Securing NRPE against weak SSL Ciphers
-
- Posts: 5
- Joined: Thu Feb 06, 2014 4:37 pm
Securing NRPE against weak SSL Ciphers
I am running a PCI scan and NRPE is showing up as having weak or medium ciphers. With other applications there were ways to adjust this to only allow strong ciphers. Is there any way to do this in Nagios?
-
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Securing NRPE against weak SSL Ciphers
First question would be, what clients are you running nrpe on, and which specific nrpe agent? There are ways to do this though!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
-
- Posts: 2
- Joined: Fri Apr 25, 2014 11:04 am
Re: Securing NRPE against weak SSL Ciphers
I have the same question for nrpe 2.13. Is it the set_cipher_list that needs to be changed?
check_nrpe.c:SSL_CTX *ctx;
check_nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
check_nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
check_nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
check_nrpe.c: SSL_CTX_free(ctx);
check_nrpe.c: SSL_CTX_free(ctx);
nrpe.c:SSL_CTX *ctx;
nrpe.c: if((ctx=SSL_CTX_new(meth))==NULL){
nrpe.c: SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");
nrpe.c: SSL_CTX_set_tmp_dh(ctx,dh);
nrpe.c: SSL_CTX_free(ctx);
Re: Securing NRPE against weak SSL Ciphers
I'm not quite sure. We have an internal bug fix open for this, but I don't think a patch has been made. I'm not a C developer, so I wouldn't feel comfortable weighing in on a security issue. My gut says to change the SSL_CTX_set_cipher_list to something other than ADH (since that seems to be the weak cipher), but again, I can't say for sure, not being a dev.
Former Nagios employee
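As an added example (not code from the thread or from the NRPE project): a small Python audit that reads grep output like the lines quoted earlier in the thread and reports which cipher strings passed to SSL_CTX_set_cipher_list still enable weak suites, following OpenSSL's cipher-string operators. The WEAK table, the function names and the file name example_fixed.c are assumptions made for illustration.

```python
import re

# Explicit OpenSSL cipher-string keywords that select weak suites (an assumed,
# illustrative table). Aliases such as ALL, DEFAULT or HIGH are not expanded.
WEAK = {
    "ADH": "anonymous DH, no peer authentication",
    "AECDH": "anonymous ECDH, no peer authentication",
    "aNULL": "no peer authentication",
    "eNULL": "no encryption", "NULL": "no encryption",
    "EXPORT": "export-grade keys", "EXP": "export-grade keys",
    "LOW": "low-strength ciphers", "MEDIUM": "medium-strength ciphers",
    "RC4": "RC4", "DES": "single DES", "MD5": "MD5-based MAC",
}
# A '!' on the right-hand keyword also deletes what the left-hand one selects.
COVERED_BY = {"ADH": "aNULL", "AECDH": "aNULL", "NULL": "eNULL",
              "eNULL": "NULL", "EXP": "EXPORT", "EXPORT": "EXP"}
CALL = re.compile(r'^([^:\s]+):.*SSL_CTX_set_cipher_list\s*\([^,]+,\s*"([^"]*)"')

def weak_terms(spec):
    """Return the weak keywords a cipher string leaves enabled, in order."""
    items = [i for i in re.split(r"[:, ]+", spec) if i]
    killed = {i[1:] for i in items if i.startswith("!")}  # '!' is permanent
    enabled = []
    for item in items:
        if item[0] in "!+":      # '+' only reorders suites already selected
            continue
        if item[0] == "-":       # '-' removes; a later item may re-add
            enabled = [k for k in enabled if k != item[1:]]
            continue
        for part in item.split("+"):   # 'A+B' selects suites matching both
            if (part in WEAK and part not in enabled and part not in killed
                    and COVERED_BY.get(part) not in killed):
                enabled.append(part)
    return enabled

def audit(grep_lines):
    """Return (file, cipher string, weak keywords) for each flagged call."""
    hits = []
    for line in grep_lines:
        m = CALL.match(line)
        if m and weak_terms(m.group(2)):
            hits.append((m.group(1), m.group(2), weak_terms(m.group(2))))
    return hits

# First two lines are quoted from the thread; the third is constructed.
SAMPLE = [
    'check_nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");',
    'nrpe.c: SSL_CTX_set_cipher_list(ctx,"ADH");',
    'example_fixed.c: SSL_CTX_set_cipher_list(ctx,"HIGH:!aNULL:!eNULL:!MD5");',
]
if __name__ == "__main__":
    for path, spec, terms in audit(SAMPLE):
        print(path, spec, [f"{t}: {WEAK[t]}" for t in terms])
```

An empty result means only that no explicit weak keyword is left enabled; what an alias such as HIGH expands to depends on the OpenSSL build.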
-
- Posts: 2
- Joined: Fri Apr 25, 2014 11:04 am
Re: Securing NRPE against weak SSL Ciphers
Tried changing the cipher_list -- no joy.
Must be more complicated than that.
Re: Securing NRPE against weak SSL Ciphers
This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
-
- Posts: 1
- Joined: Tue Aug 19, 2014 5:01 am
Re: Securing NRPE against weak SSL Ciphers
abrist wrote: This is on the NRPE devs' radars. They are working on it, and it is a bit more complicated than it first appears.
Hi, has there perhaps been any update or progress in regards to this?
Re: Securing NRPE against weak SSL Ciphers
Wow. I think you just won the "oldest posting that really needs a status update" award!
Re: Securing NRPE against weak SSL Ciphers
Not yet. There is some work being done on nrpe, but it may lead to a more thoughtful rewrite. I would watch the issues on the github page:
https://github.com/NagiosEnterprises/nrpe/issues/4
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.