View FAQ

[ Return To FAQ Index | Search The FAQs ]


FAQ Database : Addons : NRPE

Title:Debugging "CHECK_NRPE: Error - Could not complete SSL handshake" errors
FAQ ID:F0372
Submitted By:Jim Pirzyk 
Last Updated:03/14/2007

Description:When attempting to use the check_nrpe plugin, the following error message is printed: CHECK_NRPE: Error - Could not complete SSL handshake Further debugging may reveal this error: 657:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:../../../../common/openssl/ssl/t1_enc.c:449: 

Solution:The problem is that Solaris 10 only ships encryption modules that are 128-bit and lower because of export regulations. But, openssl believe that we still support the 256-bit encryption and so it tries to use this when connecting. But, it finds there isn't a 256-bit encryption library and throws an error. Download and install the SUNWcry and SUNWcryr packages, but they are export controled. (You are looking for the /usr/sfw/lib/libssl_extras.so.X.Y.Z library). The second solution is to change line 222 of src/nrpe.c like this: - SSL_CTX_set_cipher_list(ctx,"ADH"); + SSL_CTX_set_cipher_list(ctx,"ADH:-ADH-AES256-SHA"); and recompile.  

Keywords:check_nrpe ssl handshake solaris10 sun