[Pkg-nagios-devel] Bug#914489: nagios-nrpe-plugin: SSL connections to "old" (as in Jessie) nagios-nrpe-server(s) broken

Alberto Gonzalez Iniesta agi at inittab.org
Fri Nov 23 20:26:03 GMT 2018

Package: nagios-nrpe-plugin
Version: 3.2.1-1~bpo9+1
Severity: important


After updating nagios-nrpe-plugin in my monitoring host to
3.2.1-1~bpo9+1 most of my monitored instances fail to be checked.
AFAICT only those running Stretch continue to work. The error from the
new nagios-nrpe-plugin is as follows:

Nov 23 21:08:29 XXXX check_nrpe: Error: (!log_opts) Could not complete SSL handshake with A.B.C.D: dh key too small

I tried disabling Anonymous Diffie Hellman with '-d 0' but in that case
it also fails to contact remote hosts with:
Nov 23 21:08:34 XXXX check_nrpe: Error: (!log_opts) Could not complete SSL handshake with A.B.C.D: sslv3 alert handshake failure

I could not find a combination of -d/-S/-2 that made possible to check
nagios-nrpe-server from Jessie or previous releases. This is a major
showstopper, since upgrading a monitoring host show not force someone to
update *all* their monitored hosts. And -2 is of no use if it cannot
check 2.x nagios-nrpe-servers.

Please fix this for Buster, or at least include a huge warning before
this hits those upgrading to Buster.

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nagios-nrpe-plugin depends on:
ii  libc6      2.24-11+deb9u3
ii  libssl1.1  1.1.0f-3+deb9u2

nagios-nrpe-plugin recommends no packages.

nagios-nrpe-plugin suggests no packages.

-- no debconf information

More information about the Pkg-nagios-devel mailing list