Securing NRPE against weak SSL Ciphers

illectronic
Posts: 5
Joined: Thu Feb 06, 2014 4:37 pm

Securing NRPE against weak SSL Ciphers

Post by illectronic »

I am running a PCI scan and NRPE is showing up as having weak or medium ciphers. With other applications there were ways to adjust this to only allow strong ciphers. Is there any way to do this in Nagios?
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Securing NRPE against weak SSL Ciphers

Post by sreinhardt »

First question would be, what clients are you running nrpe on, and which specific nrpe agent? There are ways to do this though!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
mark.s.spooner
Posts: 2
Joined: Fri Apr 25, 2014 11:04 am

Re: Securing NRPE against weak SSL Ciphers

Post by mark.s.spooner »

I have the same question for nrpe 2.13. Is it the set_cipher_list that needs to be changed?

check_nrpe.c:SSL_CTX *ctx;
check_nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
check_nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
check_nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
check_nrpe.c: SSL_CTX_free(ctx);
check_nrpe.c: SSL_CTX_free(ctx);
nrpe.c:SSL_CTX *ctx;
nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
nrpe.c: SSL_CTX_set_tmp_dh(ctx,dh);
nrpe.c: SSL_CTX_free(ctx);
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Securing NRPE against weak SSL Ciphers

Post by tmcdonald »

I'm not quite sure. We have an internal bug fix open for this but I don't think a patch has been made. I'm not a C developer so I wouldn't feel comfortable weighing in on a security issue. My gut says to change the SSL_CTX_set_cipher_list to something other than ADH (since that seems to be the weak cipher) but again I can't say for sure, not being a dev.
Former Nagios employee
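A way to audit source for the cipher lists discussed above, as an added example that is not part of the original posts or of NRPE's own code. It scans grep-style lines for SSL_CTX_set_cipher_list calls and reports cipher strings that enable anonymous (ADH is Diffie-Hellman key exchange with no certificate authentication), null, export or low/medium-strength suites. The function names and the patched.c and other.c sample lines are constructed for illustration.

```python
import re

# OpenSSL cipher-string keywords that enable anonymous, unencrypted,
# export-grade or low/medium-strength suites.
WEAK_KEYWORDS = {"ADH", "AECDH", "aNULL", "eNULL", "NULL",
                 "EXP", "EXPORT", "LOW", "MEDIUM"}

CALL_RE = re.compile(r'SSL_CTX_set_cipher_list\s*\(\s*\w+\s*,\s*"([^"]*)"')


def weak_terms(cipher_string):
    """Return the weak keywords a cipher string enables, in order."""
    found = []
    # OpenSSL separates cipher-string terms with ':', ',' or spaces.
    for term in re.split(r"[:, ]+", cipher_string.strip()):
        # '!' and '-' remove suites, '+' only reorders, '@' is a directive.
        if not term or term[0] in "!-+@":
            continue
        # 'A+B' selects suites matching both A and B, so check each part.
        found += [p for p in term.split("+") if p in WEAK_KEYWORDS]
    return found


def audit(grep_lines):
    """Return (file, cipher_string, weak_terms) for each flagged call."""
    results = []
    for line in grep_lines:
        filename, _, code = line.partition(":")
        match = CALL_RE.search(code)
        if match and weak_terms(match.group(1)):
            results.append((filename, match.group(1), weak_terms(match.group(1))))
    return results


# First three lines come from the grep output in the thread;
# the last two are constructed for this example.
SAMPLE = [
    'check_nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");',
    'nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);',
    'nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");',
    'patched.c: SSL_CTX_set_cipher_list(ctx,"HIGH:!aNULL:!eNULL:!MD5");',
    'other.c: SSL_CTX_set_cipher_list(ctx, "ALL:+EXP:kRSA+NULL");',
]

if __name__ == "__main__":
    for filename, ciphers, terms in audit(SAMPLE):
        print(f"{filename}: cipher list {ciphers!r} enables {', '.join(terms)}")
```

The scan only reports which calls select weak suites; it does not make a replacement cipher list work, since certificate-authenticated suites also need a certificate and key loaded into the SSL context.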
mark.s.spooner
Posts: 2
Joined: Fri Apr 25, 2014 11:04 am

Re: Securing NRPE against weak SSL Ciphers

Post by mark.s.spooner »

Tried changing the cipher_list -- no joy.
Must be more complicated than that.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Securing NRPE against weak SSL Ciphers

Post by abrist »

This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
bradley.radjoo
Posts: 1
Joined: Tue Aug 19, 2014 5:01 am

Re: Securing NRPE against weak SSL Ciphers

Post by bradley.radjoo »

abrist wrote: This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Hi, has there perhaps been any update or progress in regard to this?
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Securing NRPE against weak SSL Ciphers

Post by eloyd »

Wow. I think you just won the "oldest posting that really needs a status update" award! :-)
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic!
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Securing NRPE against weak SSL Ciphers

Post by abrist »

Not yet. There is some work being done on nrpe, but it may lead to a more thoughtful rewrite. I would watch the issues on the github page:
https://github.com/NagiosEnterprises/nrpe/issues/4
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.