Certificate of NSClient++ with only 512 bits not accepted by new openssl libraries


#1

Hi! I recently updated the OpenSSL libraries on my Linux monitoring server, and now it seems it requires more than 512 bits of DH for the certificates.

The default certificate NSClient++ provides is only 512 bits, so this seems to be my current problem.

Does that certificate need something special? Should the client (check_nrpe) have the CA on its key-ring?

Regards,


#2

The NRPE cert is a rather insecure workaround for the old legacy NRPE, which has a hard-coded key. If you are using something other than legacy check_nrpe, please don't use it at all…


#3

I’m using the check_nrpe command. It requires the SSL cert by default, but as I said, the NSClient++ cert is not accepted due to its low security (512 bits).