Building NRPE on Solaris 10 with SSL Support

Solaris 10 ships OpenSSL as part of the OS distribution, in /usr/sfw. It appears that they have removed some of the ciphers in order to be compliant with export restrictions. Unfortunately, that throws a wrench in things when you want your Solaris Nagios server to use the Nagios Remote Plugin Executor (NRPE) to securely talk to other hosts. In my case, my Nagios server is a Sun T2000 and I’m referring to NRPE version 2.12. Newer versions may fix these issues.

First, I built NRPE 2.12 with:

./configure --with-ssl-lib=/usr/sfw/lib \
    --with-ssl-inc=/usr/sfw/include --with-ssl=/usr/sfw \
    --prefix=/opt/whatever

Once that was done, the error I was getting on the target Linux host (in /var/log/messages) was the ultra-informative:

Error: Could not complete SSL handshake. 5

I checked that I could telnet to port 5666 on the host to be monitored, and got a connection. If that hadn’t worked, I’d have made sure that my firewalls were set up correctly, that /etc/hosts.allow had a line authorizing the Nagios server, and that nrpe.cfg permitted the Nagios server to connect.

Then I checked that I could start NRPE on the host to be monitored with the -n flag to disable SSL, and was able to run check_nrpe manually with the -n flag and have it work.

It ultimately appeared to be an SSL issue. Everything worked except when I enabled SSL.

There appear to be two fixes. First, you can install the export-controlled SUNWcry and SUNWcryr packages and get those additional ciphers, which theoretically fixes the problem. For various reasons I chose the second fix suggested by Jim Pirzyk in the Nagios FAQs: change the source. Line 152 of check_nrpe.c goes from:

SSL_CTX_set_cipher_list(ctx,"ADH");

to

SSL_CTX_set_cipher_list(ctx,"ADH:-ADH-AES256-SHA");

This tells OpenSSL not to try the 256-bit AES ciphers, which aren’t there. Additionally, to get nrpe to build you need to comment out lines 616-619 of nrpe.c:

/*      else if(!strcmp(varvalue,"authpriv"))
                log_facility=LOG_AUTHPRIV;
        else if(!strcmp(varvalue,"ftp"))
                log_facility=LOG_FTP; */

Those log facilities aren’t supported on Solaris.
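Rather than commenting those lines out, the portable way to keep them is to compile them only when `<syslog.h>` actually defines the facility macros. The following is an added example written for this page, not NRPE’s own code: a lookup that maps an nrpe.cfg log_facility value to a syslog facility, guards LOG_AUTHPRIV and LOG_FTP with #ifdef, and reports when the configured facility is unavailable on the build platform instead of silently dropping it. The parse_log_facility function, its return codes and the fallback facilities are this example’s own choices, not anything from the NRPE source.

```c
/* Added example (not NRPE's code): map a log_facility name to a syslog
 * facility without deleting entries that some platforms lack.  Facilities
 * the platform's <syslog.h> does not define are compiled out with #ifdef
 * guards, so the same source builds on Solaris 10 and on Linux. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Return codes; names chosen for this example. */
#define FACILITY_OK          0   /* name recognised and supported here        */
#define FACILITY_UNSUPPORTED 1   /* name recognised, but this platform lacks it */
#define FACILITY_UNKNOWN     2   /* name not recognised at all                 */

struct facility_entry {
    const char *name;
    int         value;      /* facility to use                         */
    int         supported;  /* 0 when value is only a nearest fallback */
};

/* POSIX facilities are listed unconditionally; the two that the page says
 * Solaris 10 lacks are guarded and fall back to a related facility. */
static const struct facility_entry facility_table[] = {
    { "kern",     LOG_KERN,   1 },
    { "user",     LOG_USER,   1 },
    { "mail",     LOG_MAIL,   1 },
    { "daemon",   LOG_DAEMON, 1 },
    { "auth",     LOG_AUTH,   1 },
    { "lpr",      LOG_LPR,    1 },
    { "news",     LOG_NEWS,   1 },
    { "uucp",     LOG_UUCP,   1 },
    { "cron",     LOG_CRON,   1 },
#ifdef LOG_AUTHPRIV
    { "authpriv", LOG_AUTHPRIV, 1 },
#else
    { "authpriv", LOG_AUTH,     0 },  /* fallback chosen for this example */
#endif
#ifdef LOG_FTP
    { "ftp",      LOG_FTP,      1 },
#else
    { "ftp",      LOG_DAEMON,   0 },  /* fallback chosen for this example */
#endif
    { "local0",   LOG_LOCAL0, 1 },
    { "local1",   LOG_LOCAL1, 1 },
    { "local2",   LOG_LOCAL2, 1 },
    { "local3",   LOG_LOCAL3, 1 },
    { "local4",   LOG_LOCAL4, 1 },
    { "local5",   LOG_LOCAL5, 1 },
    { "local6",   LOG_LOCAL6, 1 },
    { "local7",   LOG_LOCAL7, 1 },
};

/* Look up `name`, store the facility to use in *facility and report whether
 * it is the real one, a fallback, or unknown.  Unknown names get LOG_DAEMON,
 * the default this example uses. */
int parse_log_facility(const char *name, int *facility)
{
    size_t i;
    for (i = 0; i < sizeof facility_table / sizeof facility_table[0]; i++) {
        if (strcmp(name, facility_table[i].name) == 0) {
            *facility = facility_table[i].value;
            return facility_table[i].supported ? FACILITY_OK
                                               : FACILITY_UNSUPPORTED;
        }
    }
    *facility = LOG_DAEMON;
    return FACILITY_UNKNOWN;
}

int main(void)
{
    const char *names[] = { "daemon", "authpriv", "ftp", "bogus" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int fac = -1;
        int rc = parse_log_facility(names[i], &fac);
        printf("%-9s -> facility %d (%s)\n", names[i], fac,
               rc == FACILITY_OK ? "ok" :
               rc == FACILITY_UNSUPPORTED ? "unsupported here, using fallback"
                                          : "unknown, using default");
    }
    return 0;
}
```

Built on Solaris 10, the authpriv and ftp rows compile to the fallback entries and return FACILITY_UNSUPPORTED, so the daemon can warn at start-up that the configured facility was substituted; on Linux the same source returns the real facilities, and nothing has to be commented out per platform.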

I’ve attached a patch for both issues. You can apply it to the 2.12 source with:

cd nrpe-2.12; gpatch -p1 < nrpe-2.12.solaris10.patch

I’ll likely send this along to the NRPE folks. At any rate, here’s hoping you don’t beat your head against this as hard as I did.

4 thoughts on “Building NRPE on Solaris 10 with SSL Support”

  1. Thanks for the advice!

    We found we also needed to apply this patch:

    — nrpe-2.12.original//src/check_nrpe.c Wed Aug 6 11:16:13 2008
    +++ nrpe-2.12/src/check_nrpe.c Wed Aug 6 11:20:15 2008
    @@ -149,7 +149,8 @@
    /* do SSL handshake */
    if(result==STATE_OK && use_ssl==TRUE){
    if((ssl=SSL_new(ctx))!=NULL){
    – SSL_CTX_set_cipher_list(ctx,”ADH”);
    + /* Altinity patch: Remove AES256 to remove dependency on SUNWcry(r) packages */
    + SSL_CTX_set_cipher_list(ctx,”ADH:-ADH-AES256-SHA”);
    SSL_set_fd(ssl,sd);
    if((rc=SSL_connect(ssl))!=1){
    printf(“CHECK_NRPE: Error – Could not complete SSL handshake.n”);
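Review bot: As posted, this hunk will not apply cleanly: the removed line `– SSL_CTX_set_cipher_list(ctx,”ADH”);` carries an en-dash instead of the `-` marker, the string literals use curly quotes, the indentation that gpatch matches context lines against has been stripped, and `handshake.n”` has lost the backslash of `\n`. Re-post it as plain ASCII (or attach the file) so `gpatch -p1` can use it. Note also that this hunk changes only the client in check_nrpe.c; the daemon’s nrpe.c is not touched by it.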

    … to NRPE daemon so that other Nagios servers which support AES256 could still communicate over SSL to NRPE on a Solaris host.

  2. Thanks Bob, your solution helped me get the following command executed correctly

    [root@solaris10 ~]# /usr/local/nagios/libexec/check_nrpe -H localhost
    NRPE v2.12

    But, when I run check_nrpe from nagios server (RHEL5) to this remote solaris 10 server, it still failed.

    [root@rhel5 ~]# /usr/local/nagios/libexec/check_nrpe -H 192.168.78.104
    CHECK_NRPE: Error – Could not complete SSL handshake.

    Thanks a lot for your solution; would you please help me have a look into this error!

    To Ton, I didn’t understand what you stated; would you please give more detail or a description? Sorry!

  3. When compiling I’m getting errors like

    no acceptable C Compiler found in $PATH,

    Will there be any specific config changes that need to be made for the C compiler, or does a C compiler need to be installed?
