Merge branch 'nrpe-3.1.1rc1'

Changelog

@@ -2,6 +2,21 @@
 NRPE Changelog
 **************
 
+3.1.1 - 2017-05-24
+------------------
+FIXES
+- The '--log-file=' or '-g' option is missing from the help (John Frickson)
+- check_nrpe = segfault when specifying a config file (John Frickson)
+- Alternate log file not being used soon enough (John Frickson)
+- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
+- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
+- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
+- Fix build failure with -Werror=format-security (Bas Couwenberg)
+- Fixed a typo in `nrpe.spec.in` (John Frickson)
+- More detailed error logging for SSL (John Frickson)
+- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
+
+
 3.1.0 - 2017-04-17
 ------------------
 ENHANCEMENTS

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1.
+# Generated by GNU Autoconf 2.69 for nrpe 3.1.1.
 #
 # Report bugs to <nagios-users@lists.sourceforge.net>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='nrpe'
 PACKAGE_TARNAME='nrpe'
-PACKAGE_VERSION='3.1.0-rc1'
-PACKAGE_STRING='nrpe 3.1.0-rc1'
+PACKAGE_VERSION='3.1.1'
+PACKAGE_STRING='nrpe 3.1.1'
 PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net'
 PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/'
 
@@ -757,6 +757,7 @@ with_logdir
 with_piddir
 with_pipedir
 enable_ssl
+with_need_dh
 with_ssl
 with_ssl_inc
 with_ssl_lib
@@ -1319,7 +1320,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems.
+\`configure' configures nrpe 3.1.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1369,7 +1370,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";;
+     short | recursive ) echo "Configuration of nrpe 3.1.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1422,6 +1423,7 @@ Optional Packages:
   --with-logdir=DIR       where log files should be placed
   --with-piddir=DIR       where the PID file should be placed
   --with-pipedir=DIR      where socket and pipe files should be placed
+  --with-need-dh          set to 'no' to not include Diffie-Hellman SSL logic
   --with-ssl=DIR          sets location of the SSL installation
   --with-ssl-inc=DIR      sets location of the SSL include files
   --with-ssl-lib=DIR      sets location of the SSL libraries
@@ -1514,7 +1516,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-nrpe configure 3.1.0-rc1
+nrpe configure 3.1.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2120,7 +2122,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by nrpe $as_me 3.1.0-rc1, which was
+It was created by nrpe $as_me 3.1.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2485,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 
 
 PKG_NAME=nrpe
-PKG_VERSION="3.1.0-rc1"
+PKG_VERSION="3.1.1"
 PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2017-04-06"
+PKG_REL_DATE="2017-05-24"
 RPM_RELEASE=1
 
 LANG=C
@@ -3020,29 +3022,29 @@ fi
 
 			inetd_disabled=""
 
-			if test x"$init_type" = "xupstart"; then
-				inetd_type="upstart"
-			elif test "$opsys" = "osx"; then
-				inetd_type="launchd"
-			fi
-
-			if test x"$inetd_type" = x; then
-				case $dist_type in #(
+			case $dist_type in #(
   solaris) :
     if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
-							inetd_type="$init_type"
-						else
-							inetd_type="inetd"
-						fi ;; #(
+						inetd_type="$init_type"
+					else
+						inetd_type="inetd"
+					fi ;; #(
   *bsd*) :
     inetd_type=`ps -A -o comm -c | grep inetd` ;; #(
+  osx) :
+    inetd_type=`launchd` ;; #(
   aix|hp-ux) :
     inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #(
   *) :
-    inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND` ;; #(
+    inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1` ;; #(
   *) :
      ;;
 esac
+
+			if test x"$inetd_type" = x; then
+				if test x"$init_type" = "xupstart"; then
+					inetd_type="upstart"
+				fi
 			fi
 
 			if test x"$inetd_type" = x; then
@@ -4346,7 +4348,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by nrpe $as_me 3.1.0-rc1, which was
+This file was extended by nrpe $as_me 3.1.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4400,7 +4402,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-nrpe config.status 3.1.0-rc1
+nrpe config.status 3.1.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -7278,9 +7280,19 @@ else
 fi
 
