[Nagios-devel] NRPE SSL_shutdown patch

Hello,

I came across the same TCP RST issue as reported in
http://tracker.nagios.org/view.php?id=305. I've attached a patch for
nrpe.c, and also check_nrpe.c as pointed out by dnsmichi.

The problem is that when we call SSL_shutdown() only once, the server
sends an SSL shutdown message to the client. The client then responds
with its own SSL shutdown message, and this ends up in the server's
socket receive buffer. However, since we never consume this message,
the kernel will send a RST to the client when the server process
exits. This pollutes our firewall logs and makes it harder to detect
more serious TCP errors in our monitoring.

The solution is to call SSL_shutdown() at least twice, and up to 4
times to be safe (usually SSL_shutdown() will return 1 after two
calls). There's a good explanation of this behaviour in the links I
provided within the bug report. I won't take up too much space
explaining it here.

Please apply the attached patch. Thanks!

Jari

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
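
The receive-buffer effect described in the post, reproduced with plain TCP on loopback as an added example (not part of the original post or of NRPE's code). It uses no TLS: the function name `close_result` and the "BYE" bytes standing in for the client's SSL shutdown message are assumptions made for the demonstration, and the reset on close with unread data is the behaviour of Linux TCP.

```c
/* Added example: plain TCP on loopback, no TLS. "BYE" is constructed
   placeholder data standing in for the peer's SSL shutdown message. */
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 if the client sees a clean EOF, 1 if it sees a reset, -1 on a
   setup error. drain != 0: the server reads the pending bytes before close. */
int close_result(int drain)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    struct pollfd p;
    char buf[16]; ssize_t n;
    int result = -1, srv = -1;
    int lsn = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks */
    if (lsn < 0 || cli < 0 ||
        bind(lsn, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lsn, 1) < 0 ||
        getsockname(lsn, (struct sockaddr *)&addr, &len) < 0 ||
        connect(cli, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        (srv = accept(lsn, NULL, NULL)) < 0)
        goto out;
    if (send(cli, "BYE", 3, 0) != 3) goto out;   /* peer's reply is sent */
    p.fd = srv; p.events = POLLIN; p.revents = 0;
    if (poll(&p, 1, 2000) != 1) goto out;        /* it is now in srv's buffer */
    if (drain && recv(srv, buf, sizeof(buf), 0) != 3) goto out;
    close(srv); srv = -1;                        /* same effect as process exit */
    n = recv(cli, buf, sizeof(buf), 0);
    result = (n == 0) ? 0 : (n < 0 && errno == ECONNRESET) ? 1 : -1;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli); if (lsn >= 0) close(lsn);
    return result;
}

int main(void)
{
    printf("no drain: %d, drain: %d\n", close_result(0), close_result(1));
    return 0;
}
```
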