Date: Tuesday, March 21, 2017 @ 09:57:21
Author: jgc
Revision: 217996
upgpkg: nrpe 3.0.1-4
OpenSSL 1.1
Added:
nrpe/trunk/nrpe-0010-opensslv110-strict.patch
nrpe/trunk/nrpe-0011-opensslv110-nosslv2.patch
Modified:
nrpe/trunk/PKGBUILD
-------------------------------------+
PKGBUILD | 16 +++-
nrpe-0010-opensslv110-strict.patch | 54 ++++++++++++++++
nrpe-0011-opensslv110-nosslv2.patch | 113 ++++++++++++++++++++++++++++++++++
3 files changed, 180 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-03-21 09:52:28 UTC (rev 217995)
+++ PKGBUILD 2017-03-21 09:57:21 UTC (rev 217996)
@@ -4,7 +4,7 @@
pkgname=nrpe
pkgver=3.0.1
-pkgrel=3
+pkgrel=4
pkgdesc="Nagios Remote Plugin Executor"
arch=('i686' 'x86_64')
license=('GPL')
@@ -13,9 +13,19 @@
install=$pkgname.install
backup=('etc/nrpe/nrpe.cfg' 'etc/xinetd.d/nrpe')
url="https://github.com/NagiosEnterprises/nrpe";
-source=(https://github.com/NagiosEnterprises/nrpe/releases/download/$pkgver/$pkgname-$pkgver.tar.gz)
-md5sums=('8c81f251d9ee0903e5ff0191e99f7981')
+source=(https://github.com/NagiosEnterprises/nrpe/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
+ nrpe-0010-opensslv110-strict.patch
+ nrpe-0011-opensslv110-nosslv2.patch)
+sha256sums=('8f56da2d74f6beca1a04fe04ead84427e582b9bb88611e04e290f59617ca3ea3'
+ '58ca691a11f5005631f4e940daa18c344b3d2f322184506d63cc1eb2633d30a3'
+ 'e4383c8261b7097a46d8fe54c97391767a4ef0107d551f55d71940469f5e433f')
+prepare() {
+ cd $pkgname-$pkgver
+ patch -Np1 -i ../nrpe-0010-opensslv110-strict.patch
+ patch -Np1 -i ../nrpe-0011-opensslv110-nosslv2.patch
+}
+
build() {
cd $pkgname-$pkgver
Added: nrpe-0010-opensslv110-strict.patch
===================================================================
--- nrpe-0010-opensslv110-strict.patch (rev 0)
+++ nrpe-0010-opensslv110-strict.patch 2017-03-21 09:57:21 UTC (rev 217996)
@@ -0,0 +1,54 @@
+diff -up ./src/check_nrpe.c.opensslv110 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110 2017-02-07 11:08:23.647733686 -0500
++++ ./src/check_nrpe.c 2017-02-07 12:44:22.314160593 -0500
+@@ -980,9 +980,10 @@ int connect_to_remote()
+ if (peer) {
+ if (sslprm.log_opts & SSL_LogIfClientCert)
+ syslog(LOG_NOTICE, "SSL %s has %s
certificate",
+- rem_host, peer->valid ? "a
valid" : "an invalid");
++ rem_host,
SSL_get_verify_result(ssl) ? "a valid" : "an invalid");
+ if (sslprm.log_opts & SSL_LogCertDetails) {
+- syslog(LOG_NOTICE, "SSL %s Cert Name:
%s", rem_host, peer->name);
++
X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
++ syslog(LOG_NOTICE, "SSL %s Cert Name:
%s", rem_host, buffer);
+
X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL %s Cert Issuer:
%s", rem_host, buffer);
+ }
+@@ -1427,7 +1428,7 @@ int verify_callback(int preverify_ok, X5
+ ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++ X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
+
+ if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
+ && (sslprm.log_opts & SSL_LogCertDetails)) {
+diff -up ./src/nrpe.c.opensslv110 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110 2016-09-08 12:18:58.000000000 -0400
++++ ./src/nrpe.c 2017-02-07 12:42:35.667799987 -0500
+@@ -614,7 +614,7 @@ int verify_callback(int preverify_ok, X5
+ ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++ X509_NAME_oneline(err_cert, issuer, 256);
+
+ if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) {
+ syslog(LOG_ERR, "SSL Client has an invalid certificate: %s
(issuer=%s) err=%d:%s",
+@@ -1785,12 +1785,14 @@ int handle_conn_ssl(int sock, void *ssl_
+ peer = SSL_get_peer_certificate(ssl);
+
+ if (peer) {
++
+ if (sslprm.log_opts & SSL_LogIfClientCert)
+ syslog(LOG_NOTICE, "SSL Client %s has %svalid
certificate",
+- remote_host, peer->valid ? "a " :
"an in");
++ remote_host, SSL_get_verify_result(ssl)
? "a " : "an in");
+ if (sslprm.log_opts & SSL_LogCertDetails) {
++ X509_NAME_oneline(X509_get_subject_name(peer),
buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL Client %s Cert Name:
%s",
+- remote_host, peer->name);
++ remote_host, buffer);
+ X509_NAME_oneline(X509_get_issuer_name(peer),
buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL Client %s Cert Issuer:
%s",
+ remote_host, buffer);
Added: nrpe-0011-opensslv110-nosslv2.patch
===================================================================
--- nrpe-0011-opensslv110-nosslv2.patch (rev 0)
+++ nrpe-0011-opensslv110-nosslv2.patch 2017-03-21 09:57:21 UTC (rev 217996)
@@ -0,0 +1,113 @@
+diff -up ./src/check_nrpe.c.opensslv110_nossl2 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110_nossl2 2017-02-07 13:51:02.848680596
-0500
++++ ./src/check_nrpe.c 2017-02-07 13:56:14.134901320 -0500
+@@ -64,7 +64,7 @@ int use_ssl = FALSE;
+
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+- SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
++ SSL_Ver_Invalid = 0, SSLv3=3, SSLv3_plus,
+ TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+
+@@ -402,11 +402,7 @@ int process_arguments(int argc, char **a
+ "overrides the
config file option.");
+ break;
+ }
+- if (!strcmp(optarg, "SSLv2"))
+- sslprm.ssl_min_ver = SSLv2;
+- else if (!strcmp(optarg, "SSLv2+"))
+- sslprm.ssl_min_ver = SSLv2_plus;
+- else if (!strcmp(optarg, "SSLv3"))
++ if (!strcmp(optarg, "SSLv3"))
+ sslprm.ssl_min_ver = SSLv3;
+ else if (!strcmp(optarg, "SSLv3+"))
+ sslprm.ssl_min_ver = SSLv3_plus;
+@@ -665,8 +661,8 @@ void usage(int result)
+ printf(" 2 = Force Anonymous Diffie Hellman\n");
+ printf(" <size> = Specify non-default payload size for
NSClient++\n");
+ printf
+- (" <ssl ver> = The SSL/TLS version to use. Can be
any one of: SSLv2 (only),\n");
+- printf(" SSLv2+ (or above), SSLv3 (only), SSLv3+
(or above),\n");
++ (" <ssl ver> = The SSL/TLS version to use. Can be
any one of: \n");
++ printf(" SSLv3 (only), SSLv3+ (or above),\n");
+ printf(" TLSv1 (only), TLSv1+ (or above
DEFAULT), TLSv1.1 (only),\n");
+ printf(" TLSv1.1+ (or above), TLSv1.2 (only),
TLSv1.2+ (or above)\n");
+ printf(" <cipherlist> = The list of SSL ciphers to use
(currently defaults\n");
+@@ -736,12 +732,6 @@ void setup_ssl()
+ sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ?
"Allow" : "Require"));
+ syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ switch (sslprm.ssl_min_ver) {
+- case SSLv2:
+- val = "SSLv2";
+- break;
+- case SSLv2_plus:
+- val = "SSLv2 And Above";
+- break;
+ case SSLv3:
+ val = "SSLv3";
+ break;
+@@ -779,10 +769,6 @@ void setup_ssl()
+ SSL_library_init();
+ meth = SSLv23_client_method();
+
+-# ifndef OPENSSL_NO_SSL2
+- if (sslprm.ssl_min_ver == SSLv2)
+- meth = SSLv2_client_method();
+-# endif
+ # ifndef OPENSSL_NO_SSL3
+ if (sslprm.ssl_min_ver == SSLv3)
+ meth = SSLv3_client_method();
+diff -up ./src/nrpe.c.opensslv110_nossl2 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110_nossl2 2017-02-07 13:51:02.849680580 -0500
++++ ./src/nrpe.c 2017-02-07 13:51:02.851680549 -0500
+@@ -109,7 +109,7 @@ int listen_queue_size = DEFAULT_LI
+
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+- SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
++ SSLv3=3, SSLv3_plus, TLSv1,
+ TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+
+@@ -278,10 +278,10 @@ void init_ssl(void)
+ }
+ }
+ }
+-# ifndef OPENSSL_NO_SSL2
+- if (sslprm.ssl_min_ver == SSLv2)
+- meth = SSLv2_server_method();
+-# endif
++
++
++
++
+ # ifndef OPENSSL_NO_SSL3
+ if (sslprm.ssl_min_ver == SSLv3)
+ meth = SSLv3_server_method();
+@@ -385,12 +385,6 @@ void log_ssl_startup(void)
+
1 ? "Accept" : "Require"));
+ syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ switch (sslprm.ssl_min_ver) {
+- case SSLv2:
+- vers = "SSLv2";
+- break;
+- case SSLv2_plus:
+- vers = "SSLv2 And Above";
+- break;
+ case SSLv3:
+ vers = "SSLv3";
+ break;
+@@ -796,11 +790,7 @@ int read_config_file(char *filename)
+ }
+
+ } else if (!strcmp(varname, "ssl_version")) {
+- if (!strcmp(varvalue, "SSLv2"))
+- sslprm.ssl_min_ver = SSLv2;
+- else if (!strcmp(varvalue, "SSLv2+"))
+- sslprm.ssl_min_ver = SSLv2_plus;
+- else if (!strcmp(varvalue, "SSLv3"))
++ if (!strcmp(varvalue, "SSLv3"))
+ sslprm.ssl_min_ver = SSLv3;
+ else if (!strcmp(varvalue, "SSLv3+"))
+ sslprm.ssl_min_ver = SSLv3_plus;
