NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
dberlenda
Posts: 19
Joined: Thu May 23, 2019 5:05 am

NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by dberlenda »

Hello,
I installed ncpa-2.0.6-1.el5.centos on some servers with Red Hat Enterprise Linux Server release 5.5 (Tikanga).
I can't install the latest version of ncpa because the latest version is not supported by the OS.
Now when I try to connect the servers to Nagios XI version 5.8.3 I get the following error:
Unable to contact server at https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>

I tried to check the problem with various TLS versions without success:

curl -k -L --tlsv1 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v
curl -k -L --tlsv1.0 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v
curl -k -L --tlsv1.1 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v
curl -k -L --tlsv1.2 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v
curl -k -L --tlsv1.3 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v

I always get the error:

# curl -k -L --tlsv1 "https://xxx.xxx.xxx.xxx:5693/testconnec ... n=<MYTOKEN>" -v
* Trying xxx.xxx.xxx.xxx ...
* TCP_NODELAY set
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Could you please help me fix the problem or find a workaround?

Thanks in advance
Davide
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by kfanselow »

Hi Davide,

What do you have set for "ssl_version =" in your ncpa.cfg?

/usr/local/ncpa/etc/ncpa.cfg

Also, what are you seeing in the ncpa logs?

/usr/local/ncpa/var/log/ncpa_listener.log 

Thanks and Best Regards,
Keith
dberlenda
Posts: 19
Joined: Thu May 23, 2019 5:05 am

Re: NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by dberlenda »

Hi kfanselow,

On the Nagios XI server and also on the satellite system I have the following settings:
# SSL connection and certificate config (if an SSL option is not available on some older
# operating systems it will default back to TLSv1)
# ssl_version options: TLSv1, TLSv1_1, TLSv1_2
#
ssl_version = TLSv1_2
certificate = adhoc

[root@xxxxxx~]# cat /usr/local/ncpa/var/log/ncpa_listener.log
2021-10-04 15:57:00,272 4556 INFO started
2021-10-04 15:57:00,273 4556 INFO Using SSL version TLSv1
2021-10-04 16:42:09,085 4556 INFO stopped
2021-10-04 16:42:09,595 5459 INFO started
2021-10-04 16:42:09,596 5459 INFO Using SSL version TLSv1
[root@grsapprd1 ~]#

In a forum I found the following information:

We found the version of curl provided for RHEL5 does not include the flags "--tlsv1.1" or "--tlsv1.2" provided by later versions of curl.

This means CentOS5 curl does not include/support the flags "--tlsv1.1" or "--tlsv1.2".

RHEL7 and RHEL6 versions do support TLSv1.1 and TLSv1.2 and work when using them .

In effect, if I check the version of TLS installed on the satellite system with Red Hat 5.5:

[root@xxxxxxx~]# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv2
SSLv3
[root@grsapqty1 ~]#

On the Nagios server the same command reports that TLSv1.x is also supported:

[nagios@tegp-nag-ia1 SAP]$ openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
[nagios@tegp-nag-ia1 SAP]$

I suppose that it is not possible to use ncpa with Red Hat 5.5 :(

Best regards
Davide
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by ssax »

This is likely your XI server running EL8 that is not allowing it:

https://access.redhat.com/articles/3642912

Running this on the XI server and then rebooting should allow TLSv1 to work from my EL8 system to an EL5 system through NCPA and curl:

update-crypto-policies --set LEGACY
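
Added example (not part of the thread and not Nagios code): a Python check that reproduces the diagnosis above from the two artifacts Davide posted, comparing the ssl_version set in ncpa.cfg, the version the listener actually logged, and the TLS floor of the XI server's crypto policy. The policy table reflects the RHEL 8 crypto-policies documentation, the function names are made up for this example, and the sample inputs are copied from the posts above.

```python
import re

# Lowest TLS protocol version each RHEL 8 crypto policy allows (assumption: EL8 server).
POLICY_FLOOR = {"LEGACY": "TLSv1", "DEFAULT": "TLSv1_2", "FIPS": "TLSv1_2", "FUTURE": "TLSv1_2"}
ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # ncpa.cfg spelling, oldest first

# Sample inputs copied from the posts above.
SAMPLE_CFG = """\
# ssl_version options: TLSv1, TLSv1_1, TLSv1_2
#
ssl_version = TLSv1_2
certificate = adhoc
"""
SAMPLE_LOG = """\
2021-10-04 15:57:00,272 4556 INFO started
2021-10-04 15:57:00,273 4556 INFO Using SSL version TLSv1
2021-10-04 16:42:09,085 4556 INFO stopped
2021-10-04 16:42:09,595 5459 INFO started
2021-10-04 16:42:09,596 5459 INFO Using SSL version TLSv1
"""

def configured_version(cfg_text):
    """Active (uncommented) ssl_version value in ncpa.cfg, or None."""
    m = re.search(r"^[ \t]*ssl_version[ \t]*=[ \t]*(\S+)", cfg_text, re.MULTILINE)
    return m.group(1) if m else None

def effective_version(log_text):
    """Version from the most recent 'Using SSL version' line in ncpa_listener.log."""
    hits = re.findall(r"INFO\s+Using SSL version (\S+)", log_text)
    return hits[-1] if hits else None

def diagnose(cfg_text, log_text, server_policy):
    """Compare what the agent was asked to use, what it uses, and what the server permits."""
    configured = configured_version(cfg_text)
    effective = effective_version(log_text)
    floor = POLICY_FLOOR[server_policy.upper()]
    allowed = effective in ORDER and ORDER.index(effective) >= ORDER.index(floor)
    return {
        "configured": configured,
        "effective": effective,
        "fell_back": None not in (configured, effective) and configured != effective,
        "server_floor": floor,
        "allowed_by_policy": allowed,
    }

if __name__ == "__main__":
    for policy in ("DEFAULT", "LEGACY"):
        print(policy, diagnose(SAMPLE_CFG, SAMPLE_LOG, policy))
```

The policy name to pass in is what `update-crypto-policies --show` prints on the XI server. LEGACY is a system-wide setting, so it lowers the protocol floor for every application on that server that follows the system crypto policy, not only for NCPA checks.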
dberlenda
Posts: 19
Joined: Thu May 23, 2019 5:05 am

Re: NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by dberlenda »

Hello ssax,
thanks for your suggestion, the solution works.

Best regards
Davide
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NCPA 2.0.6 on RedHat 5.5 error with XI 5.8.3

Post by benjaminsmith »

Hi Davide,
"thanks for your suggestion, the solution works."
Glad to hear that worked. We'll go ahead and close this one out.

Thank you for using Nagios!