped scripts]


; Command aliases - A list of aliases for already defined commands (with arguments). An alias is an internal command that has been predefined to provide a single command without arguments. Be careful so you don't create loops (ie check_loop=check_a, check_a=check_loop)
[/settings/external scripts/alias]

; alias_volumes_loose - To configure this create a section under: /settings/external scripts/alias/alias_volumes_loose
alias_volumes_loose = UNKNOWN

; alias_volumes - To configure this create a section under: /settings/external scripts/alias/alias_volumes
alias_volumes = UNKNOWN

; alias_service_ex - To configure this create a section under: /settings/external scripts/alias/alias_service_ex
alias_service_ex = UNKNOWN

; alias_service - To configure this create a section under: /settings/external scripts/alias/alias_service
alias_service = UNKNOWN

; alias_sched_long - To configure this create a section under: /settings/external scripts/alias/alias_sched_long
alias_sched_long = UNKNOWN

; alias_sched_all - To configure this create a section under: /settings/external scripts/alias/alias_sched_all
alias_sched_all = UNKNOWN

; alias_process_hung - To configure this create a section under: /settings/external scripts/alias/alias_process_hung
alias_process_hung = UNKNOWN

; alias_process - To configure this create a section under: /settings/external scripts/alias/alias_process
alias_process = UNKNOWN

; alias_mem - To configure this create a section under: /settings/external scripts/alias/alias_mem
alias_mem = UNKNOWN

; alias_file_size - To configure this create a section under: /settings/external scripts/alias/alias_file_size
alias_file_size = UNKNOWN

; alias_event_log - To configure this create a section under: /settings/external scripts/alias/alias_event_log
alias_event_log = UNKNOWN

; alias_disk - To configure this create a section under: /settings/external scripts/alias/alias_disk
alias_disk = UNKNOWN

; alias_cpu - To configure this create a section under: /settings/external scripts/alias/alias_cpu
alias_cpu = UNKNOWN

; alias_process_count - To configure this create a section under: /settings/external scripts/alias/alias_process_count
alias_process_count = UNKNOWN

; alias_up - To configure this create a section under: /settings/external scripts/alias/alias_up
alias_up = UNKNOWN

; alias_process_stopped - To configure this create a section under: /settings/external scripts/alias/alias_process_stopped
alias_process_stopped = UNKNOWN

; alias_disk_loose - To configure this create a section under: /settings/external scripts/alias/alias_disk_loose
alias_disk_loose = UNKNOWN

; alias_sched_task - To configure this create a section under: /settings/external scripts/alias/alias_sched_task
alias_sched_task = UNKNOWN

; alias_file_age - To configure this create a section under: /settings/external scripts/alias/alias_file_age
alias_file_age = UNKNOWN

; alias_cpu_ex - To configure this create a section under: /settings/external scripts/alias/alias_cpu_ex
alias_cpu_ex = UNKNOWN


; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


; alias: default - The configuration section for the default alias
[/settings/external scripts/alias/default]

; COMMAND - Command to execute
command = UNKNOWN


;
[/settings/WEB/server/users/default]

; ROLE - The role which will grant access to this user
role = UNKNOWN

; PASSWORD - The password to use.
password = UNKNOWN


; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]

; Command timeout - The maximum time in seconds that a command can execute. (if more then this execution will be aborted). NOTICE this only affects external commands not internal ones.
timeout = 60

; Script root folder - Root path where all scripts are contained (You can not upload/download scripts outside this folder).
script root = ${scripts}

; Load all scripts in a given folder - Load all scripts in a given directory and use them as commands.
script path = UNKNOWN

; Allow arguments when executing external scripts - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; Allow certain potentially dangerous characters in arguments - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true
./check_nrpe -H 172.16.105.5
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.16.105.5: 1
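
The configuration posted above assigns `verify mode` twice in `[/settings/NRPE/server]` (`none`, then `peer-cert`), and the thread does not say which value the agent applies. The following added example (not part of the original post, and not NSClient++ code) lists every repeated key with its line numbers and collects the TLS-related settings of that section; the function names and the embedded excerpt are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the NRPE server section from the configuration posted above.
SAMPLE_INI = """\
[/settings/NRPE/server]
allow arguments = true
; Undocumented key
verify mode = none
insecure = true
use ssl = true
;ssl options =
ssl options = no-sslv2,no-sslv3
verify mode = peer-cert
"""

SECTION = re.compile(r"^\[(.+)\]$")
TLS_KEYS = {"use ssl", "insecure", "verify mode", "ssl options"}

def parse(text):
    """Return {section: {key: [(line_no, value), ...]}}, keeping every assignment."""
    # configparser is avoided on purpose: it rejects or silently merges repeated keys.
    settings = defaultdict(lambda: defaultdict(list))
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        match = SECTION.match(line)
        if match:
            section = match.group(1)
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[section][key.lower()].append((no, value))
    return settings

def duplicates(settings):
    """Keys assigned more than once within one section, with their line numbers."""
    return {(sec, key): vals for sec, keys in settings.items()
            for key, vals in keys.items() if len(vals) > 1}

def tls_view(settings, section="/settings/NRPE/server"):
    return {k: [v for _, v in vals] for k, vals in settings[section].items() if k in TLS_KEYS}

if __name__ == "__main__":
    parsed = parse(SAMPLE_INI)
    for (sec, key), vals in duplicates(parsed).items():
        print(f"[{sec}] '{key}' is set {len(vals)} times: {vals}")
    print(tls_view(parsed))
```
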
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: Failed to establish secure connection: sslv3 alert hands

Post by mbellerue »

Have you tried this one?

On your Raspberry Pi (or faster Linux machine)

openssl dhparam -out nrpe_dh_512.pem 1024
We make that a 1024 bit key (or larger, if you like), even though we're calling it a 512 bit key in the file name. Then copy that file to your Windows host, and overwrite the key that comes with NSClient++. By default it's located at C:\Program Files\NSClient++\security\. Maybe create a backup of the existing key. Restart the NSClient service, and see if you're able to make a check of the host.

It should do anonymous DH first. You may need to add -d 1 or -d 2 to your command.