[Pkg-nagios-devel] Bug#849417: Bug#849417: nagios-nrpe-server: segfault during SSL negotiation with older NRPE 2.15 plugin

Sebastiaan Couwenberg sebastic at xs4all.nl
Mon Dec 26 21:16:32 UTC 2016

Control: tags -1 unreproducible moreinfo

Hi Adam,

Thanks for reporting this issue. Unfortunately I cannot reproduce it.

On 12/26/2016 09:06 PM, Adam Di Carlo wrote:
> Given a situation where a debian/stable (Jessie) server is polling an
> NRPE node running the latest unstable NRPE server, with all debugging
> enabled (ssl_logging=-1), I am getting the following segfault, as reported in
> /var/log/syslog:
> Dec 26 14:49:38 salsa nrpe[14736]: Connection from port 59564
> Dec 26 14:49:38 salsa nrpe[14736]: Host address is in allowed_hosts
> Dec 26 14:49:38 salsa kernel: [176235.037105] nrpe[14736]: segfault at 50000335 ip 00007fd44f408496 sp 00007ffd5abfb418 error 4 in libc-2.24.so[7fd44f388000+195000]
> However, if I rachet down the SSL debugging, e.g., ssl_logging=0x03,
> the segfault disappears. 

To help reproduce this issue, can you clarify how nagios-nrpe-server is
configured. I assume that you configured SSL before removing the -n
option of the nrpe daemon? Do you use a CA certificate, or self-signed?

-- System Information:
> -- Configuration Files:
> /etc/default/nagios-nrpe-server changed:

Please note that the /etc/default/nagios-nrpe-server changed in
nagios-nrpe (3.0.1-3) because of the systemd service file.

The USE_SSL option is no longer used, instead the NRPE_OPTS variable is
used to disable SSL in both the init script and systemd service file.
The default content is now as attached.

> /etc/nagios/nrpe.cfg changed:
> log_facility=daemon
> debug=1
> pid_file=/var/run/nagios/nrpe.pid
> server_port=5666
> nrpe_user=nagios
> nrpe_group=nagios
> allowed_hosts=,
> dont_blame_nrpe=1
> allow_bash_command_substitution=0
> command_timeout=60
> connection_timeout=300
> ssl_version=SSLv2+
> ssl_logging=-1

It doesn't look like you configured SSL, but you did enable the feature.

To use SSL in NRPE 3.x you'll need to configure at least a certificate
file (ssl_cert_file) and its key (ssl_privatekey_file), e.g. for the
snakeoil certificate generated by the ssl-cert package:


For proper SSL certificates you also need to configure the path to the
CA certificate (including intermediate certificates) in ssl_cacert_file.

Also note that setting dont_blame_nrpe=1 has no effect, the package is
not configured with --enable-command-args.

Kind Regards,


 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
-------------- next part --------------
# defaults file for nagios-nrpe-server
# (this file is a /bin/sh compatible fragment)

# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the
# nrpe daemon.
# The -n option disables SSL support.
# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.

# NICENESS is if you want to run the server at a different nice() priority.
# (only used by the init script)

# INETD is if you want to run the server via inetd (default=0, run as daemon).
# (only used by the init script)

More information about the Pkg-nagios-devel mailing list