[Pkg-nagios-devel] Bug#849417: Bug#849417: nagios-nrpe-server: segfault during SSL negotiation with older NRPE 2.15 plugin

Sebastiaan Couwenberg sebastic at xs4all.nl
Mon Dec 26 21:16:32 UTC 2016


Control: tags -1 unreproducible moreinfo

Hi Adam,

Thanks for reporting this issue. Unfortunately I cannot reproduce it.

On 12/26/2016 09:06 PM, Adam Di Carlo wrote:
> Given a situation where a debian/stable (Jessie) server is polling an
> NRPE node running the latest unstable NRPE server, with all debugging
> enabled (ssl_logging=-1), I am getting the following segfault, as reported in
> /var/log/syslog:
> 
> Dec 26 14:49:38 salsa nrpe[14736]: Connection from 192.168.1.5 port 59564
> Dec 26 14:49:38 salsa nrpe[14736]: Host address is in allowed_hosts
> Dec 26 14:49:38 salsa kernel: [176235.037105] nrpe[14736]: segfault at 50000335 ip 00007fd44f408496 sp 00007ffd5abfb418 error 4 in libc-2.24.so[7fd44f388000+195000]
> 
> However, if I ratchet down the SSL debugging, e.g., ssl_logging=0x03,
> the segfault disappears.

To help reproduce this issue, can you clarify how nagios-nrpe-server is
configured? I assume that you configured SSL before removing the -n
option of the nrpe daemon? Do you use a CA certificate, or self-signed?

-- System Information:
> -- Configuration Files:
> /etc/default/nagios-nrpe-server changed:
> USE_SSL=1

Please note that the /etc/default/nagios-nrpe-server file changed in
nagios-nrpe (3.0.1-3) because of the systemd service file.

The USE_SSL option is no longer used; instead, the NRPE_OPTS variable is
used to disable SSL in both the init script and systemd service file.
The default content is now as attached.

> /etc/nagios/nrpe.cfg changed:
> log_facility=daemon
> debug=1
> pid_file=/var/run/nagios/nrpe.pid
> server_port=5666
> nrpe_user=nagios
> nrpe_group=nagios
> allowed_hosts=127.0.0.1,192.168.1.5
> dont_blame_nrpe=1
> allow_bash_command_substitution=0
> command_timeout=60
> connection_timeout=300
> ssl_version=SSLv2+
> ssl_logging=-1

It doesn't look like you configured SSL, but you did enable the feature.

To use SSL in NRPE 3.x you'll need to configure at least a certificate
file (ssl_cert_file) and its key (ssl_privatekey_file), e.g. for the
snakeoil certificate generated by the ssl-cert package:

 ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 ssl_privatekey_file=/etc/ssl/private/ssl-cert-snakeoil.key

For proper SSL certificates you also need to configure the path to the
CA certificate (including intermediate certificates) in ssl_cacert_file.

Also note that setting dont_blame_nrpe=1 has no effect; the package is
not configured with --enable-command-args.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
-------------- next part --------------
# defaults file for nagios-nrpe-server
# (this file is a /bin/sh compatible fragment)

# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the
# nrpe daemon.
#
# The -n option disables SSL support.
# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
NRPE_OPTS="-n"

# NICENESS is if you want to run the server at a different nice() priority.
# (only used by the init script)
#NICENESS=5

# INETD is if you want to run the server via inetd (default=0, run as daemon).
# (only used by the init script)
#INETD=0
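
An added example (not part of the original message or of the nagios-nrpe package): a Python check for the misconfiguration described in the reply, where SSL is left enabled without ssl_cert_file and ssl_privatekey_file. The function names and sample inputs are constructed here, and the script assumes SSL is on whenever NRPE_OPTS does not contain a standalone -n token.

```python
import shlex

# Constructed samples modelled on the files quoted in the thread.
SAMPLE_DEFAULTS = "USE_SSL=1\n"  # old-style file: no NRPE_OPTS, so no -n
SAMPLE_NRPE_CFG = """\
allowed_hosts=127.0.0.1,192.168.1.5
dont_blame_nrpe=1
ssl_version=SSLv2+
ssl_logging=-1
"""

def parse_kv(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def ssl_enabled(defaults_text):
    """Assumption: SSL is on unless NRPE_OPTS holds a standalone -n."""
    opts = parse_kv(defaults_text).get("NRPE_OPTS", "")
    # Strip shell quoting, then split the option string into tokens.
    tokens = " ".join(shlex.split(opts, comments=True)).split()
    return "-n" not in tokens

def check(defaults_text, cfg_text):
    """Return findings for the points raised in the reply above."""
    defaults, cfg = parse_kv(defaults_text), parse_kv(cfg_text)
    findings = []
    if ssl_enabled(defaults_text):
        for key in ("ssl_cert_file", "ssl_privatekey_file"):
            if not cfg.get(key):
                findings.append(f"SSL enabled (no -n) but {key} is unset")
    if "USE_SSL" in defaults:
        findings.append("USE_SSL is no longer used; set NRPE_OPTS instead")
    if cfg.get("dont_blame_nrpe") == "1":
        findings.append("dont_blame_nrpe=1 has no effect in this package")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE_DEFAULTS, SAMPLE_NRPE_CFG):
        print("WARNING:", finding)
```

To check a real host, pass the contents of /etc/default/nagios-nrpe-server and /etc/nagios/nrpe.cfg to check() instead of the samples.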

