On Wed, November 18, 2020 10:57 am, Stuart Henderson wrote: > On 2020/11/18 17:06, (a user) wrote off-list: >> Hello, >> >> I found your coordinates on openports.se Website and and few other >> mailing lists with topic >> about nrpe on OpenBSD. > > For ports that do not have a maintainer, it is better to write to > ports@openbsd.org. I am replying there and BCC'ing you so that > others can benefit from it too while not disclosing your identity > if you don't want to. > >> I would like to report a few troubles about using nrpe on OpenBSD6.8. >> >> I installed the "official" package with >> # pkg_add nrpe >> >> After I set the options I find myself unable to link with my Nagios >> server running Nagios4 on >> Debian10. >> CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake >> >> Everything looks set as it should so there is no obvious reason, >> starting the deamon with -n to >> disable the ssl support works fine. >> >> Could this be a trouble with the openssl version? >> >> On this regard, why use an additional ssl library instead of the system >> one ? >> >> The package itself uses a fairy old version of nrpe, could it be updated >> to something newer ? >> >> >> Thank you for your time. >> > > NRPE before 3.x requires anonymous DH and 512-bit keys which aren't > available in the ssl/tls libraries in the base system. > > NRPE 3.x/4.x support more "normal" crypto but there's a cross > compatibility problem, if we update then it will break existing > installations, both server and clients need to be updated together. > > A newer version could be added as a separate port but I'm not sure it > is a good idea to encourage any new use of NRPE. Upstream stopped > development now, "Notice: As of NRPE version 4.0.1, this project is > deprecated. It will not receive any more bugfixes or features, except to > resolve security issues." >
In case the OP is on the list, I submitted an update using libressl about a year ago. Check the archives. By the time I looked at modifying as a separate port, NRPE was deprecated so I never bothered. I do still use it on my work OpenBSD systems.
