The changes made to nrpe.c in NRPE 2.4 appear to break SSL on Solaris, causing the SSL handshake to fail:
nrpe[25972]: [ID 813741 daemon.error] Error: Could not complete SSL handshake. 2
I’m running NRPE daemon on Solaris 7 and Solaris 8 boxes with ANDIrand and/or Solaris’s /dev/urandom. I compiled NRPE 2.4 on Solaris 7 (egcs-2.91.66) and Solaris 8 (gcc 3.3.2) with OpenSSL 0.9.8a just like I did with NRPE 2.3 using:
./configure --enable-ssl --with-nrpe-group=nobody --prefix=/usr/local
My nagios host is a Linux RHEL4 AS U3 box.
===============================================
SSL worked fine with NRPE 2.3:
vulture:# uname -a
SunOS vulture 5.7 Generic_106541-17 sun4u sparc
darlene:# uname -a
SunOS darlene 5.8 Generic_108528-29 sun4u sparc SUNW,UltraAX-i2
[root@chiseler]# uname -a
Linux chiseler.swbs.gtri.gatech.edu 2.6.9-34.EL #1 Fri Feb 24 16:44:51 EST 2006 i686 i686 i386 GNU/Linux
[root@chiseler]# check_nrpe -H -c check_disksuite
OK: All metadevices are Okay
[root@chiseler ]# check_nrpe -H -c check_disksuite
OK: All metadevices are Okay
===============================================
SSL is broken with NRPE 2.4:
[root@chiseler]# check_nrpe -H -c check_disksuite
CHECK_NRPE: Error - Could not complete SSL handshake.
[root@chiseler]# check_nrpe -H -c check_disksuite
CHECK_NRPE: Error - Could not complete SSL handshake.
Yes, NRPE is starting up with TLS/SSL support:
vulture nrpe[17282]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
but it gets this error:
vulture nrpe[17301]: Error: Could not complete SSL handshake. 2
Digging further, it appears that when SSL is enabled in the NRPE 2.4 daemon, it immediately closes the connection, not even waiting for an SSL handshake:
[root@chiseler]# check_nrpe -H -c check_disksuite
CHECK_NRPE: Error - Could not complete SSL handshake.
[root@chiseler]# telnet 5666
Trying X.X.X.X...
Connected to X.X.X.X (X.X.X.X).
Escape character is '^]'.
Connection closed by foreign host.
whereas the NRPE 2.3 daemon allows data to be sent on the connection and doesn’t close the connection until I send an invalid SSL handshake:
[root@chiseler]# telnet 5666
Trying X.X.X.X...
Connected to X.X.X.X (X.X.X.X).
Escape character is '^]'.
hello there nrpe daemon i am typing at you [RETURN]
Connection closed by foreign host.
You might think this is a TCP wrappers problem. Except I don’t have TCP wrappers installed on the Solaris boxes (./configure confirms, failing to find tcpd.h and libwrap) and that wouldn’t explain why it works with 2.3.
Any ideas? Thanks.
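
The telnet comparison described in the post can be scripted so the two behaviours are told apart the same way on every host. This is an added example, not part of the original post or of NRPE; the function names, the `idle` wait and the loopback stand-in daemon are assumptions constructed for illustration.

```python
import socket
import threading

def probe_close_timing(host, port, idle=2.0, junk=b"hello there nrpe daemon\r\n"):
    """Report when a TCP service drops a client that never starts a TLS handshake.

    "closed_before_data": peer closed while we were silent (the 2.4 symptom in the post)
    "closed_after_data":  peer waited, then closed on non-TLS bytes (the 2.3 behaviour)
    "still_open":         peer kept the connection open after the non-TLS bytes
    """
    with socket.create_connection((host, port), timeout=idle) as s:
        try:  # Phase 1: stay silent, like the idle telnet session
            if s.recv(1) == b"":
                return "closed_before_data"
        except socket.timeout:
            pass  # no close within `idle` seconds: the peer is waiting for input
        except ConnectionResetError:
            return "closed_before_data"
        try:  # Phase 2: send bytes that are not a TLS ClientHello
            s.sendall(junk)
            if s.recv(1) == b"":
                return "closed_after_data"
        except socket.timeout:
            return "still_open"
        except (ConnectionResetError, BrokenPipeError):
            return "closed_after_data"
        return "still_open"

def fake_daemon(close_immediately):
    """Constructed loopback stand-in for the two behaviours; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if not close_immediately:
            conn.recv(1024)  # wait for client bytes before dropping the client
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for label, immediate in (("close at once", True), ("wait for bytes", False)):
        print(label, "->", probe_close_timing("127.0.0.1", fake_daemon(immediate), idle=0.5))
```

Pointing `probe_close_timing` at a monitored host on port 5666 gives "closed_before_data" when the daemon drops the socket before any handshake bytes arrive, which places the failure in the daemon's connection handling rather than in the SSL negotiation itself.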