Page MenuHomePhabricator
Create Task
Maniphest T261198

nagios-nrpe-server in jessie not compatibile with Buster version
Closed, ResolvedPublic
Actions

Description

While working on moving Icinga to Buster in the parent task, it became clear that check_nrpe from Buster refuses to talk to nrpe server in Jessie due to too short DH params:

etcd1003;puppet last run;CRITICAL;SOFT;2;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.64.0.42: 1

Digging further this turns out to be too short dh params on the nrpe server side (from check_nrpe logs)

[1597742562] SSL Certificate File: None
[1597742562] SSL Private Key File: None
[1597742562] SSL CA Certificate File: None
[1597742562] SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
[1597742562] SSL Allow ADH: 1
[1597742562] SSL Log Options: 0xff
[1597742562] SSL Version: TLSv1_plus And Above
[1597742562] Connected to 10.64.0.42
[1597742562] Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with 10.64.0.42: dh key too small

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.

Related Objects
Search...

Event Timeline

fgiunchedi created this task.Aug 25 2020, 10:19 AM
MoritzMuehlenhoff subscribed.Aug 25 2020, 11:39 AM

That rings a bell, we've seen similar issues before: https://phabricator.wikimedia.org/T157853

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.

Not sure if that's an option (given that SSL support was rewritten between 2 and 3, but we could build nagios-nrpe 3 (as in stretch) for jessie-wikimedia? Sucks, but I don't think there's a better solution unless we hold back the Icinga update to Buster to jessie is complete (which seems unlikely to happen this Q.

MoritzMuehlenhoff added a project: SRE.Aug 25 2020, 11:46 AM
fgiunchedi added a comment.Aug 25 2020, 12:07 PM
In T261198#6408841, @MoritzMuehlenhoff wrote:

That rings a bell, we've seen similar issues before: https://phabricator.wikimedia.org/T157853

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.

Not sure if that's an option (given that SSL support was rewritten between 2 and 3, but we could build nagios-nrpe 3 (as in stretch) for jessie-wikimedia? Sucks, but I don't think there's a better solution unless we hold back the Icinga update to Buster to jessie is complete (which seems unlikely to happen this Q.

My naive idea was to literally rebuild nrpe-server with larger DH params (no idea if that's a thing or even if jessie openssl would be happy about it). Although I guess a rebuild of stretch's version of nrpe-server on jessie is faster to test so I'll try that first!

fgiunchedi added a comment.Aug 25 2020, 12:19 PM
In T261198#6408898, @fgiunchedi wrote:
In T261198#6408841, @MoritzMuehlenhoff wrote:

That rings a bell, we've seen similar issues before: https://phabricator.wikimedia.org/T157853

The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.

Not sure if that's an option (given that SSL support was rewritten between 2 and 3, but we could build nagios-nrpe 3 (as in stretch) for jessie-wikimedia? Sucks, but I don't think there's a better solution unless we hold back the Icinga update to Buster to jessie is complete (which seems unlikely to happen this Q.

My naive idea was to literally rebuild nrpe-server with larger DH params (no idea if that's a thing or even if jessie openssl would be happy about it). Although I guess a rebuild of stretch's version of nrpe-server on jessie is faster to test so I'll try that first!

Unsurpringly nrpe-server 3.2 won't link with openssl 1.0 (in jessie)

make[1]: Leaving directory '/build/nagios-nrpe-3.2.1'
   debian/rules override_dh_auto_build
make[1]: Entering directory '/build/nagios-nrpe-3.2.1'
dh_auto_build -- all
	make -j1 all
make[2]: Entering directory '/build/nagios-nrpe-3.2.1'
cd ./src/; make
make[3]: Entering directory '/build/nagios-nrpe-3.2.1/src'
gcc -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I/usr/include/openssl -DHAVE_CONFIG_H -I ../include -I ./../include -o nrpe ./nrpe.c ./utils.c ./acl.c -fPIE -pie -Wl,-z,relro -Wl,-z,now -L/usr/lib/x86_64-linux-gnu  -lssl -lcrypto -lnsl -lwrap  
/tmp/cc8ecNbg.o: In function `get_dh2048':
/build/nagios-nrpe-3.2.1/src/./../include/dh.h:46: undefined reference to `DH_set0_pqg'
collect2: error: ld returned 1 exit status
Makefile:48: recipe for target 'nrpe' failed
make[3]: *** [nrpe] Error 1
make[3]: Leaving directory '/build/nagios-nrpe-3.2.1/src'
Makefile:65: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/build/nagios-nrpe-3.2.1'
dh_auto_build: make -j1 all returned exit code 2
debian/rules:29: recipe for target 'override_dh_auto_build' failed
jijiki triaged this task as Medium priority.Aug 25 2020, 12:29 PM
Stashbot added a comment.Aug 25 2020, 12:39 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:39:16Z] <godog> test nagios-nrpe-server with dh 2048 on scb2001 - T261198

fgiunchedi added a comment.Aug 25 2020, 12:45 PM
In T261198#6409003, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:39:16Z] <godog> test nagios-nrpe-server with dh 2048 on scb2001 - T261198

This actually worked, I replaced the get_dh512 function in src/nrpe.c and the openssl dhparam in configure{,.in} to use 2048 bits instead, and it seems to work! No errors reported AFAICT and all checks are green for scb2001 on icinga1001

Stashbot added a comment.Aug 25 2020, 12:56 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:56:07Z] <godog> upgrade nagios-nrpe-server on scb2* and mwlog* - T261198

fgiunchedi added a comment.Aug 25 2020, 12:58 PM
In T261198#6409081, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2020-08-25T12:56:07Z] <godog> upgrade nagios-nrpe-server on scb2* and mwlog* - T261198

I've uploaded nagios-nrpe-server 2.15-2 to jessie-wikimedia and upgraded on the hosts above for some "baking", I'll complete the upgrade tomorrow

fgiunchedi added a project: User-fgiunchedi.Aug 25 2020, 12:58 PM
fgiunchedi moved this task from Backlog to Doing on the User-fgiunchedi board.
Stashbot added a comment.Aug 26 2020, 12:12 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-26T12:12:50Z] <godog> upgrade nagios-nrpe-server to 2.15-2 on jessie hosts - T261198

fgiunchedi closed this task as Resolved.Aug 26 2020, 12:36 PM
fgiunchedi claimed this task.
herron awarded a token.Aug 26 2020, 3:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL