CHECK_NRPE: Error - Could not complete SSL handshake - NSClient++ version: 0.6.0.1 #825

Open
AntMCE opened this issue Feb 6, 2024 · 3 comments

AntMCE commented Feb 6, 2024

Describe your issue and tell us how to reproduce it.
CHECK_NRPE: Error - Could not complete SSL handshake

PLEASE PROVIDE COMMAND HERE
check_nrpe -H x.x.x.x -p 5666 -u -t 180 -c CheckCPU -a warn=85 crit=90 time=10s

Expected Behavior

Should read check value output

  • NSClient++ version: 0.6.0.1
  • OS and Version: Windows Server 2012
  • Checking from: Shinken installed on centos6 with OpenSSL 1.0.2k-fips
  • Checking with: check_nrpe

Additional Details

[/settings/NRPE/server]

ssl options =

port = 5666

insecure = true

verify mode = none

allow nasty characters = true

allow arguments = true

use ssl = true

NSClient++ log:

nscp failed to establish secure connection: unsupported protocol

@Prathameshhankare

@AntMCE, I am not sure if your issue was similar to mine. I used CentOS 7, on which the check_nrpe command worked with no issue; however, after I migrated to Ubuntu 22.04, check_nrpe threw the same error you mentioned. To mitigate the problem I had to change the DH key size on my Windows server to 2048 bit instead of the default 512 bit. Since I am monitoring 1000+ domain controllers (Windows Servers), I could not make the change manually, hence I created a PowerShell script that does the work for me. Check out my GitHub repository if the script can help you as well.

https://github.com/Prathameshhankare/nsclientpp_dh-key-updater


rvva commented Oct 10, 2024

The problem is that version 0.6.0.1 supports NRPE v3/4 and the Windows installer implements a 512-bit DH key which is not supported by NRPE v3:
nrpe-v3-enhanced-security

So users should manually deploy the 2048-bit DH key and place it in C:\Program Files\NSClient++\security\ and add a reference to this key in the ini file instead of the 512-bit key, and finally restart the nscp service.

cd "C:\Program Files\NSClient++\security\"
nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"
net stop nscp && net start nscp

I think the package maintainer should add the 2048-bit key as the default key instead of the 512-bit key.
If someone else wants to use a 512-bit key, they should use version 0.5.X or lower. 512-bit keys should not be used in 2024. They cannot be supported forever.


pozda2 commented Feb 7, 2025

Yes, it would be a good idea for the installation package to at least generate the nrpe_dh_2048.pem file. If it were the default, it would be even better.
