Backport "Re-enable SSL support by default. Compatibility with older versions has been fixed." to zesty.

Bug #1720029 reported by Vinson Lee
Affects               Status        Importance  Assigned to  Milestone
nagios-nrpe (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Please backport nagios-nrpe-server 3.2.0-2 commit e61cbf7fa140a667f8b662f42aff575886400b82 ("Re-enable SSL support by default. Compatibility with older versions has been fixed.") to Ubuntu 17.04 zesty.

https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git/commit/?id=e61cbf7fa140a667f8b662f42aff575886400b82

This fixes compatibility with older versions of nagios-nrpe-server.

Compatibility was broken with nagios-nrpe-server 3.0.1-1 commit 7ff529b316c3bee59fc3a1b19694b399ee6d9c7e ("Disable SSL support by default, requires configuration.").

artful has nagios-nrpe-server 3.2.0-4ubuntu2 and already has this fix.

zesty has nagios-nrpe-server 3.0.1-3ubuntu0.17.04.1 and needs this fix.

xenial has nagios-nrpe-server 2.15-1ubuntu1.1 which is before the regression.

Tags: zesty

Hans Joachim Desserud (hjd) wrote :

Thanks for taking your time to report this issue and help making Ubuntu better.

Since you mention that the issue is fixed in Artful, but still present in 17.04, you may want to look into the SRU Procedure [1].

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Thomas Hufschmidt (hufschmt) wrote :

Since there are no bug-reports on launchpad the most valid argument is probably that the changes have been implemented in Debian-Stretch (9.1) and also backported to stretch-backports.

See discussion (and included links) here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867567

[Impact]
* Currently nagios-nrpe-server on zesty cannot talk to existing infrastructure using older nagios/icinga server without disabling SSL (or plainly pinning nagios-nrpe-server to xenial)

[Test Case]
* Setup nagios/icinga server using distribution based on wheezy/jessie (eg. ubuntu trusty/xenial)
* Setup nagios node using zesty
* Setup nagios-node to allow connections from nagios/icinga server
* Invoking nrpe-plugin fails with "Could not complete SSL handshake"
  (See https://github.com/NagiosEnterprises/nrpe/issues/113 for details about this)

[Regression Potential]
* Seeing this implemented in Debian 9.1 and stretch-backport probably none apart from requiring SSL by default again

[Other Info]
* As being said, nagios-nrpe-server is currently unusable in its current state IFF using an older OS release as nagios master. The only option is to either pin nagios-nrpe-server to xenial (effectively downgrading it) or disabling SSL altogether which seems equally bad :(

Nish Aravamudan (nacc) wrote :

Hello and thank you again for the report. I am looking at the fix, and the NEWS and changelog files say:

+ The bug that caused the SSL support between NRPE 2.x and 3.x not
+ to work has been fixed.

What bug? Where was it fixed? Will updating just nagios-nrpe break existing 17.04 installs?

Thomas Hufschmidt (hufschmt) wrote :

+ What bug? Where was it fixed?

The Bug itself was discussed on the nagios nrpe github repository, see here:
https://github.com/NagiosEnterprises/nrpe/issues/113

The cause of the issue is mentioned in comment #313378250, good read to understand what has happened:
https://github.com/NagiosEnterprises/nrpe/issues/113#issuecomment-313378250

Or here the short gist of it:
https://github.com/NagiosEnterprises/nrpe/issues/113#issuecomment-313396185
Note: This is also where the fix-commits mentioned by Vinson Lee are coming from

+ Will updating just nagios-nrpe break existing 17.04 installs?

AFAIK the commits only fix the issue introduced by https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git/commit/?id=a4b095ea which unconditionally disabled the 'need_dh' flag.

Tests have been done by sebastic here:
https://github.com/NagiosEnterprises/nrpe/issues/113#issuecomment-313677276

Addendum:
To my understanding we actually need those two:
https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git/commit/?h=debian/3.0.1-3%2bdeb9u1&id=2b82acf0ff3a93db939bb327046e010c7f360c43
https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git/commit/?h=debian/3.0.1-3%2bdeb9u1&id=5a13300801c2880fe9c1add81751b71aecb20e4b

Bas Couwenberg (sebastic) wrote :

Please note that with SSL enabled in the Debian package, NRPE from EPEL for RHEL/CentOS 5 (and 6 IIRC) remains incompatible because the dh key size is too small. I think this is caused by changes in OpenSSL 1.1.0, so this may not be an issue for Ubuntu with OpenSSL 1.0.0. Regardless of this issue, SSL should be enabled by default in the nagios-nrpe package in Ubuntu because that's what users expect.

dino99 (9d9) wrote :

That version is now dead
http://news.softpedia.com/news/ubuntu-17-04-zesty-zapus-has-reached-end-of-life-upgrade-to-ubuntu-17-10-now-519360.shtml

That request might be fixed with 3.2.0-4ubuntu2 (see changelog)

Changed in nagios-nrpe (Ubuntu):
status: New → Fix Released