On our UNIX-Systems
- HP-UX 11.11
- Solaris 2.6
- Solaris 8
we cannot compile NRPE in SSL mode (we must disable it with
./configure --disable-ssl
).
The command creates an error at configure:
openssl dhparam -out /dev/null -C 512 > /tmp/mist
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
15617:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:512:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
15617:error:05068003:Diffie-Hellman routines:DH_generate_parameters:BN lib:dh_gen.c:157:
We used all the binaries from the manufacturer of the
system:
http://www.sunfreeware.com
http://hpux.asknet.de/
The openssl-Version is:
openssl-0.9.7e
P.S. On AIX 4.3 and 5.1 there are no binaries available and
the compiling of OPENSSL fails.
73 de DF7BE
Logged In: YES
user_id=613416
I have a workaround for machines without /dev/random or
another good random number generation. I tried it
successfully on AIX5.1
- The openssl command fails because no source of
randomness can be found to seed the rng.
Call "openssl dhparam -out /dev/null -C -rand a_big_file 512"
I used a core-file as a_big_file but any other will do.
This creates a $HOME/.rnd file which will serve as
seedfile the next time you run the openssl command.
- Run ./configure --with-ssl ... again
This time it will succeed. If not, I have no idea why.
- Edit src/nrpe.c or apply the patch
The SSL initialization code relies on a strong source of
randomness which these machines don't support. If you
compile the original nrpe.c there will be an "Error - Could
not complete SSL handshake".
So we must modify nrpe.c to initialize SSL so that it
accepts another seedfile instead of, for example, /dev/random.
You can find a patch at
http://people.consol.de/~lausser/nagios/nrpe.weak_ssl.patch
cd nrpe-2.0
patch -p1 < nrpe.weak_ssl.patch
This will add four lines of code so that SSL
initialization uses the $HOME/.rnd as seedfile and writes
new random content into it for the next run.
Now compile.
- Generate $HOME/.rnd files on all your machines where the
nrpe daemon will run.
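A pre-flight check for the seed-file workaround above, added here as an example; it is not lausser's patch and not NRPE code. It assumes the device directory and seed file path are passed as arguments (so it can be exercised against a scratch directory) and takes 1024 bytes as the minimum useful seed size.

```shell
#!/bin/sh
# Pre-flight check for the seed-file workaround (added example, not NRPE code).
# Assumptions: the device directory and seed file path are passed in so the
# functions can be run against a scratch directory, and 1024 bytes is taken
# as the minimum useful seed size.

# Succeeds when the OS offers a kernel RNG (normally /dev/random or
# /dev/urandom); then the stock nrpe.c needs no seed file at all.
has_kernel_rng() {
    devdir=${1:-/dev}
    [ -c "$devdir/random" ] || [ -c "$devdir/urandom" ]
}

# Succeeds when $1 is usable as the OpenSSL seed file ($HOME/.rnd above).
# The patched daemon reads it and writes new bytes back on every start, so
# anyone who can read it can predict the daemon's "random" output: require
# a regular file with owner-only permissions and a non-trivial size.
check_seedfile() {
    f=$1
    [ -f "$f" ] || { echo "seedfile $f: not a regular file" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c2-10)
    [ "$perms" = "rw-------" ] ||
        { echo "seedfile $f: mode $perms, expected rw-------" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 1024 ] ||
        { echo "seedfile $f: only $size bytes" >&2; return 1; }
}

# Prints which entropy source the NRPE build can rely on: "kernel",
# "seedfile", or "none" (exit 1) when neither is available and the
# "openssl dhparam ... -rand a_big_file" step above still has to be run.
entropy_plan() {
    if has_kernel_rng "$1"; then echo kernel; return 0; fi
    if check_seedfile "$2"; then echo seedfile; return 0; fi
    echo none
    return 1
}
```

Run `entropy_plan /dev "$HOME/.rnd"` on each host before `./configure --with-ssl`; a result of "none" means the seed file still has to be generated, and a permissions complaint means the seed file is readable by other users.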
Logged In: YES
user_id=613416
More on nrpe+ssl can be found here
http://sourceforge.net/mailarchive/forum.php?thread_id=9454221&forum_id=1872
Logged In: YES
user_id=69405
Since NRPE 2.5 and new openssl versions are available, NRPE
and OPENSSL/OPENSSH are compilable on the following OS:
Solaris 8,9,10
HP-UX 11.11
IBM AIX 4.3, 5.1 with EGD and workaround from lausser
==> needing actual OS patches.
and also LINUX.
TNX , 73 es 55 de DF7BE
Logged In: YES
user_id=69405
Originator: YES
Hello,
- Now we have AIX 5.3, no problems with SSL are left now (/dev/random and /dev/urandom are now supported by the OS)
- Additional information for HP-UX 11.11:
The support for /dev/random and /dev/urandom can be added by installing the following package:
swlist | grep -i KRNG
KRNG11i B.11.11.09 HP-UX 11.11 Strong Random Number Generator
(KRNG11i_B.11.11.09_HP-UX_B.11.11_32+64.depot)
HP-UX 11.23 supports this by the OS
use GNU as (contained in binutils)
- Solaris:
Solaris 8: Patch 112438-01 added the /dev/random support
Solaris 10: /dev/random supported by the OS
I think, after adding this information in the documents you can close this ID
73 de DF7BE