Module: check_mk Branch: master Commit: 1d5f61b2bc41944c83f97d454d4f022e0b5baa5a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1d5f61b2bc4194… Author: Tom Baerwinkel <tb(a)mathias-kettner.de> Date: Wed Apr 18 15:27:23 2018 +0200 5756 FIX check_mk_agent.linux, check_mk_agent.openwrt: specify message digest for encrypted agent output explicitly For encrypted agent output the default message digest algorithm of OpenSSL was used before. Prior to OpenSSL 1.1 the default is MD5 which is what the Check_MK server is expecting as well. Starting from OpenSSL 1.1. the default message digest algorithm changed to SHA-256 which leads to problems in the communication between hosts with a new OpenSSL version and the Check_MK server. Now the message digest algorithm is specified explicitly as MD5 to circumvent any ambiguity. Change-Id: I242678076d69da4cf150354a1d9a878ef8ad1e24 --- .werks/5756 | 16 ++++++++++++++++ agents/check_mk_agent.linux | 6 +++--- agents/check_mk_agent.openwrt | 2 +- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.werks/5756 b/.werks/5756 new file mode 100644 index 0000000..9f410b3 --- /dev/null +++ b/.werks/5756 @@ -0,0 +1,16 @@ +Title: check_mk_agent.linux, check_mk_agent.openwrt: specify message digest for encrypted agent output explicitly +Level: 1 +Component: checks +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1524056834 +Class: fix + +For encrypted agent output the default message digest algorithm of OpenSSL was +used before. Prior to OpenSSL 1.1 the default is MD5 which is what the Check_MK +server is expecting as well. Starting from OpenSSL 1.1. the default message +digest algorithm changed to SHA-256 which leads to problems in the +communication between hosts with a new OpenSSL version and the Check_MK server. +Now the message digest algorithm is specified explicitly as MD5 to circumvent +any ambiguity. diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux index 98d4063..a3f5b04 100755 --- a/agents/check_mk_agent.linux +++ b/agents/check_mk_agent.linux @@ -93,7 +93,7 @@ fi if [ "$ENCRYPTED" == "yes" ] ; then echo -n "00" # protocol version - exec > >(openssl enc -aes-256-cbc -k "$PASSPHRASE" -nosalt) + exec > >(openssl enc -aes-256-cbc -md md5 -k "$PASSPHRASE" -nosalt) fi @@ -272,7 +272,7 @@ function run_real_time_checks() { echo -n $PROTOCOL ; date +%s | tr -d '\n' ; if [ "$ENCRYPTED_RT" != "no" ] ; then - export RTC_SECRET=$RTC_SECRET ; section_"$SECTION" | openssl enc -aes-256-cbc -pass env:RTC_SECRET -nosalt ; + export RTC_SECRET=$RTC_SECRET ; section_"$SECTION" | openssl enc -aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ; else section_"$SECTION" ; fi @@ -294,7 +294,7 @@ function run_real_time_checks() { echo -n $PROTOCOL ; date +%s | tr -d '\n' ; if [ "$ENCRYPTED_RT" != "no" ] ; then - export RTC_SECRET=$RTC_SECRET ; ./$PLUGIN | openssl enc -aes-256-cbc -pass env:RTC_SECRET -nosalt ; + export RTC_SECRET=$RTC_SECRET ; ./$PLUGIN | openssl enc -aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ; else ./"$PLUGIN"; fi diff --git a/agents/check_mk_agent.openwrt b/agents/check_mk_agent.openwrt index d4a1549..94c3377 100755 --- a/agents/check_mk_agent.openwrt +++ b/agents/check_mk_agent.openwrt @@ -208,7 +208,7 @@ run_real_time_checks() { echo -n $PROTOCOL ; date +%s | tr -d '\n' ; if [ "$ENCRYPTED_RT" != "no" ] ; then - export RTC_SECRET=$RTC_SECRET ; section_$SECTION | openssl enc -aes-256-cbc -pass env:RTC_SECRET -nosalt ; + export RTC_SECRET=$RTC_SECRET ; section_$SECTION | openssl enc -aes-256-cbc -md md5 -pass env:RTC_SECRET -nosalt ; else section_$SECTION ; fi