 
+need_dh=yes
+
+# Check whether --with-need_dh was given.
+if test "${with_need_dh+set}" = set; then :
+  withval=$with_need_dh; need_dh=$withval
+else
+  nrpe_group=need_dh
+fi
+
+
 if test x$check_for_ssl = xyes; then
 	# need_dh should only be set for NRPE
-	need_dh=yes
+#	need_dh=yes
 
 
 # -------------------------------
@@ -8272,7 +8284,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by nrpe $as_me 3.1.0-rc1, which was
+This file was extended by nrpe $as_me 3.1.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -8335,7 +8347,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-nrpe config.status 3.1.0-rc1
+nrpe config.status 3.1.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],)
 define([AC_CACHE_SAVE],)
 
 m4_include([build-aux/custom_help.m4])
-AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
+AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
 AC_CONFIG_SRCDIR([src/nrpe.c])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_PREFIX_DEFAULT(/usr/local/nagios)
 
 PKG_NAME=nrpe
-PKG_VERSION="3.1.0-rc1"
+PKG_VERSION="3.1.1"
 PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2017-04-06"
+PKG_REL_DATE="2017-05-24"
 RPM_RELEASE=1
 
 LANG=C
@@ -304,10 +304,16 @@ AC_ARG_ENABLE([ssl],
 	fi
 	],check_for_ssl=yes)
 
+need_dh=yes
+AC_ARG_WITH([need_dh],
+	AS_HELP_STRING([--with-need-dh],[set to 'no' to not include Diffie-Hellman SSL logic]),
+	[need_dh=$withval],
+	[nrpe_group=need_dh])
+
 dnl Optional SSL library and include paths
 if test x$check_for_ssl = xyes; then
 	# need_dh should only be set for NRPE
-	need_dh=yes
+#	need_dh=yes
 	AC_NAGIOS_GET_SSL
 fi
 

include/common.h.in

@@ -2,7 +2,7 @@
  *
  * COMMON.H - NRPE Common Include File
  * Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
- * Last Modified: 2017-04-06
+ * Last Modified: 2017-05-24
  *
  * License:
  *
@@ -33,8 +33,8 @@
 # endif
 #endif
 
-#define PROGRAM_VERSION "3.1.0-rc1"
-#define MODIFICATION_DATE "2017-04-06"
+#define PROGRAM_VERSION "3.1.1"
+#define MODIFICATION_DATE "2017-05-24"
 
 #define OK							0
 #define ERROR						-1

macros/ax_nagios_get_inetd

@@ -93,29 +93,30 @@ AC_SUBST(inetd_type)
 
 			inetd_disabled=""
 
-			if test x"$init_type" = "xupstart"; then
-				inetd_type="upstart"
-			elif test "$opsys" = "osx"; then
-				inetd_type="launchd"
-			fi
+			AS_CASE([$dist_type],
+				[solaris],
+					if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
+						inetd_type="$init_type"
+					else
+						inetd_type="inetd"
+					fi,
 
-			if test x"$inetd_type" = x; then
-				AS_CASE([$dist_type],
-					[solaris],
-						if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
-							inetd_type="$init_type"
-						else
-							inetd_type="inetd"
-						fi,
+				[*bsd*],
+					inetd_type=`ps -A -o comm -c | grep inetd`,
+
+				[osx],
+					inetd_type=`launchd`,
 
-					[*bsd*],
-						inetd_type=`ps -A -o comm -c | grep inetd`,
+				[aix|hp-ux],
+					inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
 
-					[aix|hp-ux],
-						inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
+				[*],
+					inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
 
