Public bug reported:
I have an nsca-ng setup on localhost, with the only customization being a
'checker' identity configured in /etc/nsca-ng/nsca-ng.local.cfg:
    authorize "checker" {
        password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"
        hosts = ".*"
        services = ".*"
    }
and corresponding /etc/send_nsca.cfg:
    server = localhost
    identity = checker
    password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"
When I send a test message:
    /usr/share/doc/nsca-ng-client/examples/invoke_check -H localhost -S 'backup fresh' /usr/lib/nagios/plugins/check_dummy 2 "Failed"
the client fails with:
    send_nsca: [FATAL] Socket error (localhost (ID: UAM9O/A0)): Connection reset by peer
and the server (in syslog) reports:
    nsca-ng[28392]: Cannot retrieve client identity
I have an identical setup on an Ubuntu 18.04.1 server, where this works.
After taking TCP dumps on working and non-working servers (tcpdump -i lo
'port 5668' -w /tmp/send_nsca.log), I observe that the failing server
uses TLSv1.3, whereas the working server uses TLSv1.2.
The failing code can be seen at
https://github.com/weiss/nsca-ng/blob/master/src/common/tls.c#L636
Specifically, the OpenSSL SSL_get_psk_identity call
(https://www.openssl.org/docs/man1.0.2/man3/SSL_get_psk_identity.html)
is unexpectedly returning null.
I know zilch about TLS handshakes, but I noticed a comment in Zabbix's
TLS library (https://fossies.org/linux/zabbix/src/libs/zbxcrypto/tls.c)
that seems relevant:
    /* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
    /* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */
I'm running Ubuntu 18.10, nsca-ng 1.5-3 (also tried 1.5-2build2) and
openssl 1.1.1-1ubuntu2.1. The working server is Ubuntu 18.04.1, nsca-ng
1.5-2build2 and openssl 1.1.0g-2ubuntu4.3.
ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: nsca-ng-server 1.5-2build2
ProcVersionSignature: Ubuntu 4.18.0-13.14-generic 4.18.17
Uname: Linux 4.18.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Feb 11 14:02:33 2019
InstallationDate: Installed on 2018-11-28 (74 days ago)
InstallationMedia: Ubuntu-MATE 18.10 "Cosmic Cuttlefish" - Release amd64
(20181017.2)
SourcePackage: nsca-ng
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.nsca-ng.nsca-ng.cfg: [inaccessible: [Errno 13]
Permission denied: '/etc/nsca-ng/nsca-ng.cfg']
mtime.conffile..etc.nsca-ng.nsca-ng.local.cfg: 2019-02-11T12:25:56.112242
** Affects: nsca-ng (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug cosmic third-party-packages
https://bugs.launchpad.net/bugs/1815407
Title:
nsca-ng fails under TLS 1.3 / openssl 1.1.1: "Cannot retrieve client
identity" error
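Added example, not part of the original report or of nsca-ng: when comparing captures as described above, the record header reads 0x0303 for both TLS 1.2 and TLS 1.3, and the version actually selected is carried in the ServerHello's supported_versions extension. The parser below reads it from a raw ServerHello record; the function names and both sample records are constructed for illustration.

```python
import struct

VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


def negotiated_version(record: bytes) -> str:
    """Return the protocol version selected by a ServerHello TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", body, 0)[0]  # legacy_version, 0x0303 in TLS 1.3 too
    pos = 2 + 32                                     # skip legacy_version and random
    pos += 1 + body[pos]                             # skip session_id
    pos += 2 + 1                                     # skip cipher suite and compression
    if pos + 2 <= len(body):                         # extensions block is optional in TLS 1.2
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= len(body):
                version = struct.unpack_from("!H", body, pos)[0]  # selected_version
            pos += ext_len
    return VERSION_NAMES.get(version, f"unknown (0x{version:04x})")


def build_server_hello(session_id: bytes, cipher: int, extensions: bytes) -> bytes:
    """Build a minimal ServerHello record (constructed test data, zeroed random)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", cipher, 0)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a PSK suite with renegotiation_info only, and a TLS 1.3 hello.
TLS12_HELLO = build_server_hello(b"", 0x00A8, b"\xff\x01\x00\x01\x00")
TLS13_HELLO = build_server_hello(bytes(32), 0x1302, b"\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    for name, rec in (("working", TLS12_HELLO), ("failing", TLS13_HELLO)):
        print(name, "record version", rec[1:3].hex(), "->", negotiated_version(rec))
```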