FS#53850 - [nrpe] "Error: Could not complete SSL handshake with 127.0.0.1: 1" since OpenSSL 1.1

Attached to Project: Community Packages
Opened by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 10:43 GMT
Last edited by Jonathan Steel (jsteel) - Tuesday, 09 May 2017, 10:58 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Jonathan Steel (jsteel)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

Since doing a full system upgrade and a subsequent reboot yesterday, all connections from check_nrpe to the nrpe daemon fail with the error message mentioned in the subject. This happens with a configuration file that used to work until right before the upgrade. This also happens with the default configuration file as provided by the nrpe package. This happens with check_nrpe running on a different machine (CentOS with Nagios installed), and it happens with check_nrpe running on localhost (meaning the binary from the same package the nrpe daemon comes from).

The only way to get it working again is to run both the nrpe daemon and the check_nrpe client with the "-n" option in order to disable SSL.

I'm fully aware that the most common cause of the "could not complete SSL handshake" message is "allowed_hosts" being wrong. This is not the case for me: the configuration used to work before the update and fails afterwards, and the default configuration allows 127.0.0.1 and even a connection from there doesn't work.

Re-compiling the nrpe 3.1.0-1 package on my system didn't change anything.

Additional info:
* package versions: nrpe 3.1.0-1, openssl 1.1.0.e-1
* config files: use the standard nrpe.cfg file from the nrpe package
* journal from such a communication:

Apr 27 12:39:52 sweet-chili nrpe[7704]: add_ipv4_to_acl: Error, ip-address >::1< incorrect length
Apr 27 12:39:52 sweet-chili nrpe[7704]: Starting up daemon
Apr 27 12:39:52 sweet-chili nrpe[7704]: Server listening on 0.0.0.0 port 5666.
Apr 27 12:39:52 sweet-chili nrpe[7704]: Server listening on :: port 5666.
Apr 27 12:39:52 sweet-chili nrpe[7704]: Listening for connections on port 5666
Apr 27 12:39:52 sweet-chili nrpe[7704]: Allowing connections from: 127.0.0.1,::1
Apr 27 12:39:55 sweet-chili nrpe[7795]: Error: Could not complete SSL handshake with 127.0.0.1: 1
Apr 27 12:39:55 sweet-chili check_nrpe[7793]: Error: Could not complete SSL handshake with 127.0.0.1: rc=-1 SSL-error=1

Steps to reproduce:

* purge any traces of an existing installation of nrpe
* make sure system is up to date and has openssl 1.1.0.e-1 or later installed
* install nrpe
* leave configuration at its default
* start the nrpe daemon, either manually or via systemd
* run "/usr/lib/monitoring-clients/check_nrpe -H 127.0.0.1 -c check_users"
* observe the error from both check_nrpe (in the terminal) and the nrpe daemon (in the journal)

Closed by Jonathan Steel (jsteel)
Tuesday, 09 May 2017, 10:58 GMT
Reason for closing: Fixed
Comment by Stefano (senden9) - Thursday, 27 April 2017, 11:27 GMT
Hi,
Same behaviour if you additionally install the package „openssl-1.0“?
Comment by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 11:47 GMT
openssl-1.0 1.0.2.k-3 was already installed when I tested: failure.

I cannot test removing openssl-1.0 as that would remove quite a lot of other important packages from my two production servers.
Comment by Jonathan Steel (jsteel) - Thursday, 27 April 2017, 17:22 GMT
Does 3.0.1-4 give you the same issue? (3.1.0-1 is in testing and I haven't tried it yet)
Comment by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 17:31 GMT
Same problem with 3.0.1-4: I've again tried `check_nrpe -H 127.0.0.1 -c check_users` with both check_nrpe and the nrpe daemon from the same host & same package.
Comment by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 17:33 GMT
Addendum & correction: I don't usually use testing. In this particular case I've re-compiled 3.1.0-1 via ABS before submitting the bug, hence me having 3.1.0-1 installed at that moment. It's the only thing from testing I have installed, but like I said, the problem happens with both 3.0.1-4 and 3.1.0-1.
Comment by Jonathan Steel (jsteel) - Thursday, 27 April 2017, 17:36 GMT
No it's still in testing; I put it there and haven't moved it out yet. Someone else did the 3.0.1-4 build; I'll look into it. But you might want to look into why you are getting testing packages!
Comment by Jonathan Steel (jsteel) - Thursday, 27 April 2017, 17:53 GMT
Sorry just missed your last comment. Best to raise this issue upstream; I just tried the latest in git on the maint branch and it is no better.
Comment by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 18:17 GMT
Comment by Jonathan Steel (jsteel) - Monday, 08 May 2017, 18:47 GMT
Please try nrpe-3.1.0-2. I've rebuilt it against openssl 1.0 and it looks OK to me. As soon as upstream get it working with openssl 1.1 I'll do a new build against that.
Comment by Moritz Bunkus (mbunkus) - Tuesday, 09 May 2017, 08:29 GMT
After installing nrpe-3.1.0-2 and removing the "-n" parameter from both the NRPE daemon and check_nrpe invocation everything works fine again. As a workaround that's fine. Thanks.
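
The triage reasoning used in the report (a handshake error from a client that allowed_hosts already permits is not an ACL problem), applied to the journal format quoted above. This is an added example, not code from the ticket or from NRPE; the function names and the fourth sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Journal lines quoted from the report above, plus one constructed line
# (peer 192.0.2.10, a documentation address) to show the other outcome.
SAMPLE = """\
Apr 27 12:39:52 sweet-chili nrpe[7704]: Allowing connections from: 127.0.0.1,::1
Apr 27 12:39:55 sweet-chili nrpe[7795]: Error: Could not complete SSL handshake with 127.0.0.1: 1
Apr 27 12:39:55 sweet-chili check_nrpe[7793]: Error: Could not complete SSL handshake with 127.0.0.1: rc=-1 SSL-error=1
Apr 27 12:40:01 sweet-chili nrpe[7801]: Error: Could not complete SSL handshake with 192.0.2.10: 1
"""

ALLOW_RE = re.compile(r"nrpe\[\d+\]: Allowing connections from: (?P<hosts>.+)$")
FAIL_RE = re.compile(
    r"(?P<proc>nrpe|check_nrpe)\[(?P<pid>\d+)\]: Error: Could not complete "
    r"SSL handshake with (?P<peer>[0-9A-Fa-f:.]+): (?P<detail>.+)$")


def parse_allowed(hosts):
    """Turn an allowed_hosts string into networks; hostname entries are skipped."""
    nets = []
    for item in hosts.split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            pass  # hostname: not resolved in this offline example
    return nets


def triage(journal_text):
    """Return one dict per handshake failure found in the journal text."""
    allowed, findings = [], []
    for line in journal_text.splitlines():
        if m := ALLOW_RE.search(line):
            allowed = parse_allowed(m.group("hosts"))
        elif m := FAIL_RE.search(line):
            peer = ipaddress.ip_address(m.group("peer"))
            # Only the daemon's line names the connecting client; check_nrpe
            # logs the server it contacted, so the ACL test does not apply.
            ok = any(peer in n for n in allowed) if m["proc"] == "nrpe" else None
            findings.append({"proc": m["proc"], "pid": int(m["pid"]),
                             "peer": str(peer), "detail": m["detail"],
                             "peer_allowed": ok})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A daemon-side finding with `peer_allowed` set to `True` matches the situation in this report, where allowed_hosts can be set aside; `False` points back at the ACL.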
