nsca-ng fails under TLS 1.3 / openssl 1.1.1: "Cannot retrieve client identity" error

Bug #1815407 reported by Jeff Turner
This bug affects 3 people
Affects: nsca-ng (Debian) - Status: Fix Released - Importance: Unknown
Affects: nsca-ng (Ubuntu) - Status: Fix Committed - Importance: Undecided - Assigned to: Unassigned

Bug Description

I have a nsca-ng setup on localhost, with the only customization being a 'checker' identity configured in /etc/nsca-ng/nsca-ng.local.cfg:

authorize "checker" {
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"
hosts = ".*"
services = ".*"
}

and corresponding /etc/send_nsca.cfg:

server = localhost
identity = checker
password = "s2LDCy4CiK6yrlcHhTXT6agFh067XYE3"

When I send a test message:

/usr/share/doc/nsca-ng-client/examples/invoke_check -H localhost -S 'backup fresh' /usr/lib/nagios/plugins/check_dummy 2 "Failed"

the client fails with:

send_nsca: [FATAL] Socket error (localhost (ID: UAM9O/A0)): Connection reset by peer

and the server (in syslog) reports:

nsca-ng[28392]: Cannot retrieve client identity

I have an identical setup on an Ubuntu 18.04.1 server, where this works.

After taking TCP dumps on working and non-working servers (tcpdump -i lo 'port 5668' -w /tmp/send_nsca.log), I observe that the failing server uses TLSv1.3, whereas the working server uses TLSv1.2.

The failing code can be seen at https://github.com/weiss/nsca-ng/blob/master/src/common/tls.c#L636

Specifically, the OpenSSL SSL_get_psk_identity call (https://www.openssl.org/docs/man1.0.2/man3/SSL_get_psk_identity.html) is unexpectedly returning null.

I know zilch about TLS handshakes, but I noticed a comment in Zabbix's TLS library (https://fossies.org/linux/zabbix/src/libs/zbxcrypto/tls.c) that seems relevant:

/* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
/* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */

I'm running Ubuntu 18.10, nsca-ng 1.5-3 (also tried 1.5-2build2) and openssl 1.1.1-1ubuntu2.1. The working server is Ubuntu 18.04.1, nsca-ng 1.5-2build2 and openssl 1.1.0g-2ubuntu4.3.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: nsca-ng-server 1.5-2build2
ProcVersionSignature: Ubuntu 4.18.0-13.14-generic 4.18.17
Uname: Linux 4.18.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Feb 11 14:02:33 2019
InstallationDate: Installed on 2018-11-28 (74 days ago)
InstallationMedia: Ubuntu-MATE 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
SourcePackage: nsca-ng
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.nsca-ng.nsca-ng.cfg: [inaccessible: [Errno 13] Permission denied: '/etc/nsca-ng/nsca-ng.cfg']
mtime.conffile..etc.nsca-ng.nsca-ng.local.cfg: 2019-02-11T12:25:56.112242

Bas Couwenberg (sebastic) wrote :

This should be fixed in 1.6.

Changed in nsca-ng (Ubuntu):
status: New → Fix Committed
Changed in nsca-ng (Debian):
status: Unknown → Fix Released
Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote :

This also affects Bionic's nsca-ng-client=1.5-2build2. Oddly, the server-side seems to work fine with older clients:

This works: nsca-ng-client=1.4-2 -> nsca-ng-server=1.5-2build2
This fails: nsca-ng-client=1.5-2build2 -> nsca-ng-server=1.5-2build2

... with error message "Cannot retrieve client identity".

On my Bionic, I have to downgrade nsca-ng-client to Xenial's version to make it work, which will be EoL in a few days.

Please fix

Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote :

Is there a timeline for releasing the upstream fix, at least for 18.04 LTS?

Norbert (nrbrtx)
tags: removed: cosmic