[Nagiosplug-help] What needs to be done to enable key- and certificate-less SSL handshake with NRPE?
Ralph.Grothe at itdz-berlin.de
Tue Dec 12 14:55:43 CET 2006
Hello Plugin Experts,
I have just built an nrpe binary from the sources on a Linux RH box, where I adventurously gave configure the --enable-ssl switch. Thus my nrpe binary identifies as
# /usr/lib/nagios/sbin/nrpe -V 2>&1|grep -Ei version\|ssl
Version: 2.0
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
I set it up to be spawned by xinetd.
When I run a check command defined in nrpe.cfg locally for testing, the check_nrpe client seems to be unable to initiate a TLS session with the nrpe daemon.
# /usr/lib/nagios/plugins/check_nrpe -H localhost -c check_heartbeat
CHECK_NRPE: Error - Could not complete SSL handshake.
Unfortunately the annotations in README.SSL (the only source of information I could locate) are ridiculously terse and don't explain to me what is required to set up the grounds for a successful handshake.
The README.SSL merely states that the provided dh.h header file could be created by "openssl dhparam -C 512 > dh.h".
Visiting the manpages of openssl as well as dhparam didn't bring any further enlightenment to me, apart from that dh obviously stands for Diffie-Hellman.
Since I haven't studied computer science nor applied cryptography, this isn't at all meaningful to me.
What is one expected to do with the function definitions in dh.h?
The -h help screens of neither nrpe nor its client check_nrpe give any clues as to what is required to secure the transport layer.
Also, the discovery of a key pair seems to take prohibitively long for an xinetd spawned daemon, so I wonder if nrpe shouldn't be run stand alone when ssl-enabled instead?
# time openssl dhparam -C 512 >/dev/null 2>&1
real 0m7.382s
user 0m7.340s
sys 0m0.010s
Regards
Ralph