CHECK_NRPE: Error - could not complete SSL handshake on Sola


#1

Hi,
I get the SSL handshake not complete error (on Solaris 9) when testing the check_nrpe command from my nagios server. I think I am missing the command line switches for ssl support needed (The nagios.org page mentions them but does not give any further information). I believe that I compiled nrpe with ssl support but am not sure how to verify that.
Any help will be appreciated - Thanks
Ken


#2

I had the same problem. In my case, I simply forgot to create the certificates and have them signed (from my own CA).
To test, you can verify your certificate (openssl> verify …)

Hope it helps.
Fred


#3

Generated the certificate but how does one tell nrpe where to look to find the certificate?


#4

Per the README.SSL that came with nrpe.
"NRPE With SSL/TLS

NRPE now has the option for Encrypting Network traffic using
SSL/TLS from openssl.

The Encryption is done using a set encryption routine of
AES-256 Bit Encryption using SHA and Anon-DH. This encrypts
all traffic using the NRPE sockets from the client to the server.

Since we are using Anon-DH this allows for an encrypted
SSL/TLS Connection without using pre-generated keys or
certificates. The key generation information used by the
program to dynamically create keys on daemon startup can be found
in the dh.h file in the nrpe src directory. This file was created
using the command:

openssl dhparam -C 512

which outputs the C code in dh.h. For your own security you can replace
that file with your own dhparam generated code.

As of this time you will need to have the latest greatest version of
OpenSSL (tested against version 0.9.7a) since not all versions have
the AES algorithm in them.

I am not aware that at this time this code is restricted under export
restrictions but I leave that verification process up to you.

Thoughts and suggestions are welcome and I can be reached on the
Nagios and NagiosPlug Mailing Lists.

    - Derrick"

So it looks like you do this part “For your own security you can replace
that file with your own dhparam generated code.”
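
Added example (not part of the thread and not NRPE's own code): a small Python check that reads a `dh.h` produced by `openssl dhparam -C`, as the README above describes, and reports the size of the DH prime compiled into the daemon. The `dhNNN_p` / `dhNNN_g` array naming, the 2048-bit threshold and the sample header are assumptions; the sample bytes are constructed for illustration and are not a real prime.

```python
import re

# Assumed policy threshold (not from the thread): flag DH primes smaller than this.
MIN_DH_BITS = 2048

# Assumed layout of `openssl dhparam -C` output: arrays named dhNNN_p and dhNNN_g.
ARRAY_RE = re.compile(
    r"static\s+unsigned\s+char\s+dh(\d+)_([pg])\s*\[\]\s*=\s*\{([^}]*)\}", re.S)

# Constructed sample header: 64 filler bytes standing in for a 512-bit prime.
_BODY = ",".join(["0xDA"] + ["0x5A"] * 62 + ["0x13"])
SAMPLE_DH_H = (
    "DH *get_dh512()\n\t{\n"
    "\tstatic unsigned char dh512_p[]={\n\t\t" + _BODY + ",\n\t\t};\n"
    "\tstatic unsigned char dh512_g[]={\n\t\t0x02,\n\t\t};\n"
)

def parse_dh_header(text):
    """Extract p, g and the bit size named in the array identifiers."""
    found = {}
    for declared, name, body in ARRAY_RE.findall(text):
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9A-Fa-f]{1,2})", body))
        if not raw:
            raise ValueError(f"empty dh{declared}_{name} array")
        found[name] = int.from_bytes(raw, "big")
        found["declared_bits"] = int(declared)
    if "p" not in found or "g" not in found:
        raise ValueError("no dhNNN_p / dhNNN_g arrays found")
    return found

def audit_dh_header(text, min_bits=MIN_DH_BITS):
    """Return (prime_bits, issues) for the DH parameters in a dh.h file."""
    params = parse_dh_header(text)
    bits = params["p"].bit_length()
    issues = []
    if bits < min_bits:
        issues.append(f"prime is {bits} bits, below {min_bits}")
    if bits != params["declared_bits"]:
        issues.append(f"array name says {params['declared_bits']} bits, data is {bits}")
    if params["p"] % 2 == 0:
        issues.append("prime is even: corrupt file or not DH parameters")
    return bits, issues

if __name__ == "__main__":
    print(audit_dh_header(SAMPLE_DH_H))
```

To check a real build, pass the contents of `dh.h` from the nrpe source directory to `audit_dh_header` instead of the sample.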