-					[*],
-						inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
+			if test x"$inetd_type" = x; then
+				if test x"$init_type" = "xupstart"; then
+					inetd_type="upstart"
+				fi
 			fi
 
 			if test x"$inetd_type" = x; then

nrpe.spec.in

@@ -9,7 +9,7 @@
 %endif
 %if %{islinux}
 	%define _init_dir @initdir@
-	%define _init_tyhpe @init_type@
+	%define _init_type @init_type@
 	%define _exec_prefix %{_prefix}/sbin
 	%define _bindir %{_prefix}/sbin
 	%define _sbindir %{_prefix}/lib/nagios/cgi
@@ -22,7 +22,7 @@
 %define _sysconfdir /etc/nagios
 
 %define name @PACKAGE_NAME@
-%define version 3.1.0-rc1
+%define version 3.1.1
 %define release @RPM_RELEASE@
 %define nsusr @nrpe_user@
 %define nsgrp @nrpe_group@

src/acl.c

@@ -565,9 +565,9 @@ int is_an_allowed_host(int family, void *host)
 					break;
 				}
 			}
-
-			dns_acl_curr = dns_acl_curr->next;
 		}
+
+		dns_acl_curr = dns_acl_curr->next;
 	}
 	return 0;
 }

src/check_nrpe.c

@@ -4,7 +4,7 @@
  * Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
  * License: GPL
  *
- * Last Modified: 2017-04-06
+ * Last Modified: 2017-05-24
  *
  * Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
  *
@@ -116,8 +116,6 @@ int main(int argc, char **argv)
 
 	result = process_arguments(argc, argv, 0);
 
-	open_log_file();
-
 	if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE)
 		usage(result);			/* usage() will call exit() */
 
@@ -466,6 +464,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
 				break;
 			}
 			log_file = strdup(optarg);
+			open_log_file();
 			break;
 
 		default:
@@ -558,10 +557,10 @@ int read_config_file(char *fname)
 
 	bufp = buf;
 	while (argc < 50) {
+		while (*bufp && strchr(delims, *bufp))
+			++bufp;
 		if (*bufp == '\0')
 			break;
-		while (strchr(delims, *bufp))
-			++bufp;
 		argv[argc] = my_strsep(&bufp, delims);
 		if (!argv[argc++])
 			break;
@@ -667,7 +666,7 @@ void usage(int result)
 		printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"
 			   "       [-P <size>] [-S <ssl version>]  [-L <cipherlist>] [-C <clientcert>]\n"
 			   "       [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"
-			   "       [-f <cfg-file>] [-p <port>] [-t <interval>:<state>]\n"
+			   "       [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"
 			   "       [-c <command>] [-a <arglist...>]\n");
 		printf("\n");
 		printf("Options:\n");
@@ -704,6 +703,7 @@ void usage(int result)
 		printf(" <logopts>    = SSL Logging Options\n");
 		printf(" <bindaddr>   = bind to local address\n");
 		printf(" <cfg-file>   = configuration file to use\n");
+		printf(" <log-file>   = full path to the log file to write to\n");
 		printf(" [port]       = The port on which the daemon is running (default=%d)\n",
 			   DEFAULT_SERVER_PORT);
 		printf(" [command]    = The name of the command that the remote daemon should run\n");
@@ -743,7 +743,7 @@ void usage(int result)
 void setup_ssl()
 {
 #ifdef HAVE_SSL
-	int vrfy;
+	int vrfy, x;
 
 	if (sslprm.log_opts & SSL_LogStartup) {
 		char *val;
@@ -878,7 +878,9 @@ void setup_ssl()
 				break;
 			case TLSv1_2:
 			case TLSv1_2_plus:
+#ifdef SSL_OP_NO_TLSv1_1
 				ssl_opts |= SSL_OP_NO_TLSv1_1;
+#endif
 			case TLSv1_1:
 			case TLSv1_1_plus:
 				ssl_opts |= SSL_OP_NO_TLSv1;
@@ -897,14 +899,23 @@ void setup_ssl()
 
