Public bug reported:

I have a nsca-ng setup on localhost, with the only customization being a
'checker' identity configured in /etc/nsca-ng/nsca-ng.local.cfg:

authorize "checker" {
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"
hosts = ".*"
services = ".*"

and corresponding /etc/send_nsca.cfg:

server = localhost
identity = checker
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"

When I send a test message:

/usr/share/doc/nsca-ng-client/examples/invoke_check -H localhost -S
'backup fresh'  /usr/lib/nagios/plugins/check_dummy 2 "Failed"

the client fails with:

send_nsca: [FATAL] Socket error (localhost (ID: UAM9O/A0)): Connection
reset by peer

and the server (in syslog) report:

nsca-ng[28392]: Cannot retrieve client identity

I have an identical setup on an Ubuntu 18.04.1 server, where this works.

After taking TCP dumps on working and non-working servers (tcpdump -i lo
'port 5668' -w /tmp/send_nsca.log), I observe that the failing server
uses TLSv1.3, whereas the working server uses TLSv1.2.

The failing code can be seen at

Specifically, the OpenSSL SSL_get_psk_identity call
is unexpectedly returning null.

I know zilch about TLS handshakes, but I noticed a comment in Zabbix's
TLS library (
that seems relevant:

 5555     /* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
 5556     /* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */

I'm running Ubuntu 18.10, nsca-ng 1.5-3 (also tried 1.5-2build2) and
openssl 1.1.1-1ubuntu2.1. The working server is Ubuntu 18.04.1, nsca-ng
1.5-2build2 and openssl 1.1.0g-2ubuntu4.3.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: nsca-ng-server 1.5-2build2
ProcVersionSignature: Ubuntu 4.18.0-13.14-generic 4.18.17
Uname: Linux 4.18.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Feb 11 14:02:33 2019
InstallationDate: Installed on 2018-11-28 (74 days ago)
InstallationMedia: Ubuntu-MATE 18.10 "Cosmic Cuttlefish" - Release amd64 
SourcePackage: nsca-ng
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.nsca-ng.nsca-ng.cfg: [inaccessible: [Errno 13] 
Permission denied: '/etc/nsca-ng/nsca-ng.cfg']
mtime.conffile..etc.nsca-ng.nsca-ng.local.cfg: 2019-02-11T12:25:56.112242

** Affects: nsca-ng (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug cosmic third-party-packages

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  nsca-ng fails under TLS 1.3 / openssl 1.1.1: "Cannot retrieve client
  identity" error

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to