diff --git a/Changelog b/Changelog index 893659b..c06902b 100644 --- a/Changelog +++ b/Changelog @@ -2,7 +2,22 @@ NRPE Changelog ************** -3.x.x - 201x-xx-xx +3.1.1 - 2017-05-24 +------------------ +FIXES +- The '--log-file=' or '-g' option is missing from the help (John Frickson) +- check_nrpe = segfault when specifying a config file (John Frickson) +- Alternate log file not being used soon enough (John Frickson) +- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson) +- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson) +- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson) +- Fix build failure with -Werror=format-security (Bas Couwenberg) +- Fixed a typo in `nrpe.spec.in` (John Frickson) +- More detailed error logging for SSL (John Frickson) +- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson) + + +3.1.0 - 2017-04-17 ------------------ ENHANCEMENTS - Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) diff --git a/configure b/configure index 0d99939..62b518f 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1. +# Generated by GNU Autoconf 2.69 for nrpe 3.1.1. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nrpe' PACKAGE_TARNAME='nrpe' -PACKAGE_VERSION='3.1.0-rc1' -PACKAGE_STRING='nrpe 3.1.0-rc1' +PACKAGE_VERSION='3.1.1' +PACKAGE_STRING='nrpe 3.1.1' PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net' PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/' @@ -757,6 +757,7 @@ with_logdir with_piddir with_pipedir enable_ssl +with_need_dh with_ssl with_ssl_inc with_ssl_lib 
@@ -1319,7 +1320,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems. +\`configure' configures nrpe 3.1.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1369,7 +1370,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";; + short | recursive ) echo "Configuration of nrpe 3.1.1:";; esac cat <<\_ACEOF @@ -1422,6 +1423,7 @@ Optional Packages: --with-logdir=DIR where log files should be placed --with-piddir=DIR where the PID file should be placed --with-pipedir=DIR where socket and pipe files should be placed + --with-need-dh set to 'no' to not include Diffie-Hellman SSL logic --with-ssl=DIR sets location of the SSL installation --with-ssl-inc=DIR sets location of the SSL include files --with-ssl-lib=DIR sets location of the SSL libraries @@ -1514,7 +1516,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nrpe configure 3.1.0-rc1 +nrpe configure 3.1.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2120,7 +2122,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nrpe $as_me 3.1.0-rc1, which was +It was created by nrpe $as_me 3.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2485,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. PKG_NAME=nrpe -PKG_VERSION="3.1.0-rc1" +PKG_VERSION="3.1.1" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2017-04-06" +PKG_REL_DATE="2017-05-24" RPM_RELEASE=1 LANG=C 
@@ -3020,29 +3022,29 @@ fi inetd_disabled="" - if test x"$init_type" = "xupstart"; then - inetd_type="upstart" - elif test "$opsys" = "osx"; then - inetd_type="launchd" - fi - - if test x"$inetd_type" = x; then - case $dist_type in #( + case $dist_type in #( solaris) : if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then - inetd_type="$init_type" - else - inetd_type="inetd" - fi ;; #( + inetd_type="$init_type" + else + inetd_type="inetd" + fi ;; #( *bsd*) : inetd_type=`ps -A -o comm -c | grep inetd` ;; #( + osx) : + inetd_type=`launchd` ;; #( aix|hp-ux) : inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #( *) : - inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND` ;; #( + inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1` ;; #( *) : ;; esac + + if test x"$inetd_type" = x; then + if test x"$init_type" = "xupstart"; then + inetd_type="upstart" + fi fi if test x"$inetd_type" = x; then @@ -4346,7 +4348,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nrpe $as_me 3.1.0-rc1, which was +This file was extended by nrpe $as_me 3.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4400,7 +4402,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nrpe config.status 3.1.0-rc1 +nrpe config.status 3.1.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -7278,9 +7280,19 @@ else fi +need_dh=yes + +# Check whether --with-need_dh was given. +if test "${with_need_dh+set}" = set; then : + withval=$with_need_dh; need_dh=$withval +else + nrpe_group=need_dh +fi + + if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=yes +# need_dh=yes # ------------------------------- @@ -8272,7 +8284,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nrpe $as_me 3.1.0-rc1, which was +This file was extended by nrpe $as_me 3.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8335,7 +8347,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nrpe config.status 3.1.0-rc1 +nrpe config.status 3.1.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index f25cf6c..e6ba05b 100644 --- a/configure.ac +++ b/configure.ac @@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],) define([AC_CACHE_SAVE],) m4_include([build-aux/custom_help.m4]) -AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) +AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) AC_CONFIG_SRCDIR([src/nrpe.c]) AC_CONFIG_AUX_DIR([build-aux]) AC_PREFIX_DEFAULT(/usr/local/nagios) PKG_NAME=nrpe -PKG_VERSION="3.1.0-rc1" +PKG_VERSION="3.1.1" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2017-04-06" +PKG_REL_DATE="2017-05-24" RPM_RELEASE=1 LANG=C 
@@ -304,10 +304,16 @@ AC_ARG_ENABLE([ssl], fi ],check_for_ssl=yes) +need_dh=yes +AC_ARG_WITH([need_dh], + AS_HELP_STRING([--with-need-dh],[set to 'no' to not include Diffie-Hellman SSL logic]), + [need_dh=$withval], + [nrpe_group=need_dh]) + dnl Optional SSL library and include paths if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=yes +# need_dh=yes AC_NAGIOS_GET_SSL fi diff --git a/docs/NRPE.odt b/docs/NRPE.odt index db9ca05..f5b906f 100644 Binary files a/docs/NRPE.odt and b/docs/NRPE.odt differ diff --git a/docs/NRPE.pdf b/docs/NRPE.pdf index 7284e7c..543daef 100644 Binary files a/docs/NRPE.pdf and b/docs/NRPE.pdf differ diff --git a/include/common.h.in b/include/common.h.in index b36fb8a..bfa7fcf 100644 --- a/include/common.h.in +++ b/include/common.h.in @@ -2,7 +2,7 @@ * * COMMON.H - NRPE Common Include File * Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org) - * Last Modified: 2017-04-06 + * Last Modified: 2017-05-24 * * License: * @@ -33,8 +33,8 @@ # endif #endif -#define PROGRAM_VERSION "3.1.0-rc1" -#define MODIFICATION_DATE "2017-04-06" +#define PROGRAM_VERSION "3.1.1" +#define MODIFICATION_DATE "2017-05-24" #define OK 0 #define ERROR -1 diff --git a/macros/ax_nagios_get_inetd b/macros/ax_nagios_get_inetd index 610b892..d42a7d0 100644 --- a/macros/ax_nagios_get_inetd +++ b/macros/ax_nagios_get_inetd 
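Review bot: The not-given branch of the new `AC_ARG_WITH([need_dh], ...)` is `[nrpe_group=need_dh]`, which looks copied from another option. Whenever `--with-need-dh` is omitted, configure assigns the literal string `need_dh` to `nrpe_group`. Since `need_dh=yes` is already set on the line above, the fourth argument can simply be empty: `[need_dh=$withval], [])`. The generated `configure` carries the same `else nrpe_group=need_dh` branch (hunk at -7278) and should be regenerated after the fix. Whether a later assignment to `nrpe_group` masks this is not visible in the hunk.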
@@ -93,29 +93,30 @@ AC_SUBST(inetd_type) inetd_disabled="" - if test x"$init_type" = "xupstart"; then - inetd_type="upstart" - elif test "$opsys" = "osx"; then - inetd_type="launchd" - fi + AS_CASE([$dist_type], + [solaris], + if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then + inetd_type="$init_type" + else + inetd_type="inetd" + fi, + + [*bsd*], + inetd_type=`ps -A -o comm -c | grep inetd`, + + [osx], + inetd_type=`launchd`, + + [aix|hp-ux], + inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`, + + [*], + inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`]) if test x"$inetd_type" = x; then - AS_CASE([$dist_type], - [solaris], - if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then - inetd_type="$init_type" - else - inetd_type="inetd" - fi, - - [*bsd*], - inetd_type=`ps -A -o comm -c | grep inetd`, - - [aix|hp-ux], - inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`, - - [*], - inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`]) + if test x"$init_type" = "xupstart"; then + inetd_type="upstart" + fi fi if test x"$inetd_type" = x; then diff --git a/nrpe.spec.in b/nrpe.spec.in index 3d066fe..05fa7ab 100644 --- a/nrpe.spec.in +++ b/nrpe.spec.in @@ -9,7 +9,7 @@ %endif %if %{islinux} %define _init_dir @initdir@ - %define _init_tyhpe @init_type@ + %define _init_type @init_type@ %define _exec_prefix %{_prefix}/sbin %define _bindir %{_prefix}/sbin %define _sbindir %{_prefix}/lib/nagios/cgi @@ -22,7 +22,7 @@ %define _sysconfdir /etc/nagios %define name @PACKAGE_NAME@ -%define version 3.1.0-rc1 +%define version 3.1.1 %define release @RPM_RELEASE@ %define nsusr @nrpe_user@ %define nsgrp @nrpe_group@ diff --git a/src/acl.c b/src/acl.c index c5e09b9..d937d53 100644 --- a/src/acl.c +++ b/src/acl.c @@ -565,9 +565,9 @@ int is_an_allowed_host(int family, void *host) break; } } - - dns_acl_curr = dns_acl_curr->next; } + + dns_acl_curr = dns_acl_curr->next; } return 0; } 
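Review bot: The new `[osx]` arm assigns ``inetd_type=`launchd` ``, and the backticks make it a command substitution: configure runs `launchd` and stores whatever it prints, where the removed code stored the name with `inetd_type="launchd"`. The arm also matches on `$dist_type`, while the removed test compared `$opsys` with `osx`, so it is worth confirming that `dist_type` ever takes that value. Use `inetd_type="launchd"` here. The generated `configure` hunk (at -3020) has the same line.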
diff --git a/src/check_nrpe.c b/src/check_nrpe.c index ecd042e..3216deb 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -4,7 +4,7 @@ * Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) * License: GPL * - * Last Modified: 2017-04-06 + * Last Modified: 2017-05-24 * * Command line: CHECK_NRPE -H [-p port] [-c command] [-to to_sec] * @@ -116,8 +116,6 @@ int main(int argc, char **argv) result = process_arguments(argc, argv, 0); - open_log_file(); - if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE) usage(result); /* usage() will call exit() */ @@ -466,6 +464,7 @@ int process_arguments(int argc, char **argv, int from_config_file) break; } log_file = strdup(optarg); + open_log_file(); break; default: @@ -558,10 +557,10 @@ int read_config_file(char *fname) bufp = buf; while (argc < 50) { + while (*bufp && strchr(delims, *bufp)) + ++bufp; if (*bufp == '\0') break; - while (strchr(delims, *bufp)) - ++bufp; argv[argc] = my_strsep(&bufp, delims); if (!argv[argc++]) break; @@ -667,7 +666,7 @@ void usage(int result) printf("Usage: check_nrpe -H [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d ]\n" " [-P ] [-S ] [-L ] [-C ]\n" " [-K ] [-A ] [-s ] [-b ]\n" - " [-f ] [-p ] [-t :]\n" + " [-f ] [-p ] [-t :] [-g ]\n" " [-c ] [-a ]\n"); printf("\n"); printf("Options:\n"); @@ -704,6 +703,7 @@ void usage(int result) printf(" = SSL Logging Options\n"); printf(" = bind to local address\n"); printf(" = configuration file to use\n"); + printf(" = full path to the log file to write to\n"); printf(" [port] = The port on which the daemon is running (default=%d)\n", DEFAULT_SERVER_PORT); printf(" [command] = The name of the command that the remote daemon should run\n"); @@ -743,7 +743,7 @@ void usage(int result) void setup_ssl() { #ifdef HAVE_SSL - int vrfy; + int vrfy, x; if (sslprm.log_opts & SSL_LogStartup) { char *val; 
@@ -878,7 +878,9 @@ void setup_ssl() break; case TLSv1_2: case TLSv1_2_plus: +#ifdef SSL_OP_NO_TLSv1_1 ssl_opts |= SSL_OP_NO_TLSv1_1; +#endif case TLSv1_1: case TLSv1_1_plus: ssl_opts |= SSL_OP_NO_TLSv1; @@ -897,14 +899,23 @@ void setup_ssl() if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) { if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { - SSL_CTX_free(ctx); printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file); + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + printf("Error: could not use certificate file '%s': %s\n", + sslprm.cert_file, ERR_reason_error_string(x)); + } + SSL_CTX_free(ctx); exit(STATE_CRITICAL); } if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { SSL_CTX_free(ctx); printf("Error: could not use private key file '%s'.\n", sslprm.privatekey_file); + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + printf("Error: could not use private key file '%s': %s\n", + sslprm.privatekey_file, ERR_reason_error_string(x)); + } + SSL_CTX_free(ctx); exit(STATE_CRITICAL); } } @@ -913,8 +924,12 @@ void setup_ssl() vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_CTX_set_verify(ctx, vrfy, verify_callback); if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { - SSL_CTX_free(ctx); printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file); + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + printf("Error: could not use CA certificate '%s': %s\n", + sslprm.privatekey_file, ERR_reason_error_string(x)); + } + SSL_CTX_free(ctx); exit(STATE_CRITICAL); } } 
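Review bot: In the `SSL_CTX_use_PrivateKey_file` failure branch the original `SSL_CTX_free(ctx);` ahead of the `printf` is kept as context and a second `SSL_CTX_free(ctx);` is added after the new error loop, so the context is freed twice before `exit(STATE_CRITICAL)`. The certificate-file branch just above removes the early call; the private-key branch should do the same and keep only the free after the loop. Separately, `x` is declared `int` while `ERR_get_error_line_data()` returns `unsigned long`; `unsigned long x;` avoids the narrowing. setup_ssl() starts and ends outside this hunk.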
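Review bot: The new loop under the `SSL_CTX_load_verify_locations` failure prints `sslprm.privatekey_file` in a message about the CA certificate, so the operator is pointed at the wrong file. The enclosing condition is outside the hunk, but if a CA file can be configured without a private key, the argument is NULL and passing NULL to `%s` is undefined behaviour. The argument should be `sslprm.cacert_file`, matching the `printf` on the line before the loop.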
@@ -932,8 +947,12 @@ void setup_ssl() } if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) { - SSL_CTX_free(ctx); printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list); + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + printf("Could not set SSL/TLS cipher list '%s': %s\n", + sslprm.cipher_list, ERR_reason_error_string(x)); + } + SSL_CTX_free(ctx); exit(STATE_CRITICAL); } } @@ -965,7 +984,7 @@ int connect_to_remote() struct sockaddr addr; struct in_addr *inaddr; socklen_t addrlen; - int result, rc, ssl_err, ern; + int result, rc, ssl_err, ern, x, nerrs = 0; /* try to connect to the host at the given port number */ if ((sd = @@ -1004,7 +1023,6 @@ int connect_to_remote() ssl_err = SSL_get_error(ssl, rc); if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) { - int x, nerrs = 0; rc = 0; while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", @@ -1015,9 +1033,16 @@ int connect_to_remote() logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err); - } else - logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", - rem_host, rc, ssl_err); + } else { + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", + rem_host, ERR_reason_error_string(x)); + ++nerrs; + } + if (nerrs == 0) + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: " + "rc=%d SSL-error=%d", rem_host, rc, ssl_err); + } if (ssl_err == 5) { /* Often, errno will be zero, so print a generic message here */ diff --git a/src/nrpe.c b/src/nrpe.c index 3c25f68..c91d8b6 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -186,8 +186,6 @@ int main(int argc, char **argv) return STATE_CRITICAL; } - open_log_file(); - if (!nasty_metachars) nasty_metachars = strdup(NASTY_METACHARS); 
@@ -244,6 +242,7 @@ void init_ssl(void) #ifdef HAVE_SSL DH *dh; char seedfile[FILENAME_MAX]; + char errstr[120] = { "" }; int i, c, x, vrfy; unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; @@ -315,7 +314,10 @@ void init_ssl(void) ctx = SSL_CTX_new(meth); if (ctx == NULL) { - logit(LOG_ERR, "Error: could not create SSL context"); + while ((x = ERR_get_error()) != 0) { + ERR_error_string(x, errstr); + logit(LOG_ERR, "Error: could not create SSL context : %s", errstr); + } SSL_CTX_free(ctx); exit(STATE_CRITICAL); } @@ -359,7 +361,9 @@ void init_ssl(void) break; case TLSv1_2: case TLSv1_2_plus: +#ifdef SSL_OP_NO_TLSv1_1 ssl_opts |= SSL_OP_NO_TLSv1_1; +#endif case TLSv1_1: case TLSv1_1_plus: ssl_opts |= SSL_OP_NO_TLSv1; @@ -377,7 +381,6 @@ void init_ssl(void) SSL_CTX_set_options(ctx, ssl_opts); if (sslprm.cert_file != NULL) { - char errstr[120] = { "" }; if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { SSL_CTX_free(ctx); while ((x = ERR_get_error()) != 0) { @@ -388,9 +391,12 @@ void init_ssl(void) exit(STATE_CRITICAL); } if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { + while ((x = ERR_get_error()) != 0) { + ERR_error_string(x, errstr); + logit(LOG_ERR, "Error: could not use private key file '%s' : %s", + sslprm.privatekey_file, errstr); + } SSL_CTX_free(ctx); - logit(LOG_ERR, "Error: could not use private key file '%s'", - sslprm.privatekey_file); exit(STATE_CRITICAL); } } @@ -401,6 +407,10 @@ void init_ssl(void) vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_CTX_set_verify(ctx, vrfy, verify_callback); if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n", + sslprm.cacert_file, ERR_reason_error_string(x)); + } SSL_CTX_free(ctx); logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); exit(STATE_CRITICAL); 
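Review bot: `errstr` is hoisted to function scope at 120 bytes and is now the target of `ERR_error_string(x, errstr)` in the new context-creation and private-key loops, but current OpenSSL documentation requires a buffer of at least 256 bytes for that call. With a newer libssl a long error string can therefore be written past the end of the array. Prefer the bounded form `ERR_error_string_n(x, errstr, sizeof(errstr));` at each call site, or declare `char errstr[256] = { "" };`. Also, the `ctx == NULL` branch now logs nothing when the error queue is empty, because the unconditional "could not create SSL context" message was dropped; keeping one `logit` after the loop preserves that diagnostic.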
@@ -651,13 +661,13 @@ void cleanup(void) free_memory(); /* free all memory we allocated */ if (sigrestart == TRUE && sigshutdown == FALSE) { + close_log_file(); result = read_config_file(config_file); /* read the config file */ if (result == ERROR) { /* exit if there are errors... */ logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file); exit(STATE_CRITICAL); } - open_log_file(); return; } @@ -950,10 +960,11 @@ int read_config_file(char *filename) else if (!strcmp(varname, "nasty_metachars")) nasty_metachars = strdup(varvalue); - else if (!strcmp(varname, "log_file")) + else if (!strcmp(varname, "log_file")) { log_file = strdup(varvalue); + open_log_file(); - else { + } else { logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", filename, line); continue; @@ -1852,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr) #else const SSL_CIPHER *c; #endif + const char *errmsg = NULL; char buffer[MAX_INPUT_BUFFER]; SSL *ssl = (SSL*)ssl_ptr; X509 *peer; @@ -1869,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr) int nerrs = 0; rc = 0; while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + errmsg = ERR_reason_error_string(x); logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", - remote_host, ERR_reason_error_string(x)); + remote_host, errmsg); + if (errmsg && !strcmp(errmsg, "no shared cipher")) { + if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL) + logit(LOG_ERR, "Error: This could be because you have not " + "specified certificate or ca-certificate files"); + } ++nerrs; } if (nerrs == 0) diff --git a/src/utils.c b/src/utils.c index 50cce29..161f3da 100644 --- a/src/utils.c +++ b/src/utils.c @@ -31,6 +31,7 @@ #include "../include/common.h" #include "../include/utils.h" +#include #ifdef HAVE_PATHS_H #include #endif 
@@ -469,6 +470,7 @@ char *my_strsep(char **stringp, const char *delim) void open_log_file() { int fh; + int flags = O_RDWR|O_APPEND|O_CREAT; struct stat st; close_log_file(); @@ -476,7 +478,10 @@ void open_log_file() if (!log_file) return; - if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { +#ifdef O_NOFOLLOW + flags |= O_NOFOLLOW; +#endif + if ((fh = open(log_file, flags, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { printf("Warning: Cannot open log file '%s' for writing\n", log_file); logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file); return; @@ -527,7 +532,7 @@ void logit(int priority, const char *format, ...) fflush(log_fp); } else - syslog(priority, buffer); + syslog(priority, "%s", buffer); free(buffer); } diff --git a/update-version b/update-version index 5a7c039..8ebcf0e 100755 --- a/update-version +++ b/update-version @@ -28,10 +28,10 @@ else fi # Current version number -CURRENTVERSION=3.1.0-rc1 +CURRENTVERSION=3.1.1 # Last date -LASTDATE=2017-04-06 +LASTDATE=2017-05-24 if [ "x$1" = "x" ] then
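Review bot: Where `O_NOFOLLOW` is not defined, `open_log_file()` now opens `log_file` with `O_CREAT|O_APPEND` and follows a symlink in the final path component, so the symlink protection silently disappears on exactly those platforms. An `#else` branch should make this visible, for example `#else /* no O_NOFOLLOW: a symlink at log_file will be followed */` together with an `lstat()` check or a logged warning. The function continues outside the hunk; the `struct stat st` declaration suggests checks after the open, and it is worth confirming they reject a symlinked target when the flag is unavailable.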