OpenSSL 1.1.0e: Error: Could not complete SSL handshake

(sort of) fix for issue #119 Anonymous Diffie Hellman is not available in OpenSSL 1.1.x so if there's no certificates, it ends up with a "no shared cipher" error. It does the same thing if you specify `-d0` on the `check_nrpe` command line, which disables ADH. Logging for both nrpe and check_nrpe has been modified to include more information. For this issue in particular, the nrpe daemon checks for "no shared cipher" and puts out an additional log line stating: "Error: This could be because you have not specified certificate or ca-certificate files". So it's not really fixed (and it can't be) but the problem is better documented.
NagiosEnterprises · May 17, 2017 · dc3637f · dc3637f
1 parent 1eaed94
commit dc3637f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/src/check_nrpe.c b/src/check_nrpe.c
@@ -984,7 +984,7 @@ int connect_to_remote()
 	struct sockaddr addr;
 	struct in_addr *inaddr;
 	socklen_t addrlen;
-	int result, rc, ssl_err, ern;
+	int result, rc, ssl_err, ern, x, nerrs = 0;
 
 	/* try to connect to the host at the given port number */
 	if ((sd =
@@ -1023,7 +1023,6 @@ int connect_to_remote()
 		ssl_err = SSL_get_error(ssl, rc);
 
 		if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
-			int x, nerrs = 0;
 			rc = 0;
 			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
@@ -1034,9 +1033,16 @@ int connect_to_remote()
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
 					   rem_host, rc, ssl_err);
 
-		} else
-			logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
-				   rem_host, rc, ssl_err);
+		} else {
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
+					   rem_host, ERR_reason_error_string(x));
+				++nerrs;
+			}
+			if (nerrs == 0)
+				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
+						"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
+		}
 
 		if (ssl_err == 5) {
 			/* Often, errno will be zero, so print a generic message here */

diff --git a/src/nrpe.c b/src/nrpe.c
@@ -1863,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 #else
 	const SSL_CIPHER *c;
 #endif
+	const char *errmsg = NULL;
 	char      buffer[MAX_INPUT_BUFFER];
 	SSL      *ssl = (SSL*)ssl_ptr;
 	X509     *peer;
@@ -1880,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 			int       nerrs = 0;
 			rc = 0;
 			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				errmsg = ERR_reason_error_string(x);
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
-					   remote_host, ERR_reason_error_string(x));
+					   remote_host, errmsg);
+				if (errmsg && !strcmp(errmsg, "no shared cipher")) {
+					if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
+						logit(LOG_ERR, "Error: This could be because you have not "
+								"specified certificate or ca-certificate files");
+				}
 				++nerrs;
 			}
 			if (nerrs == 0)