While working on moving Icinga to Buster in the parent task, it became clear that check_nrpe from Buster refuses to talk to nrpe server in Jessie due to too short DH params:
etcd1003;puppet last run;CRITICAL;SOFT;2;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.64.0.42: 1
Digging further this turns out to be too short dh params on the nrpe server side (from check_nrpe logs)
 SSL Certificate File: None  SSL Private Key File: None  SSL CA Certificate File: None  SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0  SSL Allow ADH: 1  SSL Log Options: 0xff  SSL Version: TLSv1_plus And Above  Connected to 10.64.0.42  Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with 10.64.0.42: dh key too small
The nagios-nrpe-server in Jessie seems to embed DH params of 512 bits. I guess a "solution" would be to rebuild internally a Jessie version of the package with 2048 DH params instead.