Control: tags -1 unreproducible moreinfo Hi Adam,
Thanks for reporting this issue. Unfortunately I cannot reproduce it. On 12/26/2016 09:06 PM, Adam Di Carlo wrote: > Given a situation where a debian/stable (Jessie) server is polling an > NRPE node running the latest unstable NRPE server, with all debugging > enabled (ssl_logging=-1), I am getting the following segfault, as reported in > /var/log/syslog: > > Dec 26 14:49:38 salsa nrpe[14736]: Connection from 192.168.1.5 port 59564 > Dec 26 14:49:38 salsa nrpe[14736]: Host address is in allowed_hosts > Dec 26 14:49:38 salsa kernel: [176235.037105] nrpe[14736]: segfault at > 50000335 ip 00007fd44f408496 sp 00007ffd5abfb418 error 4 in > libc-2.24.so[7fd44f388000+195000] > > However, if I rachet down the SSL debugging, e.g., ssl_logging=0x03, > the segfault disappears. To help reproduce this issue, can you clarify how nagios-nrpe-server is configured. I assume that you configured SSL before removing the -n option of the nrpe daemon? Do you use a CA certificate, or self-signed? -- System Information: > -- Configuration Files: > /etc/default/nagios-nrpe-server changed: > USE_SSL=1 Please note that the /etc/default/nagios-nrpe-server changed in nagios-nrpe (3.0.1-3) because of the systemd service file. The USE_SSL option is no longer used, instead the NRPE_OPTS variable is used to disable SSL in both the init script and systemd service file. The default content is now as attached. > /etc/nagios/nrpe.cfg changed: > log_facility=daemon > debug=1 > pid_file=/var/run/nagios/nrpe.pid > server_port=5666 > nrpe_user=nagios > nrpe_group=nagios > allowed_hosts=127.0.0.1,192.168.1.5 > dont_blame_nrpe=1 > allow_bash_command_substitution=0 > command_timeout=60 > connection_timeout=300 > ssl_version=SSLv2+ > ssl_logging=-1 It doesn't look like you configured SSL, but you did enable the feature. To use SSL in NRPE 3.x you'll need to configure at least a certificate file (ssl_cert_file) and its key (ssl_privatekey_file), e.g. for the snakeoil certificate generated by the ssl-cert package: ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem ssl_privatekey_file=/etc/ssl/private/ssl-cert-snakeoil.key For proper SSL certificates you also need to configure the path to the CA certificate (including intermediate certificates) in ssl_cacert_file. Also note that setting dont_blame_nrpe=1 has no effect, the package is not configured with --enable-command-args. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
# defaults file for nagios-nrpe-server # (this file is a /bin/sh compatible fragment) # NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the # nrpe daemon. # # The -n option disables SSL support. # Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg! # See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions. NRPE_OPTS="-n" # NICENESS is if you want to run the server at a different nice() priority. # (only used by the init script) #NICENESS=5 # INETD is if you want to run the server via inetd (default=0, run as daemon). # (only used by the init script) #INETD=0