NagiosEnterprises / nrpe

NRPE Agent
GNU General Public License v2.0

Unable to build against OpenSSL 3.0.0 #258

Closed ondrejj closed 2 years ago

ondrejj commented 2 years ago

NRPE doesn't build against OpenSSL 3.0.0, which is coming to modern Linux distributions like Fedora.

Here are build logs for Fedora 36:

https://koji.fedoraproject.org/koji/taskinfo?taskID=78020218
https://kojipkgs.fedoraproject.org//work/tasks/1014/78021014/build.log

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=2021958

The main problem is:

/usr/bin/ld: /tmp/ccStWj3g.ltrans0.ltrans.o: in function `main':
/builddir/build/BUILD/nrpe-4.0.3/src/./nrpe.c:474: undefined reference to `get_dh2048'

I can work around this build problem by disabling USE_SSL_DH, but I'm not sure if this is a good solution.

ignatenkobrain commented 2 years ago

https://github.com/openssl/openssl/pull/13384#issuecomment-939993259 and later are relevant… OpenSSL 3.x does not have a generate C code option.

arekm commented 2 years ago

Debian (and pld) uses pre-generated db.h: https://git.pld-linux.org/gitweb.cgi?p=packages/nagios-nrpe.git;a=blob_plain;f=11_reproducible_dh.h.patch;hb=HEAD

loqs commented 2 years ago

An alternative approach would be to use SSL_CTX_set_dh_auto

diff --git a/src/nrpe.c b/src/nrpe.c
index 73699f7..5a0bc80 100644
--- a/src/nrpe.c
+++ b/src/nrpe.c
@@ -40,11 +40,6 @@
 #include "utils.h"
 #include "acl.h"

-#ifdef HAVE_SSL
-# ifdef USE_SSL_DH
-#  include "../include/dh.h"
-# endif
-#endif
 #ifndef HAVE_ASPRINTF
 extern int asprintf(char **ptr, const char *format, ...);
 #endif
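
Review bot: With the ../include/dh.h include deleted at the top of nrpe.c, this file no longer uses the generated header, so the same patch should also drop whatever build step produces include/dh.h. Otherwise the build can still depend on generating a file nothing includes, and that generation step is the part reported earlier in this thread as unavailable in OpenSSL 3.x. The removed block was guarded by both HAVE_SSL and USE_SSL_DH, so builds without those defines are unaffected.
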
@@ -471,9 +466,12 @@ void init_ssl(void)
        }

 #ifdef USE_SSL_DH
-       dh = get_dh2048();
-       SSL_CTX_set_tmp_dh(ctx, dh);
-       DH_free(dh);
+       if (!SSL_CTX_set_dh_auto(ctx, 1))
+       {
+           SSL_CTX_free(ctx);
+           logit(LOG_ERR, "Error: Could not set automatic use of DH.");
+           exit(STATE_CRITICAL);
+       }
 #endif
    }
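
Review bot: The switch to SSL_CTX_set_dh_auto(ctx, 1) in init_ssl() hands the choice of DH parameter size to OpenSSL per connection instead of the fixed group that the removed get_dh2048() call supplied, and the patch does not document that change. Please confirm which size is selected when no certificate is configured and state it in the commit message or docs, since it may not match the previous 2048 bits. Two smaller points in the same block: there is no guard for OpenSSL headers that do not define SSL_CTX_set_dh_auto, so an #ifdef fallback or a configure check is needed if older releases are still supported, and if the dh variable is declared in init_ssl() only for the removed lines, its declaration should go too.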

sawolf commented 2 years ago

Ended up sorting this out (due to an internal request) before I saw this issue - I'll keep the supplied patch in mind if I find any more issues with the patch that's currently in master.

sawolf commented 2 years ago

Closing this since it should be fixed in NRPE 4.1.0 - if any of you are still having problems, leave another comment here and we can reopen the issue.