
update the regular cipher list to allow dh if so desired

Bryan Heden 8 tahun lalu
induk
melakukan
adc53c88b1
3 mengubah file dengan 18 tambahan dan 8 penghapusan
  1. 4 2
      sample-config/nrpe.cfg.in
  2. 8 0
      src/check_nrpe.c
  3. 6 6
      src/nrpe.c

+ 4 - 2
sample-config/nrpe.cfg.in

@@ -225,10 +225,12 @@ connection_timeout=300
 
 # SSL CIPHER LIST
 # This lists which ciphers can be used. For backward compatibility, this
-# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
-# will be changed to something like the example below in a later version of NRPE.
+# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
+# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
+# greater. 
 
 #ssl_cipher_list=ALL:!MD5:@STRENGTH
+#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
 #ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
 
 # SSL Certificate and Private Key Files
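Review bot: The new comment at lines 26–28 states the OpenSSL 1.1.0 default but never says what `@SECLEVEL=0` does: it sets OpenSSL's security level to 0, which removes the minimum key-size and algorithm floor that the library's default level 1 enforces, so the sample's 1.1.0 default is effectively the pre-1.1.0 policy rather than OpenSSL's own default. An operator reading this file cannot tell that from the text. Suggest adding, after line 28, `# Note: @SECLEVEL=0 disables OpenSSL's minimum key-strength checks; remove it from the list to keep OpenSSL 1.1.0's default security level.` Line 28 also leaves a trailing space after `greater.`.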

+ 8 - 0
src/check_nrpe.c

@@ -148,7 +148,11 @@ int main(int argc, char **argv)
 	if (timeout_return_code == -1)
 		timeout_return_code = STATE_CRITICAL;
 	if (sslprm.cipher_list[0] == '\0')
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+		strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
+#else
 		strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH", MAX_FILENAME_LENGTH - 1);
+#endif
 	if (sslprm.ssl_proto_ver == SSL_Ver_Invalid)
 		sslprm.ssl_proto_ver = TLSv1_plus;
 	if (sslprm.allowDH == -1)
@@ -717,7 +721,11 @@ void usage(int result)
 		printf("                              TLSv1.2   TLS v1.2 only\n");
 		printf("                              TLSv1.2+  TLS v1.2 or above\n");
 		printf(" -L, --cipher-list=LIST       The list of SSL ciphers to use (currently defaults\n");
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+		printf("                              to \"ALL:!MD5:@STRENGTH:@SECLEVEL=0\". THIS WILL change in a future release.)\n");
+#else
 		printf("                              to \"ALL:!MD5:@STRENGTH\". THIS WILL change in a future release.)\n");
+#endif
 		printf(" -C, --client-cert=FILE       The client certificate to use for PKI\n");
 		printf(" -K, --key-file=FILE          The private key to use with the client certificate\n");
 		printf(" -A, --ca-cert-file=FILE      The CA certificate to use for PKI\n");
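Review bot: The default written at line 44 applies `@SECLEVEL=0` unconditionally on OpenSSL ≥ 1.1.0, for every check_nrpe run, whereas the commit title and the `allowDH` handling visible at line 50 suggest DH is meant to be an explicit opt-in; as written the relaxed security level is the baseline for all users, not only those who asked for it, and it is worth considering whether the `@SECLEVEL=0` suffix should only be added when allowDH is set. Separately, the literal is now repeated under three identical `#if OPENSSL_VERSION_NUMBER` blocks (line 44, the usage text at line 56, and the sslprm initializer in src/nrpe.c), so the real default and the help text can drift apart; select it once into a `DEFAULT_CIPHER_LIST` macro in a header both files include and use it in all three places. The `#if` at lines 43–47 also sits inside the body of the unbraced `if` at line 42, which works but is fragile to edit, so brace the body. main() and usage() both continue outside their hunks.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000
#define DEFAULT_CIPHER_LIST "ALL:!MD5:@STRENGTH:@SECLEVEL=0"
#else
#define DEFAULT_CIPHER_LIST "ALL:!MD5:@STRENGTH"
#endif
/* … unchanged: option parsing in main() … */
	if (sslprm.cipher_list[0] == '\0') {
		strncpy(sslprm.cipher_list, DEFAULT_CIPHER_LIST, MAX_FILENAME_LENGTH - 1);
	}
/* … unchanged: usage() text up to the -L line … */
		printf("                              to \"%s\". THIS WILL change in a future release.)\n", DEFAULT_CIPHER_LIST);
```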

+ 6 - 6
src/nrpe.c

@@ -147,7 +147,11 @@ struct _SSL_PARMS {
 	ClntCerts client_certs;
 	SslLogging log_opts;
 } sslprm = {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging};
+#else
 NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging};
+#endif
 
 
 #ifdef HAVE_SSL
@@ -476,12 +480,8 @@ void log_ssl_startup(void)
 		   sslprm.privatekey_file ? sslprm.privatekey_file : "None");
 	logit(LOG_INFO, "SSL CA Certificate File: %s",
 		   sslprm.cacert_file ? sslprm.cacert_file : "None");
-	if (sslprm.allowDH < 2)
-		logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
-	else
-		logit(LOG_INFO, "SSL Cipher List: ADH");
-	logit(LOG_INFO, "SSL Allow ADH: %s",
-		   sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
+	logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
+	logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH == 0);
 	logit(LOG_INFO, "SSL Client Certs: %s",
 		   sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs ==
 													 1 ? "Accept" : "Require"));
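Review bot: Line 90 logs the expression `sslprm.allowDH == 0`, which prints `1` exactly when ADH is not allowed, so the new `SSL Allow ADH:` line reads inverted; it also collapses the `Require` state (allowDH == 2) into the same value as `Allow`. Keep the three-way text: `logit(LOG_INFO, "SSL Allow ADH: %s",` / `sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));`. Logging the configured cipher list unconditionally at line 89 is reasonable now that the list itself carries the policy. The sslprm initializer at lines 71–75 repeats the default literal from src/check_nrpe.c under the same `#if`; defining it once in a shared macro would keep the server and client defaults from drifting. log_ssl_startup begins outside the hunk.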