nrpe DH Key mismatch

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
gwakem
Posts: 238
Joined: Mon Jan 23, 2012 2:02 pm
Location: Asheville, NC

nrpe DH Key mismatch

Post by gwakem »

Hi all,

Client: nrpe agent v2.15 running as a daemon on raspbian Jessie (8.0), SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required. DH Key Size 512

Nagios Server: check_nrpe v.3.2.1 on nagios core 4.4.5, DH Key 2048. Running under raspbian Buster (10.0)

On the nagios server side I am seeing this returned: CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake

On the nagios agent side I see this: nrpe[15655]: Error: Could not complete SSL handshake. 1

Using -2 to force version 2 on the check_nrpe side does not correct the behavior, but if I disable SSL on both the check_nrpe side and on the nrpe agent side, the two sides can talk.

It appears to be a mismatch between the nrpe agent (v2.15 - 512 bit DH key) and the plugin (check_nrpe v3.2.1 - 2048 bit DH key).

Short of recompiling the nrpe agent with a higher DH key strength, is there any way to alter the behavior with a flag or option passed? I'm extremely doubtful, but figured I would ask.
--
Griffin Wakem
jdunitz
Posts: 235
Joined: Wed Feb 05, 2020 2:50 pm

Re: nrpe DH Key mismatch

Post by jdunitz »

It seemed to me that you could just generate new keys and/or upgrade openssl and it should do the right thing, but that apparently is not the case.

https://support.nagios.com/kb/article/n ... t-750.html

Recompiling appears to be your only option, other than switching over to NCPA, which is the recommended direction for the future.

NCPA on the Pi may involve a fair bit of work also, according to this post from a couple years ago:

https://github.com/NagiosEnterprises/ncpa/issues/477

Let us know how this goes!

--Jeffrey
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: nrpe DH Key mismatch

Post by benjaminsmith »

Hi,

We have instructions for compiling the latest NRPE from source on Raspbian on our knowledge-base as well.

https://support.nagios.com/kb/article/n ... l#Raspbian