 		if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
 			if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
-				SSL_CTX_free(ctx);
 				printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use certificate file '%s': %s\n",
+						   sslprm.cert_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 			if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
 				SSL_CTX_free(ctx);
 				printf("Error: could not use private key file '%s'.\n",
 					   sslprm.privatekey_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use private key file '%s': %s\n",
+						   sslprm.privatekey_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 		}
@@ -913,8 +924,12 @@ void setup_ssl()
 			vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 			SSL_CTX_set_verify(ctx, vrfy, verify_callback);
 			if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
-				SSL_CTX_free(ctx);
 				printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use CA certificate '%s': %s\n",
+						   sslprm.privatekey_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 		}
@@ -932,8 +947,12 @@ void setup_ssl()
 		}
 
 		if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
-			SSL_CTX_free(ctx);
 			printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				printf("Could not set SSL/TLS cipher list '%s': %s\n",
+					   sslprm.cipher_list, ERR_reason_error_string(x));
+			}
+			SSL_CTX_free(ctx);
 			exit(STATE_CRITICAL);
 		}
 	}
@@ -965,7 +984,7 @@ int connect_to_remote()
 	struct sockaddr addr;
 	struct in_addr *inaddr;
 	socklen_t addrlen;
-	int result, rc, ssl_err, ern;
+	int result, rc, ssl_err, ern, x, nerrs = 0;
 
 	/* try to connect to the host at the given port number */
 	if ((sd =
@@ -1004,7 +1023,6 @@ int connect_to_remote()
 		ssl_err = SSL_get_error(ssl, rc);
 
 		if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
-			int x, nerrs = 0;
 			rc = 0;
 			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
@@ -1015,9 +1033,16 @@ int connect_to_remote()
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
 					   rem_host, rc, ssl_err);
 
-		} else
-			logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
-				   rem_host, rc, ssl_err);
+		} else {
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
+					   rem_host, ERR_reason_error_string(x));
+				++nerrs;
+			}
+			if (nerrs == 0)
+				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
+						"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
+		}
 
 		if (ssl_err == 5) {
 			/* Often, errno will be zero, so print a generic message here */

src/nrpe.c

@@ -186,8 +186,6 @@ int main(int argc, char **argv)
 		return STATE_CRITICAL;
 	}
 
-	open_log_file();
-
 	if (!nasty_metachars)
 		nasty_metachars = strdup(NASTY_METACHARS);
 
@@ -244,6 +242,7 @@ void init_ssl(void)
 #ifdef HAVE_SSL
 	DH            *dh;
 	char          seedfile[FILENAME_MAX];
+	char          errstr[120] = { "" };
 	int           i, c, x, vrfy;
 	unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
 
@@ -315,7 +314,10 @@ void init_ssl(void)
 
 	ctx = SSL_CTX_new(meth);
 	if (ctx == NULL) {
-		logit(LOG_ERR, "Error: could not create SSL context");
+		while ((x = ERR_get_error()) != 0) {
+			ERR_error_string(x, errstr);
+			logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
+		}
 		SSL_CTX_free(ctx);
 		exit(STATE_CRITICAL);
 	}
@@ -359,7 +361,9 @@ void init_ssl(void)
 			break;
 		case TLSv1_2:
 		case TLSv1_2_plus:
+#ifdef SSL_OP_NO_TLSv1_1
 			ssl_opts |= SSL_OP_NO_TLSv1_1;
+#endif
 		case TLSv1_1:
 		case TLSv1_1_plus:
 			ssl_opts |= SSL_OP_NO_TLSv1;
@@ -377,7 +381,6 @@ void init_ssl(void)
 	SSL_CTX_set_options(ctx, ssl_opts);
 
 	if (sslprm.cert_file != NULL) {
-		char	errstr[120] = { "" };
 		if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
 			SSL_CTX_free(ctx);
 			while ((x = ERR_get_error()) != 0) {
@@ -388,9 +391,12 @@ void init_ssl(void)
 			exit(STATE_CRITICAL);
 		}
 		if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
+					 sslprm.privatekey_file, errstr);
+			}
 			SSL_CTX_free(ctx);
-			logit(LOG_ERR, "Error: could not use private key file '%s'",
-				   sslprm.privatekey_file);
 			exit(STATE_CRITICAL);
 		}
 	}
@@ -401,6 +407,10 @@ void init_ssl(void)
 			vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 		SSL_CTX_set_verify(ctx, vrfy, verify_callback);
 		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
+					   sslprm.cacert_file, ERR_reason_error_string(x));
+			}
 			SSL_CTX_free(ctx);
 			logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
 			exit(STATE_CRITICAL);
@@ -651,13 +661,13 @@ void cleanup(void)
 	free_memory();				/* free all memory we allocated */
 
 	if (sigrestart == TRUE && sigshutdown == FALSE) {
+		close_log_file();
 		result = read_config_file(config_file);	/* read the config file */
 
 		if (result == ERROR) {	/* exit if there are errors... */
 			logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file);
 			exit(STATE_CRITICAL);
 		}
-		open_log_file();
 		return;
 	}
 
@@ -950,10 +960,11 @@ int read_config_file(char *filename)
 		else if (!strcmp(varname, "nasty_metachars"))
 			nasty_metachars = strdup(varvalue);
 
-		else if (!strcmp(varname, "log_file"))
+		else if (!strcmp(varname, "log_file")) {
 			log_file = strdup(varvalue);
+			open_log_file();
 
-		else {
+		} else {
 			logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n",
 				   filename, line);
 			continue;
@@ -1852,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 #else
 	const SSL_CIPHER *c;
 #endif
+	const char *errmsg = NULL;
 	char      buffer[MAX_INPUT_BUFFER];
 	SSL      *ssl = (SSL*)ssl_ptr;
 	X509     *peer;
@@ -1869,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
 			int       nerrs = 0;
 			rc = 0;
 			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				errmsg = ERR_reason_error_string(x);
 				logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
-					   remote_host, ERR_reason_error_string(x));
+					   remote_host, errmsg);
+				if (errmsg && !strcmp(errmsg, "no shared cipher")) {
+					if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
+						logit(LOG_ERR, "Error: This could be because you have not "
+								"specified certificate or ca-certificate files");
+				}
 				++nerrs;
 			}
 			if (nerrs == 0)

src/utils.c

@@ -31,6 +31,7 @@
 
 #include "../include/common.h"
 #include "../include/utils.h"
+#include <stdarg.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -469,6 +470,7 @@ char *my_strsep(char **stringp, const char *delim)
 void open_log_file()
 {
 	int fh;
+	int flags = O_RDWR|O_APPEND|O_CREAT;
 	struct stat st;
 
 	close_log_file();
@@ -476,7 +478,10 @@ void open_log_file()
 	if (!log_file)
 		return;
 
-	if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
+#ifdef O_NOFOLLOW
+	flags |= O_NOFOLLOW;
+#endif
+	if ((fh = open(log_file, flags, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
 		printf("Warning: Cannot open log file '%s' for writing\n", log_file);
 		logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file);
 		return;
@@ -527,7 +532,7 @@ void logit(int priority, const char *format, ...)
 			fflush(log_fp);
 
 		} else
-			syslog(priority, buffer);
+			syslog(priority, "%s", buffer);
 
 		free(buffer);
 	}

update-version

@@ -28,10 +28,10 @@ else
 fi
 
 # Current version number
-CURRENTVERSION=3.1.0-rc1
+CURRENTVERSION=3.1.1
 
 # Last date
-LASTDATE=2017-04-06
+LASTDATE=2017-05-24
 
 if [ "x$1" = "x" ]
 then