nrpe DH Key mismatch
Posted: Tue Mar 17, 2020 8:54 am
Hi all,
Client: nrpe agent v2.15 running as a daemon on raspbian Jessie (8.0), SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required. DH Key Size 512
Nagios Server: check_nrpe v.3.2.1 on nagios core 4.4.5, DH Key 2048. Running under raspbian Buster (10.0)
On the nagios server side I am seeing this returned: CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake
On the nagios agent side I see this: nrpe[15655]: Error: Could not complete SSL handshake. 1
Using -2 to force version 2 on the check_nrpe side does not correct the behavior, but if I disable ssl on both the check_nrpe side and on the nrpe agent side, the two sides can talk.
It appears to be a mismatch between the nrpe agent (v2.15 - 512 bit DH key) and the plugin (check_nrpe v3.2.1 - 2048 bit DH key).
Short of recompiling the nrpe agent with a higher DH key strength, is there any way to alter the behavior with a flag or option passed? I'm extremely doubtful, but figured I would ask.