While working on moving Icinga to Buster in the parent task, it became clear that check_nrpe from Buster refuses to talk to nrpe server in Jessie due to too short DH params:
etcd1003;puppet last run;CRITICAL;SOFT;2;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.64.0.42: 1
Digging further this turns out to be too short dh params on the nrpe server side (from check_nrpe logs)
[1597742562] SSL Certificate File: None [1597742562] SSL Private Key File: None [1597742562] SSL CA Certificate File: None [1597742562] SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0 [1597742562] SSL Allow ADH: 1 [1597742562] SSL Log Options: 0xff [1597742562] SSL Version: TLSv1_plus And Above [1597742562] Connected to 10.64.0.42 [1597742562] Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with 10.64.0.42: dh key too small
The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.