Created attachment 182152
svn diff for net-mgmt/nrpe

Current NRPE2 uses 512-bit DH parameters, which are insecure. Upstream updated to 2048-bit for 3.x, see https://github.com/NagiosEnterprises/nrpe/blob/maint/macros/ax_nagios_get_ssl#L298

Poor design to generate params during build, but that has perpetuated into 3.x as well.

Proposed commit log:
```
net-mgmt/nrpe: Use 2048-bit DH params

- Add patches to upgrade 512 to 2048-bit DH params
- Add LICENSE

PR:
Approved by:
```
Looks good to me. OK to commit if you have tested interoperability with nrpe with 512-bit DH parameters, to ensure that we don't break mixed environments.
Just ran interop tests on 11amd64-p6 vanilla poudriere jail, 3 builds:

1. stock OpenSSL and current port
2. stock OpenSSL and dh2048 patches
3. LibreSSL port and dh2048 patches

Tests:

- client current vs server current: OK
- client current vs server dh2048: OK
- client current vs server libressl: OK
- client dh2048 vs server current: OK
- client dh2048 vs server dh2048: OK
- client dh2048 vs server libressl: OK
- client libressl vs server current: FAIL
- client libressl vs server dh2048: OK
- client libressl vs server libressl: OK

FAIL for client libressl vs server current was expected, this is why I patched to begin with. 512-bit DH params are no longer supported in LibreSSL 2.5.
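The thread's point is that a 512-bit DH group is too small and that LibreSSL 2.5 refuses it outright. As an added illustration, not part of this PR or the nrpe port, here is a stdlib-only Python check that reads a PEM "DH PARAMETERS" block (the PKCS#3 encoding `openssl dhparam` writes), extracts the modulus size, and rejects anything under 2048 bits; the `constructed_dh_pem` helper is an assumption that fabricates syntactically valid input (its modulus is not a safe prime) so the check can be exercised offline without generating real groups.

```python
import base64
import re
import textwrap

MIN_DH_BITS = 2048  # the floor this PR moves nrpe to; LibreSSL 2.5 rejects 512-bit groups

def _der_len_enc(n):
    """DER-encode a length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_len_dec(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of the modulus p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len_dec(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len_dec(der, i + 1)
    # DER INTEGER is big-endian two's complement; a leading 0x00 pad byte leaves the value unchanged
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def dh_params_ok(pem, minimum=MIN_DH_BITS):
    """True if the group modulus meets the minimum size."""
    return dh_prime_bits(pem) >= minimum

def constructed_dh_pem(bits, g=2):
    """Constructed test input (assumption, not a real group): a syntactically valid
    DH PARAMETERS PEM whose p has `bits` bits. p is NOT a safe prime."""
    def der_int(v):
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps the sign bit clear
        return b"\x02" + _der_len_enc(len(body)) + body
    body = der_int((1 << (bits - 1)) | 1) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END DH PARAMETERS-----\n"
```

Pointing `dh_params_ok` at a file produced by `openssl dhparam` gives a quick audit of deployed parameter files before a LibreSSL upgrade turns a small group into a connection failure.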
A commit references this bug:

Author: brnrd
Date: Fri Apr 28 19:33:27 UTC 2017
New revision: 439625
URL: https://svnweb.freebsd.org/changeset/ports/439625

Log:
  net-mgmt/nrpe: Use 2048-bit DH params

  - Add patch for DH-param generation in configure
  - Update patch switching dh512 to dh2048 for server
  - Add LICENSE
  - Fixes runtime issue when nrpe-ssl built with LibreSSL 2.5

  PR:		218930
  Approved by:	zeising (maintainer)

Changes:
  head/net-mgmt/nrpe/Makefile
  head/net-mgmt/nrpe/files/patch-configure
  head/net-mgmt/nrpe/files/patch-src-nrpe.c
Fixed a while ago, just forgot to close the PR.