Module: check_mk
Branch: master
Commit: 1d5f61b2bc41944c83f97d454d4f022e0b5baa5a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1d5f61b2bc4194…
Author: Tom Baerwinkel <tb(a)mathias-kettner.de>
Date: Wed Apr 18 15:27:23 2018 +0200
5756 FIX check_mk_agent.linux, check_mk_agent.openwrt: specify message digest for
encrypted agent output explicitly
For encrypted agent output the default message digest algorithm of OpenSSL was
used before. Prior to OpenSSL 1.1 the default is MD5 which is what the Check_MK
server is expecting as well. Starting from OpenSSL 1.1 the default message
digest algorithm changed to SHA-256 which leads to problems in the
communication between hosts with a new OpenSSL version and the Check_MK server.
Now the message digest algorithm is specified explicitly as MD5 to circumvent
any ambiguity.
Change-Id: I242678076d69da4cf150354a1d9a878ef8ad1e24
---
.werks/5756 | 16 ++++++++++++++++
agents/check_mk_agent.linux | 6 +++---
agents/check_mk_agent.openwrt | 2 +-
3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.werks/5756 b/.werks/5756
new file mode 100644
index 0000000..9f410b3
--- /dev/null
+++ b/.werks/5756
@@ -0,0 +1,16 @@
+Title: check_mk_agent.linux, check_mk_agent.openwrt: specify message digest for encrypted
agent output explicitly
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1524056834
+Class: fix
+
+For encrypted agent output the default message digest algorithm of OpenSSL was
+used before. Prior to OpenSSL 1.1 the default is MD5 which is what the Check_MK
+server is expecting as well. Starting from OpenSSL 1.1. the default message
+digest algorithm changed to SHA-256 which leads to problems in the
+communication between hosts with a new OpenSSL version and the Check_MK server.
+Now the message digest algorithm is specified explicitly as MD5 to circumvent
+any ambiguity.
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index 98d4063..a3f5b04 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -93,7 +93,7 @@ fi
if [ "$ENCRYPTED" == "yes" ] ; then
echo -n "00" # protocol version
- exec > >(openssl enc -aes-256-cbc -k "$PASSPHRASE" -nosalt)
+ exec > >(openssl enc -aes-256-cbc -md md5 -k "$PASSPHRASE" -nosalt)
fi
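Review bot: The passphrase is still handed to openssl as a command-line argument (`-k "$PASSPHRASE"`), so it is typically visible in the process list to other local users for as long as the openssl child runs. The real-time path further down in this file already passes its secret through the environment with `-pass env:RTC_SECRET`, and the same form would work here: `exec > >(PASSPHRASE="$PASSPHRASE" openssl enc -aes-256-cbc -md md5 -pass env:PASSPHRASE -nosalt)`. The `if` block is complete within the hunk, but where PASSPHRASE is assigned is not visible.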
@@ -272,7 +272,7 @@ function run_real_time_checks()
{ echo -n $PROTOCOL ;
date +%s | tr -d '\n' ;
if [ "$ENCRYPTED_RT" != "no" ] ; then
- export RTC_SECRET=$RTC_SECRET ; section_"$SECTION" | openssl
enc -aes-256-cbc -pass env:RTC_SECRET -nosalt ;
+ export RTC_SECRET=$RTC_SECRET ; section_"$SECTION" | openssl
enc -aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ;
else
section_"$SECTION" ;
fi
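Review bot: The reason for pinning `-md md5` is not recorded next to the command, and combined with `-nosalt` it means the AES key and IV are derived from RTC_SECRET alone, so every packet is encrypted under the same key and IV and carries no integrity check. A comment above the pipeline such as `# -md md5 -nosalt: must match the key derivation the Check_MK server expects (pre-1.1 OpenSSL default); key/IV are static per secret` would keep a later cleanup from silently breaking decryption or from assuming this is stronger than it is. The value written by `echo -n $PROTOCOL` just before looks like the place to signal a stronger derivation in a later version, though the server side is not visible here. The same applies to the hunk at line 294, to the `exec` line in the first hunk and to check_mk_agent.openwrt. run_real_time_checks starts and ends outside the hunk.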
@@ -294,7 +294,7 @@ function run_real_time_checks()
{ echo -n $PROTOCOL ;
date +%s | tr -d '\n' ;
if [ "$ENCRYPTED_RT" != "no" ] ; then
- export RTC_SECRET=$RTC_SECRET ; ./$PLUGIN | openssl enc
-aes-256-cbc -pass env:RTC_SECRET -nosalt ;
+ export RTC_SECRET=$RTC_SECRET ; ./$PLUGIN | openssl enc
-aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ;
else
./"$PLUGIN";
fi
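Review bot: The encrypted branch runs the plugin as `./$PLUGIN` while the `else` branch below uses `./"$PLUGIN"`, so a plugin file name containing whitespace or glob characters is word-split only when encryption is switched on. Quote it the same way in the changed line: `export RTC_SECRET=$RTC_SECRET ; ./"$PLUGIN" | openssl enc -aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ;`. Because this is a pipeline, a failing plugin also goes unnoticed as long as openssl exits cleanly, unless pipefail is set somewhere outside the hunk. The enclosing function continues outside the hunk.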
diff --git a/agents/check_mk_agent.openwrt b/agents/check_mk_agent.openwrt
index d4a1549..94c3377 100755
--- a/agents/check_mk_agent.openwrt
+++ b/agents/check_mk_agent.openwrt
@@ -208,7 +208,7 @@ run_real_time_checks()
{ echo -n $PROTOCOL ;
date +%s | tr -d '\n' ;
if [ "$ENCRYPTED_RT" != "no" ] ; then
- export RTC_SECRET=$RTC_SECRET ; section_$SECTION | openssl enc
-aes-256-cbc -pass env:RTC_SECRET -nosalt ;
+ export RTC_SECRET=$RTC_SECRET ; section_$SECTION | openssl enc
-aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ;
else
section_$SECTION ;
fi
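Review bot: `export RTC_SECRET=$RTC_SECRET` leaves the expansion unquoted, and in a POSIX sh that does not treat `export` arguments as assignments the value is word-split, so a secret containing whitespace would be truncated before openssl derives the key from it. `export RTC_SECRET="$RTC_SECRET"` avoids that regardless of which shell runs the openwrt agent; the interpreter line is not visible here. `section_$SECTION` is likewise unquoted on both branches, unlike `section_"$SECTION"` in check_mk_agent.linux. run_real_time_checks starts and ends outside the hunk.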