I started downgrading openssl until I got the ./check_nrpe to work. It was after erasing crypto-policies-scripts and libssh-config that I was able to get it to work. After upgrading openssl back to current, I focused on the crypto-policies-scripts, and log story short, it is stricter policies on RHEL8 (see below links.) After setting to LEGACY, the scripts worked. The strange thing is, I had initially attempted the --ssl-version=VERSION TLSv1.2+ TLS v1.2 or above flag on check_nrpe, which should have worked on the DEFAULT setting, but for some reason it does not. Need to figure this one out so as not to be forced to use the LEGACY setting for one script.
https://access.redhat.com/articles/3666211
https://access.redhat.com/articles/3642912
What policies are provided?
Four policies are provided under the names “LEGACY”, “DEFAULT”, “FUTURE” and “FIPS”. They are summarized and described in the table below.
Policy name Description
LEGACY: This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits.
DEFAULT: The DEFAULT policy is a reasonable default policy for today's standards, aimed for a balance between usability and security. It allows the TLS 1.2 and 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047-bits.
[root@rhel8 ~]# update-crypto-policies --show
DEFAULT
[root@rhel8 plugins]# update-crypto-policies --set LEGACY
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@rhel8 ~]# update-crypto-policies --show
LEGACY
After setting to LEGACY, the scripts work
[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1
5.10.0_build.992-20200923090945
root@rhel8 plugins]# ./check_sd5_storage_health
13 physical disk(s) in the system.
Intel Corporation C600/X79 series chipset 6-Port SATA AHCI Controller
-- 2 physical disk(s)
-- The status is normal.
AVAGO 3108 MegaRAID Controller
-- 11 physical disk(s)
-- The status of RAID is normal.
[root@rhel8 plugins]# ./check_sd5_health_all
Checked: 38, OK: 38.|
CPU1_Temp=36C;0;0;0;87 CPU2_Temp=44C;0;0;0;87 System_Temp=34C;0;0;0;85 Peripheral_Temp=42C;0;0;0;85 PCH_Temp=43C;0;0;0;95 P1-DIMMA1_TEMP=35C;0;0;0;85 P1-DIMMB1_TEMP=34C;0;0;0;85 P1-DIMMC1_TEMP=33C;0;0;0;85 P1-DIMMD1_TEMP=33C;0;0;0;85 P2-DIMME1_TEMP=39C;0;0;0;85 P2-DIMMF1_TEMP=39C;0;0;0;85 P2-DIMMG1_TEMP=42C;0;0;0;85 P2-DIMMH1_TEMP=44C;0;0;0;85 FAN1=3750RPM;0;0;450;13000 FAN2=3675RPM;0;0;450;13000 FAN3=3525RPM;0;0;450;13000 FAN4=3600RPM;0;0;450;13000 FAN5=3450RPM;0;0;450;13000 FANA=3825RPM;0;0;450;13000 FANB=3825RPM;0;0;450;13000 VTT=0.992V;0;0;0.864;1.392 CPU1_Vcore=0.784V;0;0;0.512;1.52 CPU2_Vcore=0.768V;0;0;0.512;1.52 VDIMM_AB=1.328V;0;0;1.152;1.696 VDIMM_CD=1.328V;0;0;1.152;1.696 VDIMM_EF=1.328V;0;0;1.152;1.696 VDIMM_GH=1.328V;0;0;1.152;1.696 +1.1_V=1.088V;0;0;0.928;1.264 +1.5_V=1.472V;0;0;1.296;1.696 3.3V=3.312V;0;0;2.784;3.792 +3.3VSB=3.36V;0;0;2.784;3.792 5V=4.992V;0;0;4.288;5.696 +5VSB=4.928V;0;0;4.288;5.696 12V=12.084V;0;0;10.494;13.568 VBAT=3.168V;0;0;2.544;3.456 Chassis_Intru=
-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
SSLv3 SSL v3 only
SSLv3+ SSL v3 or above
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above
[root@rhel8 plugins]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1 --ssl-version=TLSv1.2+
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1