On 2020/11/18 17:06, (a user) wrote off-list:
> Hello,
>
> I found your coordinates on openports.se Website and a few other mailing
> lists with topic about nrpe on OpenBSD.

For ports that do not have a maintainer, it is better to write to ports@openbsd.org. I am replying there and BCC'ing you so that others can benefit from it too while not disclosing your identity if you don't want to.

> I would like to report a few troubles about using nrpe on OpenBSD6.8.
>
> I installed the "official" package with
> # pkg_add nrpe
>
> After I set the options I find myself unable to link with my Nagios server
> running Nagios4 on Debian10.
> CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake
>
> Everything looks set as it should so there is no obvious reason, starting the
> daemon with -n to disable the ssl support works fine.
>
> Could this be a trouble with the openssl version?
>
> On this regard, why use an additional ssl library instead of the system one ?
>
> The package itself uses a fairly old version of nrpe, could it be updated to
> something newer ?
>
>
> Thank you for your time.
>

NRPE before 3.x requires anonymous DH and 512-bit keys which aren't available in the ssl/tls libraries in the base system.

NRPE 3.x/4.x support more "normal" crypto but there's a cross compatibility problem: if we update then it will break existing installations, both server and clients need to be updated together.

A newer version could be added as a separate port but I'm not sure it is a good idea to encourage any new use of NRPE. Upstream stopped development now, "Notice: As of NRPE version 4.0.1, this project is deprecated. It will not receive any more bugfixes or features, except to resolve security issues."

Upstream suggests using NCPA instead but they don't have agents for BSDs.

For some of the things that NRPE might be used for, you can use the manubulon-snmp check_snmp_* scripts instead (you would run snmpd or net-snmp on the monitored device) - this can use sensible crypto via SNMPv3 and supports checking disk space, memory, network interface bandwidth, etc.

And honestly, the less of nagios' code that is exposed to the network, the better... (maybe it would be better if we just delete the nrpe port...)