Since the [http://nsclient.org/nscp/wiki/doc/configuration/0.4.x#ALLOWEDCIPHERS documentation] lists that as the default value for
allowed ciphers I assumed I could leave it out. I guess the documentation needs updating.
When I add
allowed ciphers I finally get some evidence that NSClient++ is using SSL:
$ check_nrpe -H
CHECK_NRPE: Error - Could not complete SSL handshake.
And NSClient++ outputs
Failed to establish secure connection: no shared cipher
Okay, that makes sense...I never told NRPE what ciphers it could use. I can't find anything about it in the NRPE documentation, but based on [http://sourceforge.net/mailarchive/message.php?msg_id=21916402 this thread] from the nagios-users mailing list, it seems like NRPE doesn't use certificates.
I can't tell if NRPE uses ADH or if it's possible to change the cipher. And since I'm not using NSClient++ on my Nagios server, I can't figure out how to apply that blog post to my particular setup. Perhaps I'm asking in the wrong place.