nsca-ng fails under TLS 1.3 / openssl 1.1.1: "Cannot retrieve client identity" error

Bug #1815407 reported by Jeff Turner on 2019-02-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nsca-ng (Debian)
Fix Released
nsca-ng (Ubuntu)

Bug Description

I have a nsca-ng setup on localhost, with the only customization being a 'checker' identity configured in /etc/nsca-ng/nsca-ng.local.cfg:

authorize "checker" {
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"
hosts = ".*"
services = ".*"

and corresponding /etc/send_nsca.cfg:

server = localhost
identity = checker
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"

When I send a test message:

/usr/share/doc/nsca-ng-client/examples/invoke_check -H localhost -S 'backup fresh' /usr/lib/nagios/plugins/check_dummy 2 "Failed"

the client fails with:

send_nsca: [FATAL] Socket error (localhost (ID: UAM9O/A0)): Connection reset by peer

and the server (in syslog) report:

nsca-ng[28392]: Cannot retrieve client identity

I have an identical setup on an Ubuntu 18.04.1 server, where this works.

After taking TCP dumps on working and non-working servers (tcpdump -i lo 'port 5668' -w /tmp/send_nsca.log), I observe that the failing server uses TLSv1.3, whereas the working server uses TLSv1.2.

The failing code can be seen at https://github.com/weiss/nsca-ng/blob/master/src/common/tls.c#L636

Specifically, the OpenSSL SSL_get_psk_identity call (https://www.openssl.org/docs/man1.0.2/man3/SSL_get_psk_identity.html) is unexpectedly returning null.

I know zilch about TLS handshakes, but I noticed a comment in Zabbix's TLS library (https://fossies.org/linux/zabbix/src/libs/zbxcrypto/tls.c) that seems relevant:

 5555 /* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
 5556 /* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */

I'm running Ubuntu 18.10, nsca-ng 1.5-3 (also tried 1.5-2build2) and openssl 1.1.1-1ubuntu2.1. The working server is Ubuntu 18.04.1, nsca-ng 1.5-2build2 and openssl 1.1.0g-2ubuntu4.3.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: nsca-ng-server 1.5-2build2
ProcVersionSignature: Ubuntu 4.18.0-13.14-generic 4.18.17
Uname: Linux 4.18.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Feb 11 14:02:33 2019
InstallationDate: Installed on 2018-11-28 (74 days ago)
InstallationMedia: Ubuntu-MATE 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
SourcePackage: nsca-ng
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.nsca-ng.nsca-ng.cfg: [inaccessible: [Errno 13] Permission denied: '/etc/nsca-ng/nsca-ng.cfg']
mtime.conffile..etc.nsca-ng.nsca-ng.local.cfg: 2019-02-11T12:25:56.112242

Jeff Turner (jeffturner) wrote :
Bas Couwenberg (sebastic) wrote :

This should be fixed in 1.6.

Changed in nsca-ng (Ubuntu):
status: New → Fix Committed
Changed in nsca-ng (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.