
nagios-nrpe-server in jessie not compatible with Buster version
Closed, ResolvedPublic

Description

While working on moving Icinga to Buster in the parent task, it became clear that check_nrpe from Buster refuses to talk to nrpe server in Jessie due to too short DH params:

etcd1003;puppet last run;CRITICAL;SOFT;2;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.64.0.42: 1

Digging further, this turns out to be too-short DH params on the nrpe server side (from check_nrpe logs):

[1597742562] SSL Certificate File: None
[1597742562] SSL Private Key File: None
[1597742562] SSL CA Certificate File: None
[1597742562] SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
[1597742562] SSL Allow ADH: 1
[1597742562] SSL Log Options: 0xff
[1597742562] SSL Version: TLSv1_plus And Above
[1597742562] Connected to 10.64.0.42
[1597742562] Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with 10.64.0.42: dh key too small

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.
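An added example, not part of the task or of the nrpe package: a small Python audit helper that pulls the affected hosts out of Icinga service lines and check_nrpe debug output in the two formats quoted above, and encodes OpenSSL 1.1's default security-level rule for ephemeral DH, which still refuses groups below 1024 bits at level 0 and is why @SECLEVEL=0 in the cipher list above could not get past a 512-bit server group. Host names and IPs in the sample lines other than 10.64.0.42 are constructed.

```python
import re

# Constructed sample input in the two formats quoted in the task (hosts and IPs other
# than 10.64.0.42 are made up): Icinga service lines and check_nrpe debug log lines.
ICINGA_LINES = [
    "etcd1003;puppet last run;CRITICAL;SOFT;2;CHECK_NRPE: (ssl_err != 5) Error - "
    "Could not complete SSL handshake with 10.64.0.42: 1",
    "scb2001;puppet last run;OK;HARD;1;OK: Puppet is currently enabled",
    "mwlog1001;disk space;CRITICAL;HARD;3;CHECK_NRPE: (ssl_err != 5) Error - "
    "Could not complete SSL handshake with 10.64.16.9: 1",
]
CHECK_NRPE_LOG = [
    "[1597742562] Connected to 10.64.0.42",
    "[1597742562] Error: (ERR_get_error_line_data = 337260938), "
    "Could not complete SSL handshake with 10.64.0.42: dh key too small",
]
HANDSHAKE_RE = re.compile(r"Could not complete SSL handshake with (\d+(?:\.\d+){3})(?:: (.*))?$")

def handshake_failures(lines):
    """host -> NRPE peer IP for each Icinga service (host;service;state;type;attempt;output)
    whose plugin output is the check_nrpe SSL handshake error."""
    failing = {}
    for line in lines:
        host, _service, _state, _type, _attempt, output = line.split(";", 5)
        m = HANDSHAKE_RE.search(output)
        if m:
            failing[host] = m.group(1)
    return failing

def dh_key_too_small_peers(log_lines):
    """Peer IPs whose failed handshake check_nrpe's debug log attributes to 'dh key too small'."""
    matches = (HANDSHAKE_RE.search(line) for line in log_lines)
    return {m.group(1) for m in matches if m and m.group(2) == "dh key too small"}

def dh_security_bits(prime_bits):
    """OpenSSL's BN_security_bits() mapping for a finite-field DH prime of prime_bits bits."""
    for threshold, sec in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if prime_bits >= threshold:
            return sec
    return 0

def openssl11_accepts_dh(prime_bits, seclevel):
    """Mirror OpenSSL 1.1's default security callback for a server's ephemeral DH group:
    even @SECLEVEL=0 refuses DH under 80 security bits (a 1024-bit prime), so a 512-bit
    group fails with 'dh key too small' whatever SECLEVEL the cipher string sets."""
    minimum = {0: 80, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}[seclevel]
    return dh_security_bits(prime_bits) >= minimum
```

Run `handshake_failures` over an Icinga status export to list the hosts still on the 512-bit package, and `openssl11_accepts_dh(2048, 2)` shows that a 2048-bit rebuild also survives the stricter Buster default of SECLEVEL=2.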

Event Timeline

That rings a bell, we've seen similar issues before: https://phabricator.wikimedia.org/T157853

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.

Not sure if that's an option (given that SSL support was rewritten between 2 and 3), but we could build nagios-nrpe 3 (as in stretch) for jessie-wikimedia? Sucks, but I don't think there's a better solution unless we hold back the Icinga update to Buster until jessie is complete (which seems unlikely to happen this Q).

My naive idea was to literally rebuild nrpe-server with larger DH params (no idea if that's a thing or even if jessie openssl would be happy about it). Although I guess a rebuild of stretch's version of nrpe-server on jessie is faster to test so I'll try that first!

Unsurprisingly nrpe-server 3.2 won't link with openssl 1.0 (in jessie):

make[1]: Leaving directory '/build/nagios-nrpe-3.2.1'
   debian/rules override_dh_auto_build
make[1]: Entering directory '/build/nagios-nrpe-3.2.1'
dh_auto_build -- all
	make -j1 all
make[2]: Entering directory '/build/nagios-nrpe-3.2.1'
cd ./src/; make
make[3]: Entering directory '/build/nagios-nrpe-3.2.1/src'
gcc -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I/usr/include/openssl -DHAVE_CONFIG_H -I ../include -I ./../include -o nrpe ./nrpe.c ./utils.c ./acl.c -fPIE -pie -Wl,-z,relro -Wl,-z,now -L/usr/lib/x86_64-linux-gnu  -lssl -lcrypto -lnsl -lwrap  
/tmp/cc8ecNbg.o: In function `get_dh2048':
/build/nagios-nrpe-3.2.1/src/./../include/dh.h:46: undefined reference to `DH_set0_pqg'
collect2: error: ld returned 1 exit status
Makefile:48: recipe for target 'nrpe' failed
make[3]: *** [nrpe] Error 1
make[3]: Leaving directory '/build/nagios-nrpe-3.2.1/src'
Makefile:65: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/build/nagios-nrpe-3.2.1'
dh_auto_build: make -j1 all returned exit code 2
debian/rules:29: recipe for target 'override_dh_auto_build' failed

jijiki triaged this task as Medium priority. Aug 25 2020, 12:29 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:39:16Z] <godog> test nagios-nrpe-server with dh 2048 on scb2001 - T261198

This actually worked: I replaced the get_dh512 function in src/nrpe.c and the openssl dhparam in configure{,.in} to use 2048 bits instead, and it seems to work! No errors reported AFAICT and all checks are green for scb2001 on icinga1001.

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:56:07Z] <godog> upgrade nagios-nrpe-server on scb2* and mwlog* - T261198

I've uploaded nagios-nrpe-server 2.15-2 to jessie-wikimedia and upgraded on the hosts above for some "baking"; I'll complete the upgrade tomorrow.

fgiunchedi moved this task from Backlog to Doing on the User-fgiunchedi board.

Mentioned in SAL (#wikimedia-operations) [2020-08-26T12:12:50Z] <godog> upgrade nagios-nrpe-server to 2.15-2 on jessie hosts - T261198

fgiunchedi closed this task as Resolved. Aug 26 2020, 12:36 PM
fgiunchedi claimed